School of Computing & Information Technology
CSCI262 System Security
SIM-2022-S4
Assignment 1 (14 marks, worth 14%)
Due date: 5 November 2023, 20:55 (SG Time).
Part One: Short answer questions: 4 Marks
1. Determine the entropy associated with the following method of generating a password. 1 Mark
Choose, and place in this order, one lower case letter, following by one upper case letter,
followed by two digits, followed by @, followed by two letters, each upper or lower case,
and then followed by three symbols drawn from the set {$, 9,5, 𝑣, 𝑤,𝐽}. Finally, apply the
hash function Tiger to give an output string in hex which will be used as a password.
What is the entropy of the password? Is the entropy of the password increase after applying the
hash function? How about the strength or complexity of the password? Justify your answer.
Assume random choices are made with equal likelihood of each symbol from the space being chosen
from. So for a random digit there are 10 possibilities, each chosen with probability 1/10.
2. Generate a BLP lattice–structured system where the objects and subjects are appropriately levelled to
give access consistent with the access control matrix below. You need to describe the process by
which you obtain your lattice. R and W correspond, respectively, to read and append. You are to use
only the mandatory BLP rules, and a default allow in place of the discretionary rule. Be sure to add a
level as necssary to ensure this is a lattice. 2 Mark
3. For the following collection of statements, describe the sets of actions, objects, and subjects; and
draw an access control matrix to represent the scenario. 1 Mark
2
Alice can climb trees and eat apples.
Bob can climb fences, eat apples, and wave flags.
Trees can hurt apples.
Carol can jump waves and wave flags.
Part Two: Implementing a rainbow table 10 Marks
You are to write a program, in C/C++, Java or Python, that should run using the following instruction:
$ ./Rainbow Passwords.txt
where the file Passwords.txt contains a list of possible passwords. The password file contains a password
per line, as in the provided words file and consists of strings of printable characters. Any password used
must be taken from this file, so the only stored hash information needs to relate to those entries in the file.
The program is used to find pre–images for given hash values. Rainbow tables can be used to solve
pre–image problems for hash functions. At the simplest level they can simply be a list of hash values
and the corresponding pre-images, often from some dictionary. This can be expensive in terms of storage
space however, and a more efficient way of identifying pre-images involves the use of the hash function
and reduction functions.
First step (5 marks): Your program will do some initial computations to generate the rainbow table.
The process is as follows:
1. Read in the list of possible passwords. Report on the number of words read in. (0.5 mark)
2. For each previously unused word W, first mark it as used and then carry out the following process
(3 marks):
(a) Apply the hash function H to the word W to produce a hash value H(W ), which we refer to
as the current hash.
(b) Apply the reduction function R to the current hash, which will give a different possible password
which should be marked as used and then hashed. The resulting hash value is recorded as the
current hash.
(c) Repeat the previous step five times. You can deal with collisions if you like but are not required
to.
(d) Store the original word W and the final current hash as an entry in your rainbow table.
3. To assist with the later identification of the pre–images you should sort the rainbow table based on
the hash values (0.5 mark).
4. Output the list of words and corresponding "final current hashes" to a text file Rainbow.txt. Report
to standard out the number of lines in your rainbow table (1 mark).
Second Step (5 marks): You are now ready to carry out the second part of the exercise, finding pre-images.
Request a hash value from the user. There should be appropriate error checking as to the length of the input
string etc. The process of identifying the pre-image for the provided hash value is sketched as follows:
1. Check if the hash value is in the rainbow table (1 mark).
2. If the hash value isn't in the rainbow table you reduce and hash until you get a hash value that is in the
rainbow table, or until you have done the reduce and hash enough times that it's clear from the way the
rainbow table is generated that something is wrong. Display an appropriate message if this happens (2
mark).
3. Once you have identified the relevant hash value in the table you take the corresponding password and
hash it. If that is your hash value, you have your pre-image. If it isn't, then reduce and hash again, until
the reduced word hashes to the hash value being searched for (1 mark).
4. Output the relative reduced word, that is your pre-image (1 mark).
A reduction function is designed to take a valid hash value and return a valid password, in this case a valid word
from Passwords.txt. The reduction function to be used should be based on the number of words in the
Passwords.txt file, and since that isn't a fixed length file your method needs to be dynamic. You should find a
way to convert a hash value to an integer that identifies one of the passwords. You can define yourself a
reduction function R or find some examples online. You should describe how your reduction function works in
readme.txt. You should use MD5 as the hash function. You don't need to implement the MD5 hash function by
yourself. You can find such a file online. Provide a reference if you use any open-source implementation.
1. Submission is via Moodle.
2. Include the compilation instructions with your submission in a file readme.txt. That file should also contain a
description of how you do the reduction. If no such file exists in your submission, then you will get zero for
this Part two.
3. Late submissions will be marked with a 25% deduction for each day, including days over the weekend.
4. Submissions more than three days late will not be marked unless an extension has been granted.
5. If you need an extension apply through SOLS, if possible before the assignment deadline.
6. Plagiarism is treated seriously. Students involved will receive zero.