PLEASE EXPLAIN ANSWER ( Please state what language this is written in, would pre
ID: 3766957 • Letter: P
Question
PLEASE EXPLAIN ANSWER (Please state what language this is written in, would prefer C or C++)
Develop code (in programming of language(s) of your choice) to guess passwords using brute-force technique of dictionary attacks, as discussed in the class. The project assumes that a system to be attacked for password guessing has file that contains a table in which each entry is a 2-tuple and this file is readable by any user. Your code should provide the following functionalities:
-Read the plaintext password dictionary file, one line at time and compute its 160-bit SHA-1 hash value to and create another file (“PasswordHash.txt”) containing all the plain text dictionary passwords and their corresponding hash values.
-Create a GUI that has two dialog boxes. First dialog box should be used to provide a user name and the second dialog box some arbitrary 6-10 character long password.
-Using this GUI, create a file (“PasswordYellow.txt”) of 16 user names and the hash value of the password typed in the second dialog box.
-Having created these two files, now develop code for password guessing. This part will also have an associated GUI with one dialog box in which you will type in the password that is your guess that it belongs to some user. Next, compute the hash of the guessed password and search the file “PasswordYellow.txt” to find if this hash value exists in this file or not.
-The second GUI should also have a frame box. In this frame box, if the search was successful, display the user name associated with the guessed password. Otherwise display the message “ No user with the provided guessed password” and then try 4 additional guesses.
Explanation / Answer
Guessing:
Even with all of the advanced programs, algorithms, and techniques computer scientists have come up with, sometimes the most effective way of cracking a user password is by using logic and/or trying commonly used passwords. For many unknowledgeable users, passwords are more of an annoyance than a security, and therefore they use passwords that can be easily remembered, and thus easily guessed, such as:
The word "password"
The same as the user name
Name of the user
Birthdays or birth places
Relatives
Pets
Favorite colors, foods, places, etc.
This method can be more time efficient than using a program, but obviously this method works best when the person "recovering" the password knows the user. One other thing to keep in mind is that the average user does not like coming up with multiple passwords, so if you can figure out one password for one area, you can usually gain access to most other password protected areas using the same password.
Dictionary Attacks:
Dictionary Attacks are a method of using a program to try a list of words on the interface or program that is protecting the area that you want to gain access to. The most simple password crackers using dictionary attacks use a list of common single words, aka a "dictionary". More advanced programs often use a dictionary on top of mixing in numbers or common symbols at the beginning or end of the guessed words.
Some can even be given a set of personal information or a profile of the user and pick out important words to guess, even if they are not proper words, such as pronouns like last names and names of relatives.
A weakness of dictionary attacks is that it obviously relies on words supplied by a user, typically real words, to function. If the password is misspelled, is in another language, or very simply uses a word that is not in the dictionary or profile, it cannot succeed. Most of the time, even using two words in one password can thwart a dictionary attack.
Examples of programs that use dictionary attacks: John the Ripper, L0phtCrack, and Cain And Abel.
Brute Force:
Brute force password attacks are a last resort to cracking a password as they are the least efficient. In the most simple terms, brute force means to systematically try all the combinations for a password. This method is quite efficient for short passwords, but would start to become infeasible to try, even on modern hardware, with a password of 7 characters or larger. Assuming only alphabetical characters, all in capitals or all in lower-case, it would take 267 (8,031,810,176) guesses. This also assumes that the cracker knows the length of the password. Other factors include number, case-sensitivity, and other symbols on the keyboard. The complexity of the password depends upon the creativity of the user and the complexity of the program that is using the password.
The upside to the brute force attack is that it will ALWAYS find the password, no matter it's complexity. The downside is whether or not you will still be alive when it finally guesses it.
size taken for password checking 48GB. so the time taken will be 4 years by pentium 4.
so it is preferable to use cpp as because it is object oriented so which helps the programmer not to repeat the same code and easy to retrieve through objects and also when you are working with really huge dictionaries it could become an issue if we write it with c.
import java.security.SecureRandom;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.SecretKeyFactory;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
public class PasswordHash
{
public static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA1";
// The following constants may be changed without breaking existing hashes.
public static final int SALT_BYTE_SIZE = 24;
public static final int HASH_BYTE_SIZE = 24;
public static final int PBKDF2_ITERATIONS = 1000;
public static final int ITERATION_INDEX = 0;
public static final int SALT_INDEX = 1;
public static final int PBKDF2_INDEX = 2;
public static String createHash(String password)
throws NoSuchAlgorithmException, InvalidKeySpecException
{
return createHash(password.toCharArray());
}
public static String createHash(char[] password)
throws NoSuchAlgorithmException, InvalidKeySpecException
{
// Generate a random salt
SecureRandom random = new SecureRandom();
byte[] salt = new byte[SALT_BYTE_SIZE];
random.nextBytes(salt);
// Hash the password
byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);
// format iterations:salt:hash
return PBKDF2_ITERATIONS + ":" + toHex(salt) + ":" + toHex(hash);
}
public static boolean validatePassword(String password, String correctHash)
throws NoSuchAlgorithmException, InvalidKeySpecException
{
return validatePassword(password.toCharArray(), correctHash);
}
public static boolean validatePassword(char[] password, String correctHash)
throws NoSuchAlgorithmException, InvalidKeySpecException
{
// Decode the hash into its parameters
String[] params = correctHash.split(":");
int iterations = Integer.parseInt(params[ITERATION_INDEX]);
byte[] salt = fromHex(params[SALT_INDEX]);
byte[] hash = fromHex(params[PBKDF2_INDEX]);
byte[] testHash = pbkdf2(password, salt, iterations, hash.length);
return slowEquals(hash, testHash);
}
private static boolean slowEquals(byte[] a, byte[] b)
{
int diff = a.length ^ b.length;
for(int i = 0; i < a.length && i < b.length; i++)
diff |= a[i] ^ b[i];
return diff == 0;
}
private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes)
throws NoSuchAlgorithmException, InvalidKeySpecException
{
PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
SecretKeyFactory skf = SecretKeyFactory.getInstance(PBKDF2_ALGORITHM);
return skf.generateSecret(spec).getEncoded();
}
/**
* Converts a string of hexadecimal characters into a byte array.
*
* @param hex the hex string
* @return the hex string decoded into a byte array
*/
private static byte[] fromHex(String hex)
{
byte[] binary = new byte[hex.length() / 2];
for(int i = 0; i < binary.length; i++)
{
binary[i] = (byte)Integer.parseInt(hex.substring(2*i, 2*i+2), 16);
}
return binary;
}
/**
* Converts a byte array into a hexadecimal string.
*
* @param array the byte array to convert
* @return a length*2 character string encoding the byte array
*/
private static String toHex(byte[] array)
{
BigInteger bi = new BigInteger(1, array);
String hex = bi.toString(16);
int paddingLength = (array.length * 2) - hex.length();
if(paddingLength > 0)
return String.format("%0" + paddingLength + "d", 0) + hex;
else
return hex;
}
public static void main(String[] args)
{
try
{
// Print out 10 hashes
for(int i = 0; i < 10; i++)
System.out.println(PasswordHash.createHash("p assw0Rd!"));
// Test password validation
boolean failure = false;
System.out.println("Running tests...");
for(int i = 0; i < 100; i++)
{
String password = ""+i;
String hash = createHash(password);
String secondHash = createHash(password);
if(hash.equals(secondHash)) {
System.out.println("FAILURE: TWO HASHES ARE EQUAL!");
failure = true;
}
String wrongPassword = ""+(i+1);
if(validatePassword(wrongPassword, hash)) {
System.out.println("FAILURE: WRONG PASSWORD ACCEPTED!");
failure = true;
}
if(!validatePassword(password, hash)) {
System.out.println("FAILURE: GOOD PASSWORD NOT ACCEPTED!");
failure = true;
}
}
if(failure)
System.out.println("TESTS FAILED!");
else
System.out.println("TESTS PASSED!");
}
catch(Exception ex)
{
System.out.println("ERROR: " + ex);
}
}
}
Related Questions
drjack9650@gmail.com
Navigate
Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.