An Analysis of Computer Network Security Solutions and the Security Implications of an Auction Syste

Task

1. Suppose that a website enforces random passwords that are exactly 8 characters long, where the allowed characters are from a set of 16 characters that includes the set of 10 numbers plus 6 specified punctuation characters. The website will lock an account after 32 failed login attempts for one hour (from the time of the first failed login) and uses a random 128 bit salt when storing the hashed passwords. Concisely explain how long it would take an attacker to guess all possible passwords for one specific account in each of the following two cases: Case 1: An online attack. Case 2: An offline attack. Assume that an attacker can compute about a billion hash computations per hour. (4 marks)

2. Analysis of computer network security solutions: public key encryption, symmetric key encryption, certificates, PGP


This question is based on the following scenario.


An auction system is being developed. The system is run by an Auction House which creates new auctions, registers auction bids, and determines the auction winner. The Auction House issues for each auction a certificate signed with the Auction House’s own certificate. The Auction House welcomes bids on an auction. Bidders identify with the Auction House using a public PGP key. Once an auction is closed, the Auction House publishes the list of bids.


The system implements four different types of auction. For each type, bid registration, bid receipt and bids publication are as follows.


Type A The bidder sends to the Auction House [auction certificate, bid amount] signed with his/her private PGP key; the Auction House returns to the bidder [auction certificate, public PGP key of bidder, bid amount] signed with the auction certificate private key; on closure of the auction, the Auction House publishes the list of [public PGP key of bidder, bid amount] signed with the auction private key.


Type B The bidder sends to the Auction House [auction certificate, bid amount] signed with his/her private PGP key; the Auction House issues a new unique bidderID and returns to the bidder [auction certificate, bidderID, bid amount] signed with the auction certificate private key; on closure of the auction, the Auction House publishes the list of [bidderID, bid amount] signed with the auction private key.


Type C The bidder sends to the Auction House [auction certificate, bid amount] signed with his/her private PGP key; the Auction House issues a new pair of asymmetric keys [bidderPub, bidderPriv] and returns to the bidder [auction certificate, bidderPriv, bid amount] signed with the auction certificate private key; on closure of the auction, the Auction House publishes the list of [bidderPub, bid amount] signed with the auction private key.


Type D The Auction House creates one symmetric key auctionKey per auction; the key is kept secret. The bidder sends to the Auction House [auction certificate, bid amount] signed with his/her private PGP key; the Auction House issues a new pair of asymmetric keys [bidderPub, bidderPriv] and returns to the bidder [auction certificate, auctionKey, bidderPriv, bid amount] signed with the auction certificate private key; on closure of the auction, the Auction House publishes the list of [bidderPub, public PGP key of bidder encrypted with auctionKey, bid amount] signed with the auction private key.


(a) For each bidding system type, concisely discuss the confidentiality of bidder identity. (8 marks)


(b) Concisely discuss and assess the proof of bid ownership for each auction type. Indicate how a bidder would prove bid ownership, and how someone would verify the proof. (6 marks)


(c) Explain concisely why all the auction types require the bidder to sign the [authentication certificate, bid amount] pair with his/her private PGP key? (2 marks)


(d) Concisely discuss the impact on bids and auctions if the Auction House certificate was found to be compromised, if an auction certificate was found to be compromised, if a bidder’s PGP key was found to be compromised, and if an auctionKey was found to be compromised. (4 marks)
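
One way the ownership proofs asked about in part (b) could be checked for Types B and C, as an added example that is not part of the original task. The toy textbook-RSA helpers, the keys built from Mersenne primes, the `AUCTION_CERT` value and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def keypair(p, q):
    """Toy textbook-RSA key from two known primes: returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    """SHA-256 of the message's repr, reduced into the modulus."""
    return int.from_bytes(hashlib.sha256(repr(msg).encode()).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

# Constructed keys (toy sizes, no padding: illustration only, not secure).
AUCTION_N, AUCTION_D = keypair(2**61 - 1, 2**89 - 1)    # auction certificate key
BIDDER_N, BIDDER_D = keypair(2**107 - 1, 2**127 - 1)    # Type C bidderPub / bidderPriv
AUCTION_CERT = "auction-cert-0001"                       # constructed placeholder

def type_b_receipt(bidder_id, amount):
    """Auction House: sign [auction certificate, bidderID, bid amount]."""
    msg = (AUCTION_CERT, bidder_id, amount)
    return msg, sign(msg, AUCTION_N, AUCTION_D)

def prove_type_b(receipt, published):
    """Verifier: the receipt signature is valid under the auction key
    and its (bidderID, amount) pair appears in the published list."""
    (cert, bidder_id, amount), sig = receipt
    return (verify((cert, bidder_id, amount), sig, AUCTION_N)
            and (bidder_id, amount) in published)

def prove_type_c(published_entry, challenge, response):
    """Verifier: the response is a signature over a fresh challenge
    that checks out under the published bidderPub."""
    bidder_pub_n, _amount = published_entry
    return verify(challenge, response, bidder_pub_n)
```

The Type B receipt works as a bearer proof: anyone holding a copy can present it. The Type C proof needs bidderPriv, which the Auction House also knows because it generated the pair.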
