Question

In: Computer Science

can you create two examples for each of the vulnerabilities in the category below and possible fixes

Use of a Broken or Risky Cryptographic Algorithm

Improper Restriction of Excessive Authentication Attempts

Use of a One-Way Hash without a Salt

Solutions

Expert Solution

The software uses a one-way cryptographic hash against an input, which is hard to invert given the image of a random input. The input is something like a password, but the software does not use a salt as part of the input. The ideal cryptographic hash function has four main properties:

  • it is easy to compute the hash value for any given message.
  • it is not easy to generate a message that has a given hash (one-way function).
  • it is not easy to modify a message without changing the hash.
  • it is not easy to find two different messages with the same hash.

The rainbow table is a precomputed lookup table offering a time-memory trade-off, used in recovering a plaintext password from a password hash generated by hash functions such as cryptographic hash functions. It is a compromise between pre-computing all plaintexts to hashes and looking them up through a table of (plaintext, hash) pairs. The table only stores the starting plaintext and the final hash it chooses to end with, so a chain containing millions of hashes can be represented with only a single starting plaintext and a single finishing hash.

Suppose we have a hash and want to find the plaintext, so we search the saved hashes. If we find that hash, we reconstruct the hash chain, and after each newly generated hash we search through the saved hashes to see if we already know it.

Some hash functions have become vulnerable. Along with the mistake of not using a salt, this makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables. It should be noted that, despite common perception, using a salt with a hash does not sufficiently increase the protection level. An attacker who is targeting an individual password, or who has a large amount of computing resources available, can still pre-compute the hash. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions.

The real danger is offline cracking. Hackers break into a system to steal the encrypted password file, or secretly listen to a conversation on an encrypted exchange across the internet. They are then free to decrypt the passwords without anybody stopping them. If an attacker can obtain the hashes through some other method, such as SQL injection on a database that stores hashes, then the attacker can store the hashes offline and use various techniques to crack the passwords by computing hashes effectively.

Detection can be done in the following ways:

  • Source code weakness analyzer.
  • Context-source code weakness analyzer.
  • Binary/bytecode disassembler, then manual analysis for vulnerabilities and anomalies.

Example 1:

  • A user is logged in if their given password matches a stored password:
    unsigned char *check_passwd(char *plaintext) {
        unsigned char *ctext;
        /* unsalted SHA-1 of the raw password (the weakness shown here) */
        ctext = simple_digest("sha1",plaintext,strlen(plaintext),...);
        //login if hash matches stored hash
        if(equal(ctext,secret_password())) {
            login_user();
        }
        return ctext;
    }

    This code does not provide a salt to the hashing function, thus increasing the chances of an attacker being able to reverse the hash and discover the original password. The code will be fixed as follows:

    unsigned char *check_passwd(char *plaintext) {
        unsigned char *ctext;
        char stext[256];
        /* salt is assumed to be a string defined elsewhere in the program;
           snprintf bounds the copy so a long password cannot overflow stext */
        snprintf(stext, sizeof stext, "%s%s", plaintext, salt);
        ctext = simple_digest("sha1",stext,strlen(stext),...);
        //login if hash matches stored hash
        if(equal(ctext,secret_password())) {
            login_user();
        }
        return ctext;
    }

Example 2

  • In this example, a new user provides a new username and password to create an account. The program hashes the new user's password, then stores it in a database.
    unsigned char *add_db(char *user,char *pass) {
        unsigned char *cpass;
        /* unsalted SHA-1 of the raw password (the "shah1" typo corrected to "sha1") */
        cpass = simple_digest("sha1",pass,strlen(pass),...);
        update_db(user,cpass);
        return cpass;
    }

    There is no salt provided to the hashing function in the code, increasing the chances of an attacker being able to reverse the hash and discover the original password if the database is compromised.

    unsigned char *add_db(char *user,char *pass) {
        unsigned char *cpass;
        char spass[256];
        /* salt is assumed to be a string defined elsewhere; snprintf bounds the copy */
        snprintf(spass, sizeof spass, "%s%s", pass, salt);
        cpass = simple_digest("sha1",spass,strlen(spass),...);
        update_db(user,cpass);
        return cpass;
    }

The adaptive hash function can be configured to change the number of repetitions of the process. It can be configured to randomize the salt; the number of repetitions and the salt are saved in the database along with the hash. There is active debate about which of these functions is the most effective, but they are all stronger than using salts with hash functions with very little computing overhead. The use of these functions can have an impact on performance, so they require special consideration to avoid denial of service attacks.
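The three schemes discussed in the answer above (unsalted hash, salted hash, adaptive hash with stored salt and repetition count), as an added example that is not part of the original answer or of the program the C snippets belong to. A constructed four-word list stands in for an attacker's precomputed table, Python's hashlib models the `simple_digest("sha1", ...)` call, and PBKDF2-HMAC-SHA256 with a random per-user salt and a stored iteration count stands in for the "adaptive hash function" of the last paragraph. The names `build_lookup_table`, `make_record` and `verify` are mine, not from the page.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for an attacker's precomputed table.
COMMON_WORDS = ["password", "letmein", "qwerty", "hunter2"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme from the C snippets: SHA-1 of the raw password only."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once; the same table works against every
    database that stores unsalted hashes, which is why the missing salt matters."""
    return {unsalted_sha1(w): w for w in words}


def lookup(table: dict, digest: str):
    """Return the plaintext if the digest is in the precomputed table, else None."""
    return table.get(digest)


def salted_sha1(password: str, salt: bytes) -> str:
    """The fixed form of the snippets: the salt is mixed in before hashing, so a
    table precomputed for unsalted hashes no longer matches."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


# Adaptive hash (assumed here: PBKDF2-HMAC-SHA256). The random per-user salt and
# the iteration count are stored next to the hash, as the answer describes.
def make_record(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    print("unsalted:", lookup(table, unsalted_sha1("letmein")))          # found
    print("salted:  ", lookup(table, salted_sha1("letmein", b"x1")))    # None
    rec = make_record("letmein")
    print("adaptive verify:", verify(rec, "letmein"), verify(rec, "wrong"))
```

Raising the iteration count makes each guess (and each legitimate login) cost more, which is the performance and denial-of-service trade-off the answer's last paragraph mentions.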

