Lecture 9

  1. Entropy
    1. Suppose a password is chosen as a concatenation of four lower-case dictionary words, where each word is selected uniformly at random from a dictionary of size 100,000. An example of such a password is correcthorsebatterystaple. How many bits of entropy does this have?
      If we assume that the attacker knows how the password is generated, there are 100 000^4 = 10^20 possible passwords. Since the entropy of a password equals the base-two logarithm of the number of possibilities, this password generator has log2(10^20) = 66.44 bits of entropy.
    2. Consider an alternative scheme where a password is chosen as a sequence of 8 random alphanumeric characters (including both lower-case and upper-case letters). An example is rg8Ql34g. How many bits of entropy does this have?

      The number of possibilities is (26 * 2 + 10)^8 = 62^8. The entropy is then log2(62^8) = 47.63 bits.

    3. Which is the stronger password?

      The first password is stronger and is also easier to memorize.

    4. Suppose an attacker can try guessing 10,000 passwords per second. On average, how long will it take to break each of the passwords?

      Case 1: 10^20 possibilities / 10 000 passwords/second = 10^16 seconds / 86 400 seconds/day = 1.15 * 10^11 days / 365 days/year = 317 097 919.83764 years to guess all the passwords, so 158 548 959.91882 years on average to guess the password.

      Case 2: 62^8 possibilities / 10 000 passwords/second = 2.1834 * 10^10 seconds / 86 400 seconds/day = 252 708.45554 days / 365 days/year = 692.35193 years to guess all the passwords, so 346.17597 years on average to guess the password.

  2. Cryptographic hash functions
    Download a Debian image from a mirror (e.g. from this Argentinean mirror). Cross-check the hash (e.g. using the sha256sum command) with the hash retrieved from the official Debian site (e.g. this file hosted at debian.org, if you’ve downloaded the linked file from the Argentinean mirror).
    1. Download the debian iso from the mirror:
      wget http://debian.xfree.com.ar/debian-cd/current/amd64/iso-cd/debian-12.X.X-amd64-netinst.iso
    2. Retrieve the official SHA256SUM from the debian website:
      wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS
    3. Calculate the SHA-256 Hash of the downloaded ISO:
      sha256sum debian-12.X.X-amd64-netinst.iso
    4. Cross-check the hash:
      sha256sum -c SHA256SUMS 2>&1 | grep debian-12.X.X-amd64-netinst.iso

      SHA256SUMS lists every image in the directory, so sha256sum complains on stderr about the ones you did not download; that is why stderr is merged and the output is filtered with grep (sha256sum --ignore-missing -c SHA256SUMS does the same without the noise). If you see 'OK' as an output everything went fine, if not...
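      As an added example that is not part of the original solutions, the following Python script reproduces what sha256sum -c does with a SHA256SUMS file: it parses the digest/filename lines, streams each file that is present through SHA-256 and reports OK, FAILED or MISSING. The files and digests are constructed inline instead of being downloaded, and the tampered file shows what a modified image looks like to the check.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 in 1 MiB chunks so a full ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum's 'digest  filename' lines (a leading '*' on the name marks binary mode)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.lstrip("*")] = digest.lower()
    return expected

def check_sums(sums_text, directory, ignore_missing=True):
    """Mimic `sha256sum -c [--ignore-missing]`: return {filename: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for name, digest in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            if not ignore_missing:  # without --ignore-missing, sha256sum reports these on stderr
                results[name] = "MISSING"
            continue
        # compare_digest is constant-time; not needed for a public checksum, but a good habit
        ok = hmac.compare_digest(sha256_of_file(path), digest)
        results[name] = "OK" if ok else "FAILED"
    return results

def demo():
    """Constructed scenario: one intact file, one tampered file, one entry for a file not downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.iso"), os.path.join(d, "tampered.iso")
        with open(good, "wb") as f:
            f.write(b"constructed sample ISO bytes\n")
        with open(bad, "wb") as f:
            f.write(b"constructed sample ISO bytes, altered in transit\n")
        # The SHA256SUMS file carries the digest of the original bytes for both images.
        original = hashlib.sha256(b"constructed sample ISO bytes\n").hexdigest()
        sums = f"{original}  good.iso\n{original}  tampered.iso\n{'0' * 64}  absent.iso\n"
        return check_sums(sums, d, ignore_missing=False)
```

      Running demo() yields OK for good.iso, FAILED for tampered.iso and MISSING for absent.iso; with the default ignore_missing=True the absent entry is simply skipped, as with --ignore-missing.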

  3. Symmetric cryptography
    Encrypt a file with AES encryption, using OpenSSL: openssl aes-256-cbc -salt -in {input filename} -out {output filename}. Look at the contents using cat or hexdump. Decrypt it with openssl aes-256-cbc -d -in {input filename} -out {output filename} and confirm that the contents match the original using cmp.
    1. Encrypt the file:
      openssl aes-256-cbc -salt -in original_file.txt -out encrypted_file.enc
    2. Check the contents of the encrypted file:
      hexdump -C encrypted_file.enc
    3. Decrypt the file:
      openssl aes-256-cbc -d -in encrypted_file.enc -out decrypted_file.txt
    4. Confirm the contents match:
      cmp original_file.txt decrypted_file.txt

      Recent OpenSSL versions print a warning that the default key derivation is deprecated; adding -pbkdf2 to both the encrypt and the decrypt command derives the key with PBKDF2 instead (both sides must use the same flag or decryption fails).
  4. Asymmetric cryptography
    1. Set up SSH keys on a computer you have access to (not Athena, because Kerberos interacts weirdly with SSH keys). Make sure your private key is encrypted with a passphrase, so it is protected at rest.
      ssh-keygen -t ed25519

      Be sure to enter a passphrase when prompted and don't write it down on your computer.

    2. Set up GPG
      Follow the tutorial linked in the lecture.
    3. Send Anish an encrypted email (Public key).
      You can encrypt a file for someone if you already have their public key imported:
      gpg --encrypt --sign --armor -r person@email.com file_to_encrypt
    4. Sign a Git commit with git commit -S or create a signed Git tag with git tag -s. Verify the signature on the commit with git show --show-signature or on the tag with git tag -v.
      Configure git to use your GPG key (replace ABCDEF1234567890 with your key ID, and set user.name and user.email first if they are not configured yet):
      git config --global user.signingkey ABCDEF1234567890
      Sign a git commit:
      git commit -S -m "Your commit message"
      Verify the commit signature:
      git show --show-signature
      Create a signed tag:
      git tag -s v1.0 -m "Version 1.0 release"
      Verify the signature on the tag:
      git tag -v v1.0