This document discusses various methods for password authentication and storage, including hashing, salting, and challenge-response protocols. It describes scenarios where a user sends their password or hashed password to a server for verification, and vulnerabilities like phishing, brute force attacks, or dictionary attacks. The document recommends techniques like hashing passwords before transmission, salting hashes for storage, extending password key spaces, and using multi-factor authentication to improve security.

1. IT549 Foundation In Information Assurance
Answers:
Alice sends a password, and Bob compares it against a database of passwords.
This scenario involves the password-based type of authentication. Passwords exist in the
form of letters, numbers, or special characters. However, they are prone to phishing and
password attacks. Today, users have different accounts and have a lot of passwords to
remember. As a result, users choose convenience over security, and they end up using weak
passwords that are easy to remember. If Alice sends a plain password to Bob, an intruder
may use it maliciously to obtain confidential information from the database. Also, attackers
may target the plain passwords stored in the database (Mohammed et al., 2017).
As Kamal (2019) states, plain passwords are protected through hashing. Hashing involves
turning a password into a different string of letters and numbers using an encryption
algorithm or cryptographic hash function. This method is effective because it is an
irreversible one-way function. This way, if the database is hacked or an intruder accesses it,
they cannot read the actual password. Also, Alice can hash it before sending it over the
network, or the system should incorporate an automatic hashing function when the user
keys in the plain password.
Alice sends a password, and Bob hashes it and compares it against a database of hashed
passwords.
Alice sending a plain password to Bob makes the password susceptible to phishing as well.
Even though Bob hashes it and compares it to a list of hashed passwords, an intruder may
be listening through the transmission channel.
Like the previous scenario, the most appropriate solution is hashing the password before
sending it over the network or channel. The organization should include a hashing function
to encrypt the password at the user’s end (Kamal, 2019).
Alice computes the hash of a password and uses it as secret key in challenge/response
protocol.

2. Hashing passwords has been effective in protecting stored and passwords sent over a
communication network. However, hackers can also crack hashes if the hacker has a hash
dump. Dumped hashes can be cracked using brute-force or dictionary attack.
To solve this, confidentiality at the application and transport level can be implemented. The
scan2pass system model suggested by Zmezm et al. (2018) can be implemented here. The
model first involves protecting the sensitive data and encryption key transmitted through
the communication channel. Second, a key derivation function is used to extend the key
space length of Alice’s password. Extending the key space to 256 bits prevents brute-force
and dictionary attacks. Finally, mutual authentication between the entities is done through
multi-factor techniques. The Quick Response Code (QR code) computes an OTP for the user
and server during the challenge/response protocol.
Alice computes the hash of a password and sends it to Bob, who hashes it and compares it
against a database of doubly-hashed passwords.
Hashing a password does not entirely secure it. Hashing it twice creates an iteration that
makes it more difficult for an attacker to try it against the hash dump. However, the stored
passwords are still prone to dictionary and brute-force attacks if the attacker spends more
time on them. Also, if the attacker had already cracked Alice’s hashed password due to the
lack of iteration, cracking the double-hashed password in the database would take less time.
Solving this requires using salted hashes. Karrar et al. (2018) define a salted hash as a
random string that appends or prepends the user’s original password before using the
cryptographic hash function. The technique can also include swapping, reordering, or
rearranging the user’s plain password before hashing and storing it.
References
Kamal, P. (2019). Security of password hashing in cloud. Journal of Information Security,
10(02). 45-68. https://doi.org/10.4236/jis.2019.102003
Karrar, D., Almutiri, T., Algrafi, S., Alalwi, N., & Alharbi, A. (2018). Enhancing salted
password hashing technique using swapping elements in an array algorithm. International
Journal of Computer Science and Technology. 9(1). 21-25.
Mohammed, S., Lakshminarayanan, R., Ramalingam, R. (2017). Password-based
authentication in computer security: Why is it still there? SIJ Transactions on Computer
Science Engineering & its Applications. 5(2).
Zmezm, H., Zmezm, H., Basiron, H., & Khalefa, M. (2018). A novel scan2pass architecture for
enhancing security towards ecommerce. Future Technologies Conference.