CS513 Homework 3: Storing Passwords

General Instructions. You are expected to work alone on this assignment.

Due October 24, 10am. No late assignments will be accepted.

Submit your solution using CMS. Prepare your solution using Word (.doc) or some ascii editor (.txt), as follows:

We discussed in class storing passwords using salt and pepper. For each user id uidi, a password file contains the triple

< uidi, salti, H(passi || salti || ppri) >

where H is a hash function like MD5 or SHA-1, passi is the password, salti is the salt, and ppri is the pepper.

Two alternatives have been proposed. Compare each alternative to the above scheme and discuss whether (and how) it is better or worse.

  1. For each user id uidi, the password file instead contains a pair

    < uidi, Epassi(uidi || stuffi) >

    where

    Here, a login is permitted if a user u provides a password pwd and the system computes that

    holds, where

  2. For each user id uidi, the password file instead contains a triple

    < uidi, Epassi(ni), H( passi || ni) >

    where

    Here, a login is permitted if a user u provides a password pwd and the system computes that

    where Y denotes the third part of the password file's triple having as its first part user id u; X denotes the second part of that triple.