1. (30 points) Consider password authentication.
(a) Suppose an off-line dictionary attack is used, and suppose the attacker has prepared a dictionary of 10,0000 entries, the password file contains 1000 users with 50 different salt values. If the attacker's goal is to get as many passwords as possible, how many hash values would the attacker compute in the worst case?
(b) Based on the above part, how many comparisons between hash values are needed in the worst case?

2. (70 points) Design a Role-based access control system for an organization with the following requirements.
1. Any branch of the Cairo Amman bank consists of customers, cashiers, a manager and auditors.
2. By default, the Central bank president is an auditor of the JUST branch.
3. A bank manager or a cashier cannot become an auditor.
4. Any person with a valid Social security number may become a customer, including all bank employees (consisting of auditors, cashiers, and a manager).
5. A manager may become a cashier temporarily for a day, but may give up the manager's duty for that day, provided that another cashier becomes the manager for that day. Then, if the permanent manager had approved any transactions carried out by that cashier (who become manager) cannot approve any transaction of the permanent manager's accounts.
6. An auditor may never become a cashier or a manager.
7. A cashier or the manager must relinquish that duty temporarily in order for them to do their own customer transactions.
8. Alicei, ....... Alice27 are customers of the JUST branch of the bank. Mohammad (who holds a joint account with Aliceis) is a manager and Ali and Ahmed are cashiers at the Cairo Amman bank. The current Central Bank of Jordan president is His Excellency Dr. Ziad.
9. No employee may approve any activity on an account with his/her name.
10. An auditor may audit any transaction and balance books.
11. A cashier may debit or credit any customer account, provided the customer submits a written permission.
12. An account may be owned by a single customer or jointly by two of them.
13. A joint account transfer has to be approved by the manager.

Answer the below questions based on the above requirements:
(a) What are the roles of the RBAC system that models the bank?
(b) What are the permissions in the RBAC system?
(c) Who are the users of the RBAC system?
(d) What is the User-to-role map?
(e) What are the static constraints?
(f) What are the dynamic constraints?
(g) If Mohammad had approved a transaction carried out by Ali for another, and now wants to do a transaction on the account he holds jointly with Aliceis, who should become the temporary manager?
(h) What is the Role-to-permission mapping?
(i) If on the same day Aliceis wants to operate the same account, which cashiers are prohibited from transacting for her?
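The sketch below is an added example, not part of the original post. It shows one way to encode requirements 3, 6, 7, 9 and 13 as static and dynamic separation-of-duty checks. The class, method and account names are assumptions of this sketch, user names are spelled as they appear in the post, and the approval-history rule of requirement 5 is not modelled.

```python
# Added example: roles and users come from the requirements above;
# Bank, RBACError, build_branch and "joint-1" are names invented for this sketch.
SSD = [{"auditor", "manager"}, {"auditor", "cashier"}]    # static: req. 3 and 6
DSD = [{"customer", "manager"}, {"customer", "cashier"}]  # dynamic: req. 7

class RBACError(Exception):
    pass

class Bank:
    def __init__(self):
        self.assigned = {}  # user -> roles the user may ever take
        self.active = {}    # user -> roles active in the current session
        self.accounts = {}  # account id -> set of holder names

    def assign(self, user, role):
        roles = self.assigned.get(user, set()) | {role}
        if any(pair <= roles for pair in SSD):
            raise RBACError(f"static constraint: {user} cannot hold {sorted(roles)}")
        self.assigned[user] = roles

    def activate(self, user, role):
        if role not in self.assigned.get(user, set()):
            raise RBACError(f"{user} is not assigned {role}")
        roles = self.active.get(user, set()) | {role}
        if any(pair <= roles for pair in DSD):
            raise RBACError(f"dynamic constraint: {user} must relinquish a duty first")
        self.active[user] = roles

    def deactivate(self, user, role):
        self.active.get(user, set()).discard(role)

    def approve_joint_transfer(self, approver, account):
        if "manager" not in self.active.get(approver, set()):
            raise RBACError("joint transfers need an active manager")  # req. 13
        if approver in self.accounts[account]:
            raise RBACError("approver is a holder of this account")    # req. 9
        return True

def build_branch():
    """User-to-role map for the JUST branch as stated in requirements 2, 4 and 8."""
    bank = Bank()
    for user, role in [("Mohammad", "manager"), ("Ali", "cashier"),
                       ("Ahmed", "cashier"), ("Dr. Ziad", "auditor"),
                       ("Mohammad", "customer"), ("Aliceis", "customer")]:
        bank.assign(user, role)
    bank.accounts["joint-1"] = {"Mohammad", "Aliceis"}  # constructed account id
    return bank
```

Static constraints are enforced when a role is assigned; dynamic ones only when a role is activated in a session, which is why Mohammad can be both manager and customer but cannot act as both at once.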