Q1: Cracking password management protocols
One of the best ways to evaluate the security of a password management protocol is to try to crack it yourself. Fortunately, you do not need to be an expert hacker to do this. A number of password cracking tools are available for free online.
For this Discussion, you will choose one example of a password management protocol (this includes password creation, storage, revocation, etc.) in any product suite you have used (e.g., Microsoft, Apple, Adobe, etc.) and discuss its security or insecurity with your colleagues. Then you will install one of the available cracking tools to see whether you can crack this system and share your experience with your colleagues.
To complete this Discussion:
Post: Name the product and the associated password management protocol you selected. Analyse the good and bad practices of this protocol. Install a password-cracking tool and try to crack that product. Then share your experience with your colleagues using screenshots. Recommend ways this protocol could be improved, if possible, and explain the results of the improvements you recommended.
Q2: Context and environment
In a pervasive computing environment, context plays an important role. Services are provided in a smart way based on the surrounding conditions (i.e., contextual attributes). From a security perspective, security services such as access control have to reflect this fact and be context-aware. With that in mind, consider the following scenario:
Alice, a security researcher, thinks that the role-based access control (RBAC) model, along with all traditional access control models, is not suitable. Bob thinks the opposite. Bob thinks RBAC, for instance, could be used to grant/deny permissions in such an environment.
For this Discussion, you will consider the current access control models you have seen so far and align yourself with either Alice or Bob.
To complete this Discussion:
Post: Take a position in which you agree with either Alice or Bob as described in the example, or if you are somewhere in between. Evaluate the suitability of role-based access control (RBAC) for accommodating contextual information in the access control decision-making process. Identify and describe any obstacles, and explain your solutions for them. Given the access policy, evaluate whether or not Extensible Access Control Markup Language (XACML) could be used to express the contextual attributes.
Encryption case study
ABC Company uses the cloud for its applications. It uses a password management application that stores passwords in a protected file encrypted by a single password. The password is five alphabetic characters and is changed on a monthly basis by the administrator, who delegates that to a colleague in case of the administrator's absence. When a subject seeks access to a certain protected object, the application decrypts the whole file in memory and matches the subject's password with the one in the store. The access control system does not accommodate contextual attributes in its access decision.