HW8 : Hash Collisions


Due: 7/15/2014 @5:30pm via users.cs.umb.edu:cs210/hw8

Gain experience with hash collisions and secure code

Get the server code here: https://github.com/ieee8023/cs210-summer2014

For this project you are are going to use your knowledge of hash collisions to log into a server. The server is returning the hash of the password that you need to type in by accident. You can use this knowledge to gain access. Because you don’t need to find the password, you only need to find a collision.

1. Connect to the server merb.cs.umb.edu on port 6801 using netcat, nc, ncat, or telnet. Observe that the developer has left debug on so you can see the password hash. Read the source code provided which details the hash method.

2. Write code (CatCracker.java) to find a string that results in the same hash as the one the server is looking for. Hint: generate strings of letters randomly and check each one using the getCS210Sha1 method. Just copy and paste the method into your code. Don’t try to connect to the server for many words.

3. Write a memo.txt describing any problems you had during this assignment and what you learned. Report the password you found and what the server returned.


+ It is ok to find some random string generation code online. It’s a valuable skill to know how to use code online to solve a problem.
+ You can find code on the internet to generate random strings of characters
+ Print out the byte array using Arrays.toString() to make sure you are comparing correctly
+ If you cannot find a match then try larger strings
+ Don’t print to the console when searching. It will slow the search down
+ You should find a collision in about 5 minutes

$ nc merb.cs.umb.edu 6801
CATDEBUG: Debug mode is on!
CATDEBUG: Remember to turn if off or you will leak the password hash!
Welcome to Cat Server 2014
Cats are password protected
Please enter the password:
CATDEBUG: Input CS210Sha1   : [-87,74,-113]
CATDEBUG: Password CS210Sha1: [-75,1,-127]
CATDEBUG: Password mismatch

Grading (total 10 points):

Turn in the following files: CatCracker.java

3 points: generate random strings

3 points: loop through different strings trying to find a collision

2 points: found a password that works

2 points: memo.txt, easy to grade.