Problem 1: Access Control (a). Under each scenario given below, explain whether ACL or capabilities would be a good choice for revocation. Justify your answer.

(i). Revoking an individuals access rights to a particular set of files, but not all files

(ii). Revoking access to a particular file from a group of users, but not all users Problem

2: Authentication

(a). Suppose that a password-based authentication system only allows passwords to be created by using 26 characters from the alphabet and the 10 number characters. Under such a system, how many number of unique passwords can be constructed assuming that passwords are exactly 10 characters long and are case sensitive (i.e., lower and upper-case characters are considered to be different)?

(b). Does using passwords with salts make attacking a specific account more difficult than using passwords without salts? Explain why or why not.

Problem 3: Intrusion Detection

(a). Suppose you have been hired as the security manager at XYZ company. Your boss asks you to determine the number of erroneous login attempts that should be allowed before a users account is locked. She is concerned that too many employees are being locked out of their accounts unnecessarily, but is equally concerned that attackers may be able to guess passwords. How would you determine an appropriate value for the threshold?