PFA
Microsoft Word - a3.docx SENG2250 System and Network Security School of Information and Physical Sciences Semester 2, 2021 Assignment 3 (25 marks, 25%) - Due: 31 October, 23:59 Aims This assignment aims to establish a basic familiarity with network security topics via analysing, designing, and implementing solutions. Questions 1. Network Security (10 marks) A bank system, including the internal and external sub-systems, is used by different users. Based on the security requirements, these accesses should be protected in different ways depending on access methods. We will focus on network security for internal and external access to the bank system in this task. • There are two types of users: bank customers and bank employees. • The bank system provides a range of services, such as personal savings, bank statements, money transfer, internal message management, and account management. • As a customer, it is allowed to use web browsers to access the bank website and make transactions. • A customer can also use the mobile app to access the services. In this case, the customer is likely to use a mobile network or WiFi connection. • As a bank employee, it is allowed to access the bank system via the website or desktop application. • When an employee is travelling for business, it may need to connect the bank servers via a secure connection. Your task. a. Consider the security of the above system, discuss two potential security issues and provide countermeasures. For each of the issues, specify the related security service(s), attack(s) and mechanism(s). The demonstrated issues must not relate to the same security service(s). (2 marks) b. Consider that a bank employee requests to modify a bank customer’s daily cash transfer limit. Briefly describe the essential security-related step(s) that demonstrate the security checks for the operation. For each step, specify the aimed security service(s). (2 marks) c. An employee accesses the internal system with proper authentication and authorisation. Consider Kerberos, SAML, and OAuth, which one is better for internal system authentication and authorisation? Justify your answer. (3 marks) d. To provide secure connection services for the travelling employees, which of IPSec, SSL/TLS, and SSH, would be a better option? Justify your answer. (3 marks) 2. Programming Task (15 marks) A client and a server are planning to do data exchange. They decide to use a simplified SSL handshake (see Figure 1) to establish a secure channel (session key) then exchange data. The simplified SSL handshake removes the messages for alert, change cipher spec, certificate, etc. Figure 1. Secure data exchange. IDC: client ID; IDS: server ID; SID: session ID; Your task: implement the above mechanism in Java (alternatively C++/Python). The following components are mandatory for implementation. • Fast modular exponentiation (2 marks) • RSA signature scheme. (3 marks) o RSA key generation: randomly generate two primes ?, ? (for 2048-bit RSA). Set the public key as the fixed ? = 65537. Server’s RSA public key will be sent to the client in the Steup message. Assume this message can be securely delivered, no security protection is needed. Note that a client DOES NOT have its RSA keys. o RSA signature generation: using SHA256 for message digest computation. o RSA signature verification: using SHA256 for message digest computation. o The underlying hash function is SHA256. You can use it from the Java library. o Key generation needs to be implemented using (Java) BigInteger. o RSA signature generation and verification need to be implemented using your own fast modular exponentiation method. • Diffie-Hellman key exchange (2 marks) o Use the parameters ?, ? from the System Parameters section. • The DH key exchange should be secure against man-in-the-middle attacks. (2 marks) • HMAC (2 marks) o Use SHA256 as the underlying hash function. o Use the DH key (e.g., ? = ?!") to generate the authentication key ?′, such that ?# = ?(?), where ?() is the SHA256 hash function. o HMAC is calculated as (refer to lecture 2) ?(?#, ?) = ?((?#⊕????)||?((?#⊕ ????)||?)) • CTR mode (2 marks) o Assume a message is always a multiple of 16-byte, i.e. no padding needed. • Data exchange (2 marks) o When a shared session key is created, they use 256-bit AES encryption with CTR and HMAC to protect data confidentiality and integrity, respectively. o Demonstrate at least two message exchanges, where each message is exactly 64 bytes. You may refer to the FAQ for more information. Compilation • Please provide a readme.txt file for compilation and execution instructions. • Uncompilable or unexecutable program may receive zero marks. Input/Output • Print (to standard input/output) all messages exchanged between the client and server. • Use a proper output format to demonstrate the message exchange. System Parameters Hash function: you should use SHA256 whenever a hash function is needed. Diffie-Hellman Key Exchange parameters (?, ?) ? = 17801190547854226652823756245015999014523215636912067427327445031444 28657887370207706126952521234630795671567847784664499706507709207278 57050009668388144034129745221171818506047231150039301079959358067395 34871706631980226201971496652413506094591370759495651467285569060679 4135837542707371727429551343320695239 ? = 17406820753240209518581198012352343653860449079456135097849583104059 99534884558231478515974089409507253077970949157594923683005742524387 61037084473467180148876118103083043754985190983472601550494691329488 08339549231385000036164648264460849230407872181895999905649609776936 8017749273708962006689187956744210730 Notes • Your implementation MUST be able to handle large numbers. Otherwise, 3 marks will be deducted. o Java https://docs.oracle.com/javase/7/docs/api/java/math/BigInteger.html o C++ users should use NTL library. https://www.shoup.net/ntl/doc/tour-examples.html • Your implementation MUST use socket programming. Otherwise, 3 marks will be deducted. o Java tutorial https://docs.oracle.com/javase/tutorial/networking/sockets/ o C manual (This can be used with C++ with a few modifications) http://man7.org/linux/man-pages/man2/socket.2.html o C++ tutorial (uses boost, you would want build tool to manage that, such as https://cmake.org/) https://theboostcpplibraries.com/boost.asio-network-programming o Python example and documentation https://docs.python.org/3/library/socket.html#example FAQ 1. What is about the “Setup_Request: Hello” message? It is just the text “Hello” that initiates the setup phase. 2. Can I use modpow() (or some function like that from the library) for modular exponentiation computation? No. You need to implement the function based on the pseudocode in Lab 2. 3. What are the identities like IDs? They are random character/number string of your choice. 4. Which is the shared session key for (CTR-AES256) encryption and HMAC? It is ?′. 5. Can I use the “CTR” encryption mode from the library? No. You need to implement CTR encryption and decryption processes. 6. What should I send for the data exchange demonstration? Anything, as long as 64 bytes of each message. 7. Can I use the external cryptography library? Yes, but you have to implement the required components. 8. Can I reuse the code from the labs? Yes. Submission All assignments must be submitted via Blackboard (Assessment tab for SENG2250). If you submit more than once, then only the latest will be graded. Your submission should be one ZIP file containing: • A PDF file which contains answers to Question 1 and screenshot(s) of Question 2 program execution. • All source code files of the program and the readme.txt. The mark for an assessment item submitted after the designated time on the due date, without an approved extension of time, will be reduced by 10% of the possible maximum mark for that assessment item for each day or part day that the assessment item is late. Note: this applies equally to week and weekend days. Plagiarism A plagiarised assignment will receive ZERO marks (and be penalised according to the university rules).