Description
Aims
This assignment aims to establish a basic familiarity with network security topics via analysing,
designing, and implementing solutions.
Questions
1. Network Security (10 marks)
A bank system, including the internal and external sub-systems, is used by different users.
Based on the security requirements, these accesses should be protected in different ways
depending on access methods. We will focus on network security for internal and external
access to the bank system in this task.
• There are two types of users: bank customers and bank employees.
• The bank system provides a range of services, such as personal savings, bank
statements, money transfer, internal message management, and account
management.
• As a customer, it is allowed to use web browsers to access the bank website and make
transactions.
• A customer can also use the mobile app to access the services. In this case, The
customer is likely to use a mobile network or WiFi connection.
• As a bank employee, it is allowed to access the bank system via the website or desktop
application.
• When an employee is travelling for business, it may need to connect the bank servers
via a secure connection.
Your task.
a. Consider the security of the above system, discuss three potential security issues and
provide countermeasures.
For each of the issues, specify the related security service(s), attack(s) and
mechanism(s). The demonstrated issues must not relate to the same security
service(s). (3 marks)
b. Consider that a bank employee requests to modify a bank customer’s daily cash
transfer limit. Briefly describe the essential security-related step(s) that demonstrate
the security checks for the operation. For each step, specify the aimed security
service(s). (3 marks)
c. An employee accesses the internal system with proper authentication and
authorisation. Consider Kerberos, SAML, and OAuth, which one is better for internal
system authentication and authorisation? Justify your answer. (2 marks)
d. To provide secure connection services for the travelling employees, which of IPSec,
SSL/TLS, and SSH, would be a better option? Justify your answer. (2 marks)
2. Programming Task (15 marks)
A client and a server are planning to do data exchange. They decide to use a simplified SSL
handshake (see Figure 1) to establish a secure channel (session key) then exchange data. The
simplified SSL handshake removes the messages for alert, change cipher spec, certificate, etc.
Figure 1. Secure data exchange.
IDC: client ID; IDS: server ID; SID: session ID;
Your task: implement the above mechanism in Java. (You are also allowed to use C++/Python.)
The following components are mandatory for implementation.
• Fast modular exponentiation (2 marks)
• RSA signature scheme. (3 marks)
o RSA key generation: randomly generate two primes 𝑝𝑝, 𝑞𝑞 (for 2048-bit RSA).
Set the public key as the fixed 𝑒𝑒 = 65537. Server’s RSA public key will be sent
to the client in the Steup message. Assume this message can be securely
delivered, no security protection is needed. Note that the client DOES NOT
have client RSA keys.
o RSA signature generation: using SHA256 for message digest computation.
o RSA signature verification: using SHA256 for message digest computation.
o The underlying hash function is SHA256. You can use it from the Java library.
o Key generation needs to be implemented using (Java) BigInteger.
o RSA signature generation and verification need to be implemented using your
own fast modular exponentiation method.
• Diffie-Hellman key exchange (2 marks)
o Use the parameters 𝑝𝑝, 𝑔𝑔 from the System Parameters section.
• HMAC (2 marks)
o Use SHA256 as the underlying hash function.
o Use the DH key (e.g., 𝑘𝑘 = 𝑔𝑔𝑥𝑥𝑥𝑥) to generate the authentication key 𝑘𝑘′, such
that 𝑘𝑘′ = 𝐻𝐻(𝑘𝑘), where 𝐻𝐻() is the SHA256 hash function.
o HMAC is calculated as (refer to lecture 2)
𝐻𝐻(𝑘𝑘′
, 𝑚𝑚) = 𝐻𝐻((𝑘𝑘′ ⊕ 𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜)||𝐻𝐻(𝑘𝑘′ ⊕ 𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖)||𝑚𝑚)
• CBC mode (2 marks)
o Assume a message is always a multiple of 16-byte, i.e. no padding needed.
• The simplified SSL handshake message flow. (2 marks)
• Data exchange (2 marks)
o When a shared session key is created, they use 256-bit AES encryption with
CBC and HMAC to protect data confidentiality and integrity, respectively.
o Demonstrate at least two message exchanges, where each message is exactly
64 bytes.
You may refer to the FAQ for more information.
Compilation
• Please provide a readme.txt file for compilation and execution instructions.
• Uncompilable or unexecutable program may receive zero marks.
Input/Output
• Print (to standard input/output) all messages exchanged between the client and
server.
• Use a proper output format to demonstrate the message exchange.
System Parameters
Hash function: you should use SHA256 whenever a hash function is needed.
Diffie-Hellman Key Exchange parameters (𝒑𝒑, 𝒈𝒈)
𝒑𝒑 =
17801190547854226652823756245015999014523215636912067427327445031444
28657887370207706126952521234630795671567847784664499706507709207278
57050009668388144034129745221171818506047231150039301079959358067395
34871706631980226201971496652413506094591370759495651467285569060679
4135837542707371727429551343320695239
𝒈𝒈 =
17406820753240209518581198012352343653860449079456135097849583104059
99534884558231478515974089409507253077970949157594923683005742524387
61037084473467180148876118103083043754985190983472601550494691329488
08339549231385000036164648264460849230407872181895999905649609776936
8017749273708962006689187956744210730
Notes
• Your implementation MUST be able to handle large numbers. Otherwise, 3 marks will
be deducted.
o Java
https://docs.oracle.com/javase/7/docs/api/java/math/BigInteger.html
o C++ users should use NTL library.
https://www.shoup.net/ntl/doc/tour-examples.html
• Your implementation MUST use socket programming. Otherwise, 2 marks will be
deducted.
o Java tutorial
https://docs.oracle.com/javase/tutorial/networking/sockets/
o C manual (This can be used with C++ with a few modifications)
https://man7.org/linux/man-pages/man2/socket.2.html
o C++ tutorial (uses boost, you would want build tool to manage that, such as
https://cmake.org/)
https://theboostcpplibraries.com/boost.asio-network-programming
o Python example and documentation
https://docs.python.org/3/library/socket.html#example
FAQ
1. What is about the “Setup_Request: Hello” message?
It is just the text “Hello” that initiates the setup phase.
2. Can I use modpow() (or some function like that from the library) for modular
exponentiation computation?
No. You need to implement the function based on the pseudocode of the Lab 2 task.
3. What should I do to create 2048-bit RSA keys?
You need to choose two 1024-bit prime numbers for 𝑝𝑝 and 𝑞𝑞, respectively, then
follow the RSA scheme.
4. What are the identities like IDs?
They are random character/number string of your choice.
5. Which is the shared session key for (CBC-AES256) encryption and HMAC?
It is 𝑘𝑘′.
6. Can I use the “CBC” encryption mode from the library?
No. You need to implement CBC encryption and decryption processes.
7. What should I send for the data exchange demonstration?
Anything, as long as 64 bytes of each message.
8. Can I use the external cryptography library?
Yes, but you have to implement the required components.
9. Can I reuse the code from the labs?
Yes.
Submission
All assignments must be submitted via Blackboard (Assessment tab for SENG2250). If you submit more
than once, then only the latest will be graded. Your submission should be one ZIP file containing:
• Assessment item cover sheet.
• A PDF file which contains answers to Question 1 and screenshot(s) of Question 2 program
execution.
• All source code files of the program and the readme.txt.
The mark for an assessment item submitted after the designated time on the due date, without an
approved extension of time, will be reduced by 10% of the possible maximum mark for that
assessment item for each day or part day that the assessment item is late. Note: this applies equally
to week and weekend days.
Plagiarism
A plagiarised assignment will receive ZERO marks (and be penalised according to the university rules).