FIT3031: Information and Network Security Assignment Summer B Semester 2019
Submission Guidelines
Deadline: Assignment is due on Friday 25th January 2019, 11:55 PM.
Submission Files:
1. A report in PDF file format. In most text editors you can use the "Save as PDF"
option, or use a free converter to convert your file to PDF.
2. A python file for password management.
3. A python file for dictionary attack on SSH.
4. An imn file containing the configuration for Core Network Emulator.
Notes:
1. Do not submit a compression of multiple files. Such submissions may risk losing partial or
complete assignment marks.
2. A handwritten document is not acceptable and will not be marked even if converted and
submitted electronically.
Submission Platform: Electronic submission via Moodle.
Filename Format: Name your files for different assignment tasks as follows,
1. report_SID.pdf
2. mypass_SID.py
3. jtrssh_SID.py
4. core_SID.imn
where SID is your Student ID.
Note: You must strictly follow the provided file name format or penalties will apply.
Python Code Version: The python code must be written in version 3.
Late Submission Policy: Submit a special consideration form (available on moodle) to formally
request a late submission.
Late Submission Penalty: A late submitted assignment without prior approval will receive a
late penalty of 20% deduction per day (including Saturday and Sunday) or part thereof, after the
due date and time.
Plagiarism: It is an academic requirement that your submitted work be original. Zero marks will
be awarded for the whole submission if there is any evidence of copying, collaboration, pasting
from websites, or copying from textbooks.
Note: Plagiarism policy applies to all assessments.
IT Use Policy: Your submission must comply with Monash University’s IT Use Policy.
Marks
This assignment is worth 20% of the total unit marks.
The assignment is marked out of 100 nominal marks.
For example, if you obtain 60 marks for this assignment, it will contribute
(60 / 100) × 20 = 12 marks to your final unit grade.
1. [20 Marks] Joe is using the following algorithm to generate RSA keys.
import gmpy2 as gmp
from gmpy2 import mpz

def rsa_keygen(N):
    '''To generate RSA key pair
    of size N bits'''
    UB = 2**(N // 2) - 1
    LB = 2**((N // 2) - 1)
    status = True
    p = rand_n(LB, UB)
    p = gmp.next_prime(p)
    q = gmp.next_prime(p)
    e = mpz(65537)
    n = mpz(p * q)
    phi_n = mpz((p - 1) * (q - 1))
    if gmp.gcd(e, phi_n) == 1:
        d = gmp.invert(e, phi_n)
    else:
        status = False
        d = -1
    return status, n, e, d
Since you studied Information and Network Security in your undergraduate degree, the
CIO of the company where you are currently employed asks you to analyse the security of Joe’s
algorithm. To assist you in this task, Joe has provided a sample public key generated using his
method and an encrypted message. You can download these values from moodle under the "My
Assessment" section named "Download Individual Sample of Public Key and Ciphertext". If you
find Joe’s algorithm to be secure, you must justify it by explaining the difficulty of recovering
the plaintext from the ciphertext and the knowledge of the public key. If you find Joe’s algorithm to
be vulnerable, you must first explain how you can recover the plaintext from the ciphertext
and the provided public key. You must then include the recovered plaintext in your report.
If you are able to factor the modulus as well, you must include the factors (p and q) as well as
the private exponent d.
Note: The rand_n() function generates a random mpz number between the lower and upper bounds.
You can assume that this function is secure; in other words, the security of this function is not
the focus of this task. You can implement the rand_n() function if you wish to run the given code,
however that is not required to be able to answer this question.
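An added example (not part of the assignment or of Joe's code): taking q as the next prime after p puts both primes next to the square root of n, and a key-audit screen can flag such a modulus from the public key alone with a bounded number of Fermat steps. It is shown beside a generator that draws the two primes independently and enforces the FIPS 186-4 distance bound |p - q| > 2^(N/2 - 100). The function names, the 100-round budget and the Miller-Rabin helper are assumptions made for illustration.

```python
import math
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test (helper added for this example)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime of exactly `bits` bits (top and low bit forced to 1)."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def close_prime_factors(n, max_rounds=100):
    """Audit screen: return (p, q) if n = p*q with p and q close, else None."""
    a = math.isqrt(n - 1) + 1          # ceil(sqrt(n))
    for _ in range(max_rounds):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:                # n = (a - b) * (a + b)
            return a - b, a + b
        a += 1
    return None

def keygen_independent(bits):
    """Draw p and q independently; require |p - q| > 2**(bits/2 - 100)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if abs(p - q) > (1 << max(bits // 2 - 100, 0)):
            return p, q
```

A modulus that `close_prime_factors` splits should be treated as compromised and the key pair regenerated.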
2. [20 Marks] Write a simple personal password management application with python. Use the
provided Virtual Machine for Lab exercises to test your code, as it comes with the pyca library
installed. The application must have the following command line options (you can use argparse):
    -add followed by a name to add a password under the given name
    -show followed by a name to show a previously added password under the given name on
     standard output (without newline)
    -update followed by a name to update a previously added password under the given name
The name provided with the -add option must be used as the name of the file that will contain the
encrypted password. You must use the RSA public key algorithm to encrypt the passwords. Generate a
self-signed X.509 certificate using the openssl tool, where the private key file is password protected.
For simplicity, hard code the default location for the certificate and private key files, as well as the
encrypted password files, to be the ~/.mypass directory (use os.path.expanduser('~/.mypass/') to
make the path absolute). You must use OAEP for padding. OAEP requires a hash function for
the padding; use SHA1 for this to be compatible with the openssl tool.
To have a starting point, complete the following code:
#!/usr/bin/env python3
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
import getpass
import argparse
import os

def read_pubkey():
    pass

def read_prvkey():
    pass

def do_add(pubkey, file, pass_to_store):
    pass

def do_show(prvkey, file):
    pass

def do_update(pubkey, file, pass_to_store):
    pass

def main():
    pass

if __name__ == '__main__':
    main()
Note:
- You will only receive marks if your code functions correctly.
- Do not include the code in the report. Instead briefly explain the overall logic of the code as
  well as individual functions. The explanation will receive 25% of the task’s marks and the
  remaining 75% will be awarded to a correctly implemented code.
- You do not need to submit your generated certificate as the code must work with any X.509
  certificate.
- Name the file mypass_SID.py and submit via moodle. Replace SID with your student ID.
- Incorrectly named files will incur 5 penalty marks.
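An added example (not part of the assignment's starter code) of why the OAEP hash has to match on both sides: it creates a throwaway RSA key in memory, keeps the private key as a passphrase-protected PEM, and shows that a ciphertext padded with OAEP/SHA-1 decrypts only with OAEP/SHA-1 and the right passphrase. The helper names, the 2048-bit key size and the sample values are assumptions made for illustration.

```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def oaep(hash_alg):
    """OAEP padding using the same hash for MGF1 and for the label digest."""
    return padding.OAEP(mgf=padding.MGF1(algorithm=hash_alg),
                        algorithm=hash_alg, label=None)

def make_protected_key(passphrase):
    """Return (public_key, PEM bytes of the passphrase-encrypted private key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048,
                                   backend=default_backend())
    pem = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase))
    return key.public_key(), pem

def decrypt(pem, passphrase, ciphertext, hash_alg):
    """Unlock the private key with the passphrase, then strip the OAEP padding."""
    key = serialization.load_pem_private_key(pem, password=passphrase,
                                             backend=default_backend())
    return key.decrypt(ciphertext, oaep(hash_alg))

def demo():
    """Return (round trip ok, hash mismatch rejected, wrong passphrase rejected)."""
    passphrase = b"constructed-passphrase"    # constructed sample value
    secret = b"constructed-sample-password"   # constructed sample value
    pub, pem = make_protected_key(passphrase)
    ct = pub.encrypt(secret, oaep(hashes.SHA1()))
    round_trip = decrypt(pem, passphrase, ct, hashes.SHA1()) == secret
    try:
        decrypt(pem, passphrase, ct, hashes.SHA256())
        mismatch_rejected = False
    except ValueError:                        # padding check fails
        mismatch_rejected = True
    try:
        decrypt(pem, b"wrong-passphrase", ct, hashes.SHA1())
        wrong_pass_rejected = False
    except ValueError:                        # key cannot be unlocked
        wrong_pass_rejected = True
    return round_trip, mismatch_rejected, wrong_pass_rejected
```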
3. [20 Marks] You need John the Ripper tool for this task which is installed on the prepared
Virtual Machine for Lab exercises. For each of the following tasks, write down the steps,
commands, and the rationale behind the steps in the report.
(a) Use the tool to generate a new password list file using the jtr rules (the password list
supplied with the tool is stored in /usr/share/john/password.lst).
(b) Use the password list generated in the previous step and write a python program to perform a
dictionary attack on an SSH server. Do not include the code in the report but rather discuss
its logic.
(c) The user must be able to stop the execution.
(d) The tool must have the following command line arguments:
    -u to specify the username (required);
    -p to specify the password list file (required);
    -host to specify the target host (required);
    -port to specify the SSH service port number (optional, if not specified must default to 22).
(e) Discuss how a dictionary attack on a local password file differs from an attack over the network
(e.g. SSH) in terms of the time and other difficulties (from the attacker’s point of view).
(f) Describe at least three settings to protect SSH against dictionary attacks.
Notes:
- Use the paramiko library for python that provides the SSH protocol capability for python
  programs. You can test your code to ssh to localhost. You may need to change some
  default settings of the ssh service to accelerate your dictionary attack (make the service less
  secure to test your attack). Discuss any changes you make to the configuration of the ssh service
  (/etc/sshd_config).
- The points discussed in the report receive 25% of the task mark and a correctly
  implemented code the remaining 75%.
- Name the file jtrssh_SID.py and submit via moodle. Replace SID with your student ID.
- Incorrectly named files will incur 5 penalty marks.
4. [40 Marks] For this task you will be using the Core Network Emulator. The required file is
available on moodle under the "My Assessment" section, named "assignment_core_config.imn". This
file is readable by the Core Network Emulator. You must complete the
following tasks:
(a) Configure a VPN tunnel between the branch office gateway and head office gateway of talos.com,
named phoenix and griffin respectively. You must use the strongswan service, which wraps the
IKE and IPSec configuration in one package. This service is available under the Extension
section of the configuration feature of the layer 3 nodes (i.e. routers, servers, etc.). Your
configuration must satisfy the following requirements:
- The VPN must provide confidentiality and must be in tunnel mode.
- You must use public key certificates (self-signed) for authentication of IPSec endpoints.
- You must use Fully Qualified Domain Names (FQDN) for end point identities (the DNS
  records are already defined as phoenix.talos.com and griffin.talos.com).
- The clients on either side must be able to access the servers on the other side through
  the VPN tunnel (e.g. client1Syd and clio, client1Mel and calliope).
- You must choose security parameters according to today’s security requirements.
(b) Configure the firewall service on griffin using iptables to satisfy the following
requirements:
- Allow servers in the DMZ to be accessed from any machine anywhere, but the access must be
  limited to the service provided by the server.
- The internal servers clio (providing web service) and thalia (providing FTP service)
  must only be accessible from local clients directly and from branch office through VPN.
- The internal clients and servers must be able to initiate connections to the external network,
  however no external machine should be able to initiate a connection to internal clients
  and servers.
- The gateway griffin must respond to ICMP protocol messages if coming from the
  trusted sources (local clients, DMZ, internal servers, branch office gateway phoenix).
- The gateway griffin must be able to communicate with the DNS server to resolve domain
  name queries and must be able to communicate with phoenix for VPN traffic.
- No other traffic must be allowed and this must be set as the default policy.
(c) Configure the firewall service on phoenix using iptables to satisfy the following
requirements:
- The internal server calliope (providing web service) must only be accessible from local
  clients directly and from branch office through VPN.
- The internal clients and servers must be able to initiate connection to external network
  however no external machine should be able to initiate a connection to internal clients
  and servers.
- The gateway phoenix must respond to ICMP protocol messages if coming from the
  trusted sources (local clients, internal servers, branch office gateway phoenix)
- The gateway phoenix must be able to communicate with DNS server to resolve domain
  name queries and must be able to communicate with griffin for VPN traffic.
- No other traffic must be allowed and this must be set as the default policy.
Briefly explain the security of your configuration and your choices of parameters and rules.
Notes:
- Your configuration will be tested when marked by teaching staff and you will receive marks
  for correct functionality according to aforementioned requirements. Make sure that all
  required configuration elements are included in the submission file.
- Make sure that you use the provided interface by core GUI to add your changes and save
  when finalised. If you close the core GUI interface without saving the changes you will lose
  all the changes as there is no auto-save setting.
- You do not need to include any screen shots or explain the configurations line by line. It
  suffices to explain the logic of configuration related to security parameters or best practices.
- The provided explanation in the report will receive 25% of the task marks and the remaining
  75% will be awarded to correct configuration.
- Name the final configuration file core_SID.imn and submit via moodle. Replace SID with
  your student ID.
- Incorrectly named files will incur 5 penalty marks.