Information and Network Security Assignment Writing | Information and Network Security FIT3031

Submission Guidelines

Deadline: Assignment is due on Friday 25th January 2019, 11:55 PM.

Submission Files:

1. A report in PDF file format. In most text editors you can use the "Save as PDF" option, or use a free converter to convert your file to PDF.

2. A Python file for password management.

3. A Python file for dictionary attack on SSH.

4. An imn file containing the configuration for Core Network Emulator.

Notes:

1. Do not submit a compression of multiple files. Such submissions may risk losing partial or complete assignment marks.

2. A handwritten document is not acceptable and will not be marked even if converted and submitted electronically.

Submission Platform: Electronic submission via Moodle.

Filename Format: Name your files for different assignment tasks as follows,

1. report SID.pdf

2. mypass SID.py

3. jtrssh SID.py

4. core SID.imn

where SID is your Student ID.

Note: You must strictly follow the provided file name format or penalties will apply.

  • Python Code Version: The Python code must be written in version 3.
  • Late Submission Policy: Submit a special consideration form (available on Moodle) to formally request a late submission.
  • Late Submission Penalty: A late submitted assignment without prior approval will receive a late penalty of 20% deduction per day (including Saturday and Sunday) or part thereof, after the due date and time.
  • Plagiarism: It is an academic requirement that your submitted work be original. Zero marks will be awarded for the whole submission if there is any evidence of copying, collaboration, pasting from websites, or copying from textbooks. Note: Plagiarism policy applies to all assessments.
  • IT Use Policy: Your submission must comply with Monash University’s IT Use Policy.

Marks

  • This assignment is worth 20% of the total unit marks.
  • The assignment is marked out of 100 nominal marks.
  • For example, if you obtain 60 marks for this assignment, it will contribute (60/100) × 20 = 12 marks to your final unit grade.

1. [20 Marks] Joe is using the following algorithm to generate RSA keys.

    import gmpy2 as gmp
    from gmpy2 import mpz

    def rsa_keygen(N):
        '''To generate RSA key pair of size N bits'''
        UB = 2**(N // 2) - 1
        LB = 2**((N // 2) - 1)
        status = True

        p = rand_n(LB, UB)
        p = gmp.next_prime(p)
        q = gmp.next_prime(p)

        e = mpz(65537)
        n = mpz(p * q)
        phi_n = mpz((p - 1) * (q - 1))
        if gmp.gcd(e, phi_n) == 1:
            d = gmp.invert(e, phi_n)
        else:
            status = False
            d = -1

        return

Since you have done the Information and Network Security subject in your undergraduate degree, the CIO of the company where you are currently employed asks you to analyse the security of Joe's algorithm. To assist you in this task, Joe has provided a sample public key generated using his method and an encrypted message. You can download these values from Moodle under the "My Assessment" section named "Download Individual Sample of Public Key and Ciphertext". If you find Joe's algorithm to be secure, then you must justify it by explaining the difficulty of recovering the plaintext from the ciphertext and the knowledge of the public key. If you find Joe's algorithm to be vulnerable, then you must first explain how you can recover the plaintext from the ciphertext and the provided public key. You must then include the recovered plaintext in your report.

If you are able to factor the modulus as well then you must include the factors (p and q) as well as the private exponent d.

Note: The rand_n() function generates a random mpz number between lower and upper bounds. You can assume that this function is secure; in other words, the security of this function is not the focus of this task. You can implement the rand_n() function if you wish to run the given code; however, that is not required to be able to answer this question.
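Added example, not part of the assignment hand-out: in rsa_keygen above, q is the prime immediately after p, and a modulus whose two primes are that close together is factored by Fermat's method in the first step. The check below flags such moduli so a key audit can reject them (FIPS 186-4 requires |p − q| > 2^(nlen/2 − 100) for this reason). The function names, the toy moduli and the step limit are assumptions of this example.

```python
from math import isqrt

def fermat_factor(n, max_steps=1000):
    """Return (p, q) if n = p*q with p and q close together, else None.

    Fermat's method: walk a upward from ceil(sqrt(n)) until a*a - n is a
    perfect square b*b; then n = (a - b) * (a + b).
    """
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None

def private_exponent(p, q, e=65537):
    """Rebuild d from the two factors, the same way key generation does."""
    return pow(e, -1, (p - 1) * (q - 1))

def has_close_primes(n):
    """Audit check: True means the modulus must be rejected."""
    return fermat_factor(n) is not None

# Constructed sample moduli (toy sizes, not the assignment's key).
CLOSE_N = 1000003 * 1000033        # two consecutive primes, like next_prime(p)
FAR_N = (2**31 - 1) * (2**61 - 1)  # control: prime factors far apart

if __name__ == "__main__":
    p, q = fermat_factor(CLOSE_N)
    d = private_exponent(p, q)
    c = pow(42, 65537, CLOSE_N)    # encrypt a toy message under the public key
    print(p, q, pow(c, d, CLOSE_N))
    print(has_close_primes(FAR_N))
```

The gap between consecutive primes near p is on the order of ln(p), which is negligible next to sqrt(n), so the size of N in rsa_keygen does not change the outcome of the check.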

2. [20 Marks] Write a simple personal password management application in Python. Use the provided Virtual Machine for Lab exercises to test your code, as it comes with the pyca library installed. The application must have the following command line options (you can use argparse):

• -add followed by a name to add a password under the given name

• -show followed by a name to show a previously added password under the given name on standard output (without newline)

• -update followed by a name to update a previously added password under the given name

The name provided with the -add option must be used as the file name that will contain the encrypted password. You must use the RSA public key algorithm to encrypt the passwords. Generate a self-signed X.509 certificate using the openssl tool, where the private key file is password protected. For simplicity, hard code the default location for the certificate and private key files, as well as the encrypted password files, as the ~/.mypass directory (use os.path.expanduser('~/.mypass/') to make the path absolute). You must use OAEP for padding. OAEP requires a hash function for the padding; use SHA1 to be compatible with the openssl tool.

To have a starting point, complete the following code:

    #!/usr/bin/env python3
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    import getpass
    import argparse
    import os

    def read_pubkey():
        pass

    def read_prvkey():
        pass

    def do_add(pubkey, file, pass_to_store):
        pass

    def do_show(prvkey, file):
        pass

    def do_update(pubkey, file, pass_to_store):
        pass

    def main():
        pass

    if __name__ == '__main__':
        main()

• You will only receive marks if your code functions correctly.

• Do not include the code in the report. Instead briefly explain the overall logic of the code as well as individual functions. The explanation will receive 25% of the task’s marks and the remaining 75% will be awarded to a correctly implemented code.

• You do not need to submit your generated certificate as the code must work with any X.509 certificate.

• Name the file mypass SID.py and submit via Moodle. Replace SID with your student ID.

• Incorrectly named files will incur 5 penalty marks.
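Added example, not part of the hand-out and not a completion of the skeleton above: an in-memory round trip showing the two cryptographic pieces the task relies on, a passphrase-protected private key and RSA encryption with OAEP using SHA1 for both the hash and MGF1. It assumes a recent release of the cryptography package (where the backend argument is optional), generates its own key instead of reading a certificate, and all function names and sample values are this example's own.

```python
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP with SHA-1 for both the label hash and MGF1, as the task specifies.
OAEP_SHA1 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA1()),
    algorithm=hashes.SHA1(),
    label=None,
)

def make_protected_key(passphrase: bytes) -> bytes:
    """Generate an RSA key and return it as passphrase-encrypted PEM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )

def load_key(pem: bytes, passphrase: bytes):
    """Load the private key; a wrong passphrase raises ValueError."""
    return serialization.load_pem_private_key(pem, password=passphrase)

def seal(public_key, secret: bytes) -> bytes:
    """Encrypt one password; OAEP is randomized, so output differs per call."""
    return public_key.encrypt(secret, OAEP_SHA1)

def unseal(private_key, blob: bytes) -> bytes:
    """Decrypt a stored password blob with the same OAEP parameters."""
    return private_key.decrypt(blob, OAEP_SHA1)

def max_secret_len(public_key) -> int:
    """Longest plaintext OAEP accepts: k - 2*hLen - 2 bytes."""
    return public_key.key_size // 8 - 2 * hashes.SHA1().digest_size - 2

if __name__ == "__main__":
    pem = make_protected_key(b"constructed-passphrase")  # constructed sample
    key = load_key(pem, b"constructed-passphrase")
    blob = seal(key.public_key(), b"hunter2")
    print(len(blob), unseal(key, blob), max_secret_len(key.public_key()))
```

In the application itself the public key would come from the X.509 certificate rather than from the private key object, and the length limit matters because a password longer than max_secret_len() makes encrypt() raise instead of truncating.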

3. [20 Marks] You need the John the Ripper tool for this task, which is installed on the prepared Virtual Machine for Lab exercises. For each of the following tasks, write down the steps, commands, and the rationale behind the steps in the report.

(a) Use the tool to generate a new password list file using the jtr rules (the password list supplied with the tool is stored in /usr/share/john/password.lst).

(b) Use the password list generated in the previous step and write a Python program to perform a dictionary attack on an SSH server. Do not include the code in the report but rather discuss its logic.

(c) The user must be able to stop the execution.

(d) The tool must have the following command line arguments

• -u to specify the username (required);

• -p to specify the password list file (required);

• -host to specify the target host (required);

• -port to specify the SSH service port number (optional, if not specified must default to 22).

(e) Discuss how dictionary attack on a local password file differs from an attack over the network (e.g. SSH) in terms of the time and other difficulties (from attacker’s point of view).

(f) Describe at least three settings to protect SSH against dictionary attacks.

Notes:

• Use the paramiko library for Python, which provides the SSH protocol capability for Python programs. You can test your code by connecting over SSH to localhost. You may need to change some default settings of the ssh service to accelerate your dictionary attack (make the service less secure to test your attack). Discuss any changes you make to the configuration of the ssh service (/etc/sshd_config).

• The points discussed in the report receive 25% of the task mark and a correctly implemented code the remaining 75%.

• Name the file jtrssh SID.py and submit via Moodle. Replace SID with your student ID.

• Incorrectly named files will incur 5 penalty marks.
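Added example, not part of the hand-out: a small audit of sshd_config text that reports settings which make online password guessing easier, which is useful for confirming that a service loosened for lab testing has been restored afterwards. The sample configurations are constructed, the function names are this example's own, and the MaxAuthTries threshold is a choice made here; the defaults are those of upstream OpenSSH.

```python
# Constructed sample: a config loosened for lab testing (not from the page).
LAB_CONFIG = """\
# lab box
Port 22
PasswordAuthentication yes
MaxAuthTries 100
PermitRootLogin yes
maxauthtries 3
"""
HARDENED_CONFIG = "PasswordAuthentication no\nMaxAuthTries 3\nPermitRootLogin no\n"

# Upstream OpenSSH defaults, used when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes", "maxauthtries": "6",
            "permitrootlogin": "prohibit-password"}

def effective_settings(text):
    """Global settings as sshd reads them: the first value per keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional Match blocks are out of scope for this check
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**DEFAULTS, **seen}

def audit(text):
    """Return the keywords whose effective value eases password guessing."""
    cfg = effective_settings(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication")
    if int(cfg["maxauthtries"]) > 6:  # threshold chosen for this example
        findings.append("MaxAuthTries")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin")
    return findings

if __name__ == "__main__":
    print(audit(LAB_CONFIG))
    print(audit(HARDENED_CONFIG))
```

The lab sample also shows a common mistake: the later "maxauthtries 3" line has no effect, because sshd keeps the first value it reads for each keyword.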

4. [40 Marks] For this task you will be using the Core Network Emulator. The required file is available on Moodle under the "My Assessment" section named "assignment core config.imn". The aforementioned file will be readable by the Core Network Emulator. You must complete the following tasks:

(a) VPN tunnel between the branch office gateway and head office gateway of talos.com named phoenix and griffin respectively. You must use the strongswan service that wraps the IKE and IPSec configuration in one package. This service is available under the Extension section of the configuration feature of the layer 3 nodes (i.e. routers, servers, etc.). Your configuration must satisfy the following requirements:

• The VPN must provide confidentiality and must be in tunnel mode.

• You must use public key certificates (self-signed) for authentication of IPSec endpoints.

• You must use Fully Qualified Domain Name (FQDN) for end point identities (the DNS records are already defined as phoenix.talos.com and griffin.talos.com)

• The clients on either side must be able to access the servers on the other side through the VPN tunnel (e.g. client1Syd and clio, client1Mel and calliope)

• You must choose security parameters according to today’s security requirements.

(b) Configure the firewall service on griffin using iptables to satisfy the following requirements:

• Allow servers in DMZ to be accessed from any machine anywhere but the access must be limited to the service provided by the server.

• The internal servers clio (providing web service) and thalia (providing FTP service) must only be accessible from local clients directly and from branch office through VPN.

• The internal clients and servers must be able to initiate connection to external network however no external machine should be able to initiate a connection to internal clients and servers.

• The gateway griffin must respond to ICMP protocol messages if coming from the trusted sources (local clients, DMZ, internal servers, branch office gateway phoenix)

• The gateway griffin must be able to communicate with DNS server to resolve domain name queries and must be able to communicate with phoenix for VPN traffic.

• No other traffic must be allowed and this must be set as the default policy.

(c) Configure the firewall service on phoenix using iptables to satisfy the following requirements:

• The internal server calliope (providing web service) must only be accessible from local clients directly and from branch office through VPN.

• The internal clients and servers must be able to initiate connection to external network however no external machine should be able to initiate a connection to internal clients and servers.

• The gateway phoenix must respond to ICMP protocol messages if coming from the trusted sources (local clients, internal servers, branch office gateway phoenix)

• The gateway phoenix must be able to communicate with DNS server to resolve domain name queries and must be able to communicate with griffin for VPN traffic.

• No other traffic must be allowed and this must be set as the default policy.

Briefly explain the security of your configuration and your choices of parameters and rules.

Notes:

• Your configuration will be tested when marked by teaching staff and you will receive marks for correct functionality according to aforementioned requirements. Make sure that all required configuration elements are included in the submission file.

• Make sure that you use the provided interface by core GUI to add your changes and save when finalised. If you close the core GUI interface without saving the changes you will lose all the changes as there is no auto-save setting.

• You do not need to include any screen shots or explain the configurations line by line. It suffices to explain the logic of configuration related to security parameters or best practices.

• The provided explanation in the report will receive 25% of the task marks and the remaining 75% will be awarded to correct configuration.

• Name the final configuration file core SID.imn and submit via Moodle. Replace SID with your student ID.

• Incorrectly named files will incur 5 penalty marks.