The Hash Kit

Technical Document
DSS-14-S1-12

Project Members (SS14/1C) Ian Chua Zhi Ying Ng Yuet Yong Ong Wei Liang Eugene Sim Aik Chun Weng Xian 4442416 4235320 4235289 4234716 4443822 zyichua001@mymail.sim.edu.sg yyng011@mymail.sim.edu.sg wleong004@mymail.sim.edu.sg acsim001@mymail.sim.edu.sg xweng004@mymail.sim.edu.sg

Contents
The Hash Kit .................................................................................................................................... 1 Introduction .................................................................................................................................... 4 Purpose........................................................................................................................................ 4 Scope ........................................................................................................................................... 4 Software development methodology ......................................................................................... 5 Rational unified Process (RUP) ................................................................................................ 5 Four phases of RUP .................................................................................................................. 5 Why Rational Unified Process (RUP)? ..................................................................................... 6 Project Summary............................................................................................................................. 7 Overview ..................................................................................................................................... 7 User Characteristics..................................................................................................................... 7 Risk Analysis ................................................................................................................................ 8 Risk Management and Countermeasure .................................................................................... 8 Constraints .................................................................................................................................. 9 Implementation constraints .................................................................................................... 9 Physical constraints ................................................................................................................. 9 Security features ....................................................................................................................... 10 Use Case Diagrams ........................................................................................................................ 11 Administrator ............................................................................................................................ 11 User ........................................................................................................................................... 11 Sequence Diagram (Admin) .......................................................................................................... 12 Create ........................................................................................................................................ 12 Delete ........................................................................................................................................ 13 Read ........................................................................................................................................... 13 Update ....................................................................................................................................... 14 Sequence Diagram (Users) ............................................................................................................ 15 Login .......................................................................................................................................... 15 View ........................................................................................................................................... 16 Save ........................................................................................................................................... 16 2

Start test with email option ...................................................................................................... 17 Start test without email option ................................................................................................. 18 Activity Diagram (Admin) .............................................................................................................. 19 Create ........................................................................................................................................ 19 Delete ........................................................................................................................................ 20 Update ....................................................................................................................................... 21 Read ........................................................................................................................................... 22 Activity Diagram (Users) ............................................................................................................... 23 Login .......................................................................................................................................... 23 Basic Hashing ............................................................................................................................. 23 Compute and Compare ............................................................................................................. 24 Update Information................................................................................................................... 25 View Result ................................................................................................................................ 25 Database Diagram ......................................................................................................................... 26 Class diagram ................................................................................................................................ 27 Functional Requirements Summary ............................................................................................. 28 User Functional Requirements.................................................................................................. 28 Administrator Functional Requirements................................................................................... 28 System Functional Requirements ............................................................................................. 29 User Functional Requirements Description .............................................................................. 30 Administrator Functional Requirements Description ............................................................... 32 System Functional Requirements Description .......................................................................... 33 Non-Functional Requirements Summary ..................................................................................... 35 Non-Functional Requirements Description............................................................................... 36 Test Plan ........................................................................................................................................ 37 Description of test for each feature .......................................................................................... 38 Glossary ......................................................................................................................................... 41

Introduction
Purpose
This document provides a detailed description of all the functions and specifications listed in the Hash Kit. This System Requirements Specification also describes all the nonfunctional requirements and other necessary factors for the Hash Kit.

Scope
Our scope of this project is to provide users with an online hash kit application to do analysis of hash functions. This application is to generate informative properties such as collision rates, pre-image and second preimage attack resistance. Not only does the application analyse hash functions, the user will receive an email once the computation results have been processed and the server will immediately send it to their email addresses. Hence, the user does not need to wait for the computation results and the job will be queued. The whole idea was to make it useable everywhere, no installers required, easy to use. As for the rest of the portion, it is separated into five major sections (introduction, project overview, functional requirements, non-functional requirements and glossary). The project overview will give readers a general outline of the entire project; the functional requirements/non-functional requirements provide informative processes.

Software development methodology

Rational unified Process (RUP) A comprehensive process framework provides industry-tested practices for software and systems delivery and implementation and for effective project management. It promotes iterative development of software and systems into four phases, each consisting of one or more executable iterations of the software at the stage of development. Four phases of RUP Inception - to scope the system adequately as a basis for validating initial costing and budgets -Purpose and scope of our project -Identify target audience -Identify constraints -Initial risk assessment -Identify software architecture -Identity core functionality of project and main use-case scenarios -Deciding the role of members -Test plan Elaboration - to mitigate the key risk items identified by analysis up to the end of this phase -Finalize functional requirements and non-functional requirements -System diagrams (Use case, sequence diagrams and etc.) -Revised risk list -Prototype -User manual

Construction - to build the software system -Coding and unit testing -integration and system test
Introduction 5

Transition - to transit the system from development to production -Finalize products -Beta testing to validate system Why Rational Unified Process (RUP)? After much consideration, Rational Unified Process stands out the most, and is the most suitable for this project. It encourages concurrent workflows across the entire cycle and it mainly focuses on the scope thus the group will not side-track instead of using a project backlog after every iteration. It is also due to time constraint that the concurrent workflow property of RUP could help us in completing the project punctually. Rational Unified Process is also recommended for long-term projects with medium-to-high complexity instead of scrum, quick organizations that are not dependent on deadline.

Project Summary
Overview
In the summary, it gives a general outline of the project, the functional requirements and non-functional requirements, graphs which provide more inside in each process in each application and all is based on the thorough analysis and the research done on the current existing hash kit software and also to fulfil our objectives in our proposal. Program structure

User Characteristics
Web Administrator: the person responsible for the operations of the website which includes the web servers, hardware and software, the design of the website and generation/revisioning and examining the traffic. Registered User: the non-registered users must register and sign in the website before able to use the hash kit tools. Users are also required to have internet access throughout the computation of the result or opted for email to be send to their email addresses.

Project Summary 7

Risk Analysis
At this stage, the risk analysis is required to prevent the hindrance or unforeseen problems at a later stage of software development. Here are some potential risks which we might face: Malicious attacks such as DDOS (distributed denial of services), cross script attacks, SQL injection and etc. Security measures such as a proper user authentication and/or end-to-end point protection which can be a problem to implement in the website. Server overload can occur due to heavy traffic from malicious attacks or users use the applications at the same time Database corruption can affect the usage of the website due to the power failure or hardware failure of the server may lead to corruption.

Risk Management and Countermeasure

Risk Management is to identify, control, and minimize the impact of uncertain events, and the objectives are to reduce and control the risks. What we are identified so far from the analysis might be resolved with the countermeasures below: Malicious attacks can be mitigated by implementing good security features such as framework security features. As for server side, the database will be protected by the framework by salting and other features and a proper firewall should be added. If the user finds out that their account is be misused, the user can reset the password with the help of the users email and SSL certificates protection for end -to-end protection Server overload could not be prevented unless the server can have more bandwidth and resources to accommodate to more users at the same time and request the administrator/moderators to resolve issues such DDOS (distributed denial of services) and errors.

Project Summary 8

In order to reduce the chances of database corruption on the server side, a regular backup of database should be done so that the database can reverted back to previous state.

Constraints
Implementation constraints Implementation of an online hashkit requires us to handle web languages (PHP, JavaScript). Limited knowledge of web languages (e.g. PHP, JavaScript) propels us to make full use of web development framework (Cakephp). Physical constraints Limited monetary resources to purchase quality servers or web hosting services for the final implementation of our product The performance of the hash kit is limited to the capabilities of the hardware (e.g. server): Host server - The host servers CPU / resources to process the end results for all computations Storage - Server might have limited storage space for the users computation files or results. Download/upload speed (network) - Network protection is also required in case of any form of malicious attack e.g. DDOS and etc. The server might have capped speed for the administrator.

Project Summary 9

Security features
After much deliberate consideration and discussion, the team decided to use Cakephp framework for development. The framework comes with some security features which will be listed below: Form tapering and Cross-site request forgery protection The framework will check the fields in the form and if any input is deemed as an improper, it will be rejected immediately and the form submission will not accepted after a certain period of inactivity. Requiring the SSL is to be used and restricting which HTTP methods your application accepts There will be a check if the SSL is used between the user and server and if the SSL is not present, the website can limit the http requests and its capabilities. Additional Features not included in the Framework Captcha might be present to prevent bots to sign up accounts or maximize the traffic on the server end. User password checks to ensure the user using a strong password to protect against brute force or dictionary attacks

Project Summary 10

Use Case Diagrams

Administrator

User

Use Case Diagrams 11

Sequence Diagram (Admin)

Create

Sequence Diagram (Admin) 12

Delete

Read

Sequence Diagram (Admin) 13

Update

Sequence Diagram (Admin) 14

Sequence Diagram (Users)

Login

Sequence Diagram (Users) 15

View

Save

Sequence Diagram (Users) 16

Start test with email option

Sequence Diagram (Users) 17

Start test without email option

Sequence Diagram (Users) 18

Activity Diagram (Admin)

Create

Activity Diagram (Admin) 19

Delete

Activity Diagram (Admin) 20

Update

Activity Diagram (Admin) 21

Read

Activity Diagram (Admin) 22

Activity Diagram (Users)

Login

Basic Hashing

Activity Diagram (Users) 23

Compute and Compare

Activity Diagram (Users) 24

Update Information

View Result

Activity Diagram (Users) 25

Database Diagram

Database Diagram 26

Class diagram

Class diagram 27

Functional Requirements Summary

All requirements placed into three tiers of priorities (low, medium and high).

User Functional Requirements

Requirement ID UF1 UF1.1 UF1.2 UF2 UF3 UF4 UF5 Function Name Create Test Input Data Choose Algorithm View results Save results to text file Login and Logout Update profile Priority High HIgh HIgh High Medium High Low

Administrator Functional Requirements

Administrator inherits all users functions and has these additional functions Requirement ID AF1 AF2 AF3 AF4 Function Name Create User Read User Update User Delete User Priority High High High High

Functional Requirements Summary 28

System Functional Requirements

Requireme nt ID SF1 Function Name Interactive website Priority High

SF2 SF2.1 SF2.2 SF2.3 SF2.4

Algorithm computation Computation for preimage resistance Computation for 2nd pre-image resistance Computation for collision resistance Computation for Message Digest

High High High High High

SF3 SF3.1 SF3.2 SF3.3 SF3.4 SF3.5

Output Results Output pre-image resistance results Output 2nd pre-image resistance results Output collision resistance results Output Message Digest Hash function recommendations

High High High High High High

Functional Requirements Summary 29

SF4

Send notification to user email

Medium

SF5

User registration

Medium

User Functional Requirements Description

ID Description: Priority ID Description: Priority ID Description: Priority ID Description: Priority UF1: Create Test User would be able to start a new hashing analysis. High UF1.1: Input Data User can either type the plaintext or upload a file(txt/doc files) for computation High UF1.2: Choose Algorithm User is able to select different types of algorithm to do the computation High UF2: View Results User is able to view the analysis results after computation is done. High

Functional Requirements Summary 30

ID Description: Priority ID Description: Priority

UF3: Save results to text file User is able to save the analysis results to a text file Medium UF4: Login and Logout User is able to identify himself with the system. Analyses done by user would be saved under his/her profile. High

ID Description: Priority

UF5: Update profile User is able to updates his account profile details Low

Functional Requirements Summary 31

Administrator Functional Requirements Description

ID Description: Priority ID Description: Priority ID Description: Priority ID Description: Priority AF1: Create User Admin is able to create new user High AF2: Read User Admin is able to view any registered user account details and status High AF3: Update User Admin is able to update any registered user account details and status High AF4: Delete User Admin is able to delete any registered user High

Functional Requirements Summary 32

System Functional Requirements Description

ID Description: Priority ID Description: Priority ID Description: Priority ID Description: Priority ID Description: Priority SF1: Interactive website Making use of drop-down menus and pop up help tips to guide users along in the application. High SF2.1: Computation for pre-image resistance Application is able to compute the pre-image resistance results from the data given by user. High SF2.2: Computation for 2nd pre-image resistance Application is able to compute the 2nd pre-image resistance results from the data given by user. High SF2.3: Computation for collision resistance Application is able to compute the collision resistance results from the data given by user. High SF2.4: Computation for Message Digest Application is able to compute the message digest from the plaintext given by user. High
Functional Requirements Summary 33

ID Description: Priority

SF3.1: Output pre-image resistance results Application is able to output the pre-image resistance results to the user High

ID Description: Priority ID Description: Priority ID Description: Priority ID Description: Priority ID

SF3.2: Output 2nd pre-image resistance results Application is able to output the 2nd pre-image resistance results to the user High SF3.3: Output collision resistance results Application is able to output the collision resistance results to the user High SF3.4: Output Message Digest Application is able to output the hash function results to the user High SF3.5: Hash function recommendations Application is able to compare between different analysis results and recommend the suitable hash function High SF4: Send notification to user email
Functional Requirements Summary 34

Description: Priority ID Description: Priority

Application will send a notification to user email once analysis of message digest is complete Medium SF5: User registration User needs to register with the application before using it Medium

Non-Functional Requirements Summary

ID NF1 NF2 NF3 Functional Requirements Consistent GUI Multi-threading Processing Compatibility across multiple Web Browsers Priority Low High Medium

Non-Functional Requirements Summary 35

Non-Functional Requirements Description

ID: Description: NF1: Consistent GUI Website would have a fixed top navigation bar. This is to ensure consistent navigation throughout the site regardless where the user is currently at. Low NF2: Multi-threading Processing Algorithm would have to be able to run across many CPU cores to maximize efficiency. High NF3: Compatibility across multiple Web Browsers Website layout would have to accommodate for various Web Browsers such as Internet Explorer, and also modern browsers e.g. Google Chrome, Safari, Opera Medium

Priority ID: Description: Priority ID: Description:

Priority

36

Test Plan
Tools needed: PHPUnit.

Features are to be tested for their compatibility among browsers. Below listed the features is to be tested and description of the features: - Login/Logout - Register - Start Test - Compute and Recommend - View results - Save results to text file - Email notification - Add user - Update user - Delete user - View user - Speed test - Stress test

Test Plan 37

Description of test for each feature

- Login/Logout Pass o User must be able to login/logout to/from the website o After 3 tries users account must be locked and administrator notified Fail o If user fails 3 attempts and his account is not locked o Administrator not alerted of the account information - Register Pass o Public must be able to register an account with the website o Only unused email can be used to register with the website o All required files must be validated before creating the account Fail o If an email can be reused to create a new account o Password length/combination uncheck or fails - Start Test Pass o User must be able to run a simple test o User must be able to enter/upload plaintext/file to the website for hash computing Fail o Users uploaded file cannot be identified/ wrong file format accepted o Incorrect Message Digest returned to the user

Test Plan 38

- Compute and Recommend Pass o User must be able to run the compute and recommend test o Server must be able to return test results based on the testing criteria (speed/security) Fail o Users uploaded file cannot be identified/ wrong file format accepted o Incorrect Message Digest returned to the user - View results Pass o User must be able to view their test history and retrieve the results Fail o User cannot find/retrieve their test history - Save results to text file Pass o User must be able to save the results to a text file and download it from the server Fail o User cannot save the result as text file o Downloaded text file corrupted - Email notification Pass o User must be notified when their test are completed via Email if they selected the Email notification option Fail o User does not receive the email notification

Test Plan 39

- Add user Pass o Administrator must be able to add a new user Fail o Server allows invalid user to be created o Administrator unable the create a user even when the information create - Update user Pass o Administrator must be able to update a user Fail o Administrator unable to update a user (lock/unlock) - Delete user Pass o Administrator must be able to delete a user Fail o Administrator unable to delete a user - View user Pass o Administrator must be able to view a users profile Fail o Administrator unable to view a user - Speed test o Determine computational efficiency on different size of input. - Stress test o Push servers load handling capabilities by accepting more tasks from many users. o This would let us understand the limits of the server.
Test Plan 40

Glossary
Pre-image resistance - Describes the difficulty to compute X given the value for H(X) 2nd pre-image resistance - Describes the difficulty to find Y given value for X such that H(X) = H(Y) Collision resistance - A hash algorithm property that describe the unlikelihood to find inputs X and Y such that H(X) = H(Y) GUI (graphical user interface) - a type of user interface that allows user to interact with the electronic devices through graphical buttons Multi thread processing - a way that the system can does their processes more efficiently by creating thread to do it at simultaneously. Graphical User Interface - a type of user interface to allow interaction with the electronic devices or software Message digest - a form of representation of the encrypted message produced from cryptographic functions DDOS - Distributed denial of services, a form of malicious attack which renders the services unusable for every user and this is done on a massive scale from botnets or etc.

Glossary 41