FACULTY

OF INFORMATICS
COURSEWORK COVERSHEET

SUBJECT’S INFORMATION:
Subject: CSCI368 Network Security
Session: July 2019
Programme / Section: BCS
Lecturer: Mohamad Faizal Alias
Coursework Type q Individual Assessment
(tick appropriate box)
Coursework Title: Assessment 2 Coursework Percentage: 10%
Hand-out Date: Week 7 Received By :
(signature)
Due Date: Week 12 Received Date :
STUDENT’S INFORMATION:
Student’s Name & ID: Phartheben Selvam 6186038

Contact Number / Email: 0162341801 phartheben@gmail.com

STUDENT’S DECLARATION
By signing this, I / We declare that:
1. This assignment meets all the requirements for the subject as detailed in the relevant Subject Outline, which I/ we have
read.
2. It is my / our own work and I / we did not collaborate with or copy from others.
3. I / we have read and understand my responsibilities under the University of Wollongong’s policy on plagiarism.
4. I / we have not plagiarised from published work (including the internet). Where I have used the work from others, I / we
have referenced it in the text and provided a reference list at the end of the assignment.

I am / we are aware that late submission without an authorised extension from the subject co-ordinator may incur a penalty.
(See your subject outline for further information).

Name & Signature: Phartheben Selvam

------------" -------------------" ------------------" -------------------" --------------------" ---------------------" --
COURSEWORK SUBMISSION RECEIPT
Subject: CSCI368 Network Security Session: July 2019
Programme / Section: BCS Lecturer: Mohamad Faizal Alias
Coursework Type: q Individual Assessment
(Tick appropriate box)
Coursework Title: Assessment 2 Coursework Percentage: 10%
Hand-out Date: Week 7 Received By:
(Signature)
Due date: Week 12 Received Date:
STUDENT’S INFORMATION:
Student’s Name & ID: Phartheben Selvam 6186038

Contact Number / Email: 0162341801 phartheben@gmail.com




Assessment Criteria Total Marks Given Marks

1. Part 1: Online Quiz 3 – PKI (Must be completed within Week 7) 2

2. Part 2: Single Sign-on System (Submission by Week 12)
• Client code with all the crypto requirements: 2 marks
• Trusted Authority with all the crypto requirements: 2 marks
• Server code with all the requirements: 2 marks 8
• Report and presentation: 2 marks

Note: Part 2 – presentation on Week 12

10
Penalty

Final Mark (10 %)
Marked by: _____________________ Date: ________

Lecturer’s Comments

Penalty for late submission:
1 day – minus 20% of total mark awarded
2 days – minus 50% of total mark awarded
3 days – 0 mark for this piece of coursework

 University of Wollongong
CSCI368 NETWORK SECURITY
JULY 2019
Individual Assessment 2 (10 %)

Aims
This assignment consists of TWO parts. Part 1 consists of an Online Quiz 3 covering topic of Public Key Infrastructure. While Part 2 is a
program development for Single-Sing On Simulated System

Objectives
On completion of this assignment you should be able to:
• Understand the Public Key Infrastructure covering Key Management, Digital Certificates and Key Distribution
• Applying network programming.
• Applying Cryptographic techniques such as Key Generator, Hashing, block cipher and PKC into a Single Sign-on Simulated
system (Programming)
• Creating a complete simulated system consisting Client program, Trusted Authority program and server program for Single-
Sign On system.

Part 1 – Online Quiz 3 – PKI (2%) – Week 7

• Quiz 3 is an online quiz on Moodle which consist of 10 MCQs. You are given only 20 minutes to complete the quiz.
• The coverage for this quiz is on Chp04 – Public Key Infrastructure.
• Make sure you have done necessary reading before attempting this quiz.
• Quiz will be open for the whole Week 7.

Part 2 – Single Sign-on System (8%)

Aims
This Part 2 assignment aims to establish a basic familiarity with an authentication system with “single-sign-on” features.

Part 2 Objectives

The assignment involves the following tasks:
• Implementation of a working prototype of single-sign-on authentication system.
• Socket programming.
• Security programming including public-key certification and RSA signatures, SHA-1 hashing and Block Cipher.

On completion of this assignment you should be able to:

• Understand and apply advanced authentication systems.
• Understand and apply public-key certification and RSA signatures.
• Write security code for communications in computer networks.
• Write socket code.

Specifications
Write a C++ socket program to implement a working prototype of single-sign-on authentication system. The working program will be
using Crypto++ library and working on the physical network of computers.



Single-sign-on:

Single-sign-on is a system where a user who holds a valid identity and a valid password can access multiple networked servers via
strong authentication (i.e., using digital signatures). Intuitively, when a user logs on a computer using her password, the computer (or
client code) verifies the validity of her identity and password. If the verification is passed, a credential of the user will be generated.

With the credential, the user can then access services provided by multiple servers with a single-sign-on.
Since our single-sign-on system requires strong authentication, the problem we are facing is how to store users’ private keys. The
obvious solution is to utilise a file to store the credentials and keys.

Our single-sign-on system consists of the following components:

1. Key generator that generates RSA keys for each user.
2. Users. Each user possesses a pair of RSA keys.
3. A client program that handles user login.
4. Servers that provide services to users. All servers possess the public key of a trusted authority (T).
5. The trusted authority (T), performs the following functions:
• Generate RSA keys.
• Generate public-key certificates for users.
• Store private keys and public-key certificates for users.
• It is assumed that T holds a permanent RSA public/private key pair (e_T, d_T).

Reference diagram:

There are 3 different programs to be created:
1. Client program - C
2. Trusted Authority program - T
3. File Server program – S_i

For demo purposes:

1. Execute T with input of port number (IP can be detected by
code)
2. Execute two File Server S_1 & S_2. During execution, S_i will
ask the admin to find T (IP and port number). S_i then get T
public Key and stored locally (in a file)
3. File Servers S_1 and S_2 now open a port number for C
connection
4. Execute C, C need to connect to T for Registration or
Authentication.
5. Upon Authentication, C connected directly to any S_i
6. S_i is just a simple server program that reads a local file and
displays the file content to C.

Use on 2 computers on the same network:

Computer 1 executes C and S_2
while Computer 2 executes T and S_1





Protocol:
Suppose U_i denotes a user, C a client program, T the trusted authority program, and S_i a server program.

New User Registration:

1. U_i uses a C, with C, U_i register to the system via T by sending his/her U_i (User Name) and his/her password p_i.
2. T generates RSA key pair (e_i, d_i) for this U_i.
3. T also having its own RSA key pair of (e_T, d_T). e_T is public key of T where d_T is the private key of T.
T RSA keys are store in individual file at T named “ta_e_keystore” and “ta_d_keystore”.

4. During registration of U_i, T also generates the corresponding public-key certificate:
cert_i = Sign_d_T(U_i, e_i, timestamp_i),

where e_i denotes the public key, d_i the private key, and cert_i the corresponding public-key certificate.
Sign_d_T uses RSA scheme with T private key.

5. Then, T hide U_i private key that is d_i by encrypting it with AES of key length128 bits (16 bytes) , that is as follows:
k_i = E(p_i, d_i)

Note: user password p_i can be of any length. If the password is more than 16 characters, the program on use the first 16
characters. If shorter, the program repeat the characters to achieve 16 characters length, example password of “EARTHBOUND”
only has 10 characters, the program will repeat characters as “EARTHBOUNDEARTHB”

6. T stores (U_i, hash(p_i)), (e_i, k_i) and cert_i in a file named “users_keystore”. Arrange the user’s crypto components in this file
for easier searching. Hashing is using SHA-1.
7. T acknowledge U_i upon successful registration on C. And ask U_i to login if would like to continue or exit.

Existing user login and request for authentication

1. When an existing/registered user U_i wants to access server S_j in the system, she enters (U_i, p_i) on the client computer C.
Meanwhile on the network:
S_i executes and communicate with T to get T public key, e_T.

2. C then forwards (U_i, hash(p_i)) to T. Hashing is using SHA-1.
3. Upon receiving (U_i, hash(p_i)), T verifies their validity by searching the “users_keystore” file.
If they are valid/found, T will return (U_i, k_i) and cert_i to C.
Remember, cert_i = Sign_d_T(U_i, e_i, timestamp_i),

4. Upon receiving (U_i, k_i) and cert_i, C asks U_i which Server (S_i) he/she would like to access and then sends a request to S_j on
behalf of U_i.
At the same time, C Decrypt k_i by:
d_i = D(p_i, k_i) ; this is AES decryption using p_i. Note: Again, AES decryption here is similar to Encryption above
(Registration protocol).

5. Selection of which server the U_i would like to connect will make the S_i generates a nonce N and returns it to C.
6. Upon receiving the challenge N from S_i, C computes an RSA signature with U_i’s signing key d_i (d_i produced in step 4 above).
The RSA signature is: Sign_i = RSA_ d_i(U_i, N).

7. Then, C sends Sign_i and cert_i to a server S_j.
8. Upon receiving Sign_i and cert_i, S_j checks the validity of the cert_i and Sign_i with the corresponding public keys.
cert_i = Sign_d_T(U_i, e_i, timestamp_i) is decrypted with e_T (public key of T) and U_i, e_i and timestamp_i is known.
Sign_i = RSA_ d_i(U_i, N) is decrypted with e_i (public key of U_i) and U_i and N is known.
Verification happen when:
Both U_i from cert_i and Sign_i is similar and N from Sign_i is simlar to N generated by S_i on step 5 above.
9. If they are valid, the service is then granted. Otherwise, return an error message.

A Sample Run for your guide:

We take two servers as an example.
(1) Start T (T has IP and open a Port_number)
(2) Start S_1 and S_2 (we use only two servers)

$ S_1 (Has IP_number and open Port_number)

$ S_2 (Has IP_number and open Port_number)

Note: Here, $ is the prompt.
In the back group S_1 and S_2 contacted T to get T public key. And both S_1 and S_2 store T public key in a file locally.

(3) Execute C. It outputs the following options:
1. New User
2. Existing User
3. Exit

If 1 is entered, it then outputs a prompt:

Username:
Password:
After entered by the user, it is passed to T, which in turn generates a RSA key pair along with the associated certificate, and the value
of k_i.

If 2 is entered, it outputs the prompt:
Username: Alice
Password:
where “Password” appears after Username (say, Alice) is entered. The entered username and hash of password are sent to T.

T in turn checks their validity. If they are valid, (k_i, cert_i) is sent to C. C then computes Sign_i and outputs a prompt:
Connect to S_1 or S_2 (or Exit)
%
Where % denotes a prompt.
One of S_1, S_2 and Exit can be entered.

If S_1 is entered, (Sign_i, cert_i) is then sent to S_1 (similar for S_2). S_1 checks the validity of cert_i and Sign_i, if they are valid it
returns the following message to the screen of C:
Connected to S_1
%
Otherwise, it outputs an error message.

Following the prompt %, there are only two options:
Option 1 allows the user Alice to read a short text file stored in S_1:
% Read file1.txt
It should be “Read file2.txt”, if S_2 was selected.

Option 2 allows Alice to exit:
% Exit
% Connect to S_1 or S_2 (or Exit)
% Exit
1. New User
2. Existing User
3. Exit
% 3

Following the first Exit, C goes back to the original prompt.
The second Exit makes U_i quit the system and the original prompt returns. The third Exit quits the client.

Files to be submitted:
• All source code (C, T and S) in separated folders
• readme (text file) containing user accounts and password created during testing
• Executable EXE files of C, T and S if running on Windows
• A report in pdf format.

Report Contents:

1. Cover page, Introduction, TOC
2. Each C, T and S program segments with explanation, screen captures of the execution and other remarks
3. User Registration steps – screen captures and explanation
4. User Accessing servers – screen captures and explanation.
5. Contents of crypto components files (i.e. “users_keystore” etc.)

Generate a zip file named <yourname><assign2>.zip that includes all the above files to be submitted. Put your name and student
number in all source codes.

Submission
This assignment should be submitted electronically via the assignment submission link on Moodle:
Comments in code files should be concise. A header should give your information (including name, student ID) and briefly summarize
the contents of the file - identifying purpose of program, listing classes etc.
Classes may have brief header comments if these are considered necessary.
Individual functions should only require comment if they are complicated or result in non-obvious side effects etc.


The code that does not compile or/and failure of client/server connection will receive a zero.
Note: A presentation slots will be prepared for you to show case your Single Sign-on system during Week 12. Date/time will be
announced later and will consider your FYP schedule.

Late Submission:
Penalty is 25% deduction per day.

Plagiarism
A plagiarised assignment will receive a zero mark and be penalised according to the university rules. Plagiarism detection software
will be used.