FIT3031 walkthrough and tutoring for international students: Information and Network Security Assignment Summer



FIT3031: Information and Network Security Assignment Summer B Semester 2019

Submission Guidelines

Deadline: Assignment is due on Friday 25th January 2019, 11:55 PM.

Submission Files:

1. A report in PDF file format. In most text editors you can use the "Save as PDF" option, or use a free converter to convert your file to PDF.

2. A python file for password management.

3. A python file for dictionary attack on SSH.

4. An imn file containing the configuration for Core Network Emulator.

Notes:

1. Do not submit a compression of multiple files. Such submissions may risk losing partial or complete assignment marks.

2. A handwritten document is not acceptable and will not be marked even if converted and submitted electronically.

Submission Platform: Electronic submission via Moodle.

Filename Format: Name your files for different assignment tasks as follows,

1. report_SID.pdf

2. mypass_SID.py

3. jtrssh_SID.py

4. core_SID.imn

where SID is your Student ID.

Note: You must strictly follow the provided file name format or penalties will apply.

Python Code Version: The python code must be written in version 3.

Late Submission Policy: Submit a special consideration form (available on Moodle) to formally request a late submission.

Late Submission Penalty: A late submitted assignment without prior approval will receive a late penalty of 20% deduction per day (including Saturday and Sunday) or part thereof, after the due date and time.

Plagiarism: It is an academic requirement that your submitted work be original. Zero marks will be awarded for the whole submission if there is any evidence of copying, collaboration, pasting from websites, or copying from textbooks.

Note: Plagiarism policy applies to all assessments.

IT Use Policy: Your submission must comply with Monash University’s IT Use Policy.

Marks

This assignment is worth 20% of the total unit marks.

The assignment is marked out of 100 nominal marks.

For example, if you obtain 60 marks for this assignment, it will contribute (60 / 100) × 20 = 12 marks to your final unit grade.


1. [20 Marks] Joe is using the following algorithm to generate RSA keys.

    import gmpy2 as gmp
    from gmpy2 import mpz

    def rsa_keygen(N):
        '''To generate RSA key pair
        of size N bits'''
        # Bounds for an (N // 2)-bit prime candidate
        UB = 2**(N // 2) - 1
        LB = 2**((N // 2) - 1)
        status = True
        # rand_n() is not defined here; see the note below the task
        p = rand_n(LB, UB)
        p = gmp.next_prime(p)
        q = gmp.next_prime(p)
        e = mpz(65537)
        n = mpz(p * q)
        phi_n = mpz((p - 1) * (q - 1))
        if gmp.gcd(e, phi_n) == 1:
            d = gmp.invert(e, phi_n)
        else:
            status = False
            d = -1
        return status, n, e, d

Since you have done the Information and Network Security subject in your undergraduate degree, the CIO of the company you are currently employed at asks you to analyse the security of Joe's algorithm. To assist you in this task Joe has provided a sample public key generated using his method and an encrypted message. You can download these values from Moodle under the "My Assessment" section named "Download Individual Sample of Public Key and Ciphertext". If you find Joe's algorithm to be secure then you must justify it by explaining the difficulty of recovering the plaintext from the ciphertext and the knowledge of the public key. If you find Joe's algorithm to be vulnerable then you must first explain how you can recover the plaintext from the ciphertext and the provided public key. You must then include the recovered plaintext in your report.

If you are able to factor the modulus as well then you must include the factors (p and q) as well as the private exponent d.

Note: The rand_n() function generates a random mpz number between lower and upper bounds. You can assume that this function is secure, or in other words the security of this function is not the focus of this task. You can implement the rand_n() function if you wish to run the given code; however, that is not required to be able to answer this question.
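In the keygen above, q is taken as the next prime after p, so n is a product of two adjacent primes. The following added example (not part of the assignment; is_probable_prime and next_prime are pure-Python stand-ins for gmpy2, and adjacent_primes, fermat_audit and gap_ok are hypothetical names) audits a modulus for that condition with Fermat's method and shows the FIPS 186-4 prime-distance check a key generator should apply.

```python
import math
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; sufficient for this demonstration."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % s == 0 for s in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    """Stand-in for gmpy2.next_prime: smallest probable prime > n."""
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n

def adjacent_primes(nbits):
    """Primes chosen the way the page's rsa_keygen does: q follows p."""
    lo = 2 ** (nbits // 2 - 1)
    p = next_prime(lo + secrets.randbelow(lo))
    return p, next_prime(p)

def fermat_audit(n, max_steps=1000):
    """Return (p, q) if n splits within max_steps of Fermat's method, else None."""
    a = math.isqrt(n - 1) + 1            # ceil(sqrt(n))
    for _ in range(max_steps):
        b = math.isqrt(a * a - n)
        if b * b == a * a - n and a - b > 1:
            return a - b, a + b
        a += 1
    return None

def gap_ok(p, q, nbits):
    """FIPS 186-4 prime-distance rule: |p - q| > 2**(nbits/2 - 100)."""
    return abs(p - q) > 2 ** (nbits // 2 - 100)
```

For adjacent primes the audit succeeds on the first step, because ceil(sqrt(n)) already equals (p + q) / 2; for independently chosen primes it gives up and gap_ok passes.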

2. [20 Marks] Write a simple personal password management application with Python. Use the provided Virtual Machine for Lab exercises to test your code as it comes with the pyca library installed. The application must have the following command line options (you can use argparse):

-add followed by a name to add a password under the given name

-show followed by a name to show a previously added password under the given name on standard output (without newline)

-update followed by a name to update a previously added password under the given name

The name provided with the -add option must be used as the name of the file that will contain the encrypted password. You must use the RSA public key algorithm to encrypt the passwords. Generate a self-signed X.509 certificate using the openssl tool where the private key file is password protected. For simplicity, hard code the default location to store the certificate and private key files as well as the encrypted password files to be the ~/.mypass directory (use os.path.expanduser('~/.mypass/') to make the path absolute). You must use OAEP for padding. OAEP requires a hash function for the padding; use SHA1 for this to be compatible with the openssl tool.

To have a starting point, complete the following code:

    #!/usr/bin/env python3
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    import getpass
    import argparse
    import os

    def read_pubkey():
        pass

    def read_prvkey():
        pass

    def do_add(pubkey, file, pass_to_store):
        pass

    def do_show(prvkey, file):
        pass

    def do_update(pubkey, file, pass_to_store):
        pass

    def main():
        pass

    if __name__ == '__main__':
        main()

Note:

You will only receive marks if your code functions correctly.

Do not include the code in the report. Instead briefly explain the overall logic of the code as well as individual functions. The explanation will receive 25% of the task's marks and the remaining 75% will be awarded to a correctly implemented code.

You do not need to submit your generated certificate as the code must work with any X.509 certificate.

Name the file mypass_SID.py and submit via Moodle. Replace SID with your student ID.

Incorrectly named files will incur 5 penalty marks.
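Two points in the task above matter for security: the OAEP parameters (SHA1 for both the label hash and MGF1), and the fact that a user-supplied name becomes a file name. The following added example is not the assignment's code: it uses a throwaway in-memory key instead of an X.509 certificate, a temporary directory instead of ~/.mypass, and hypothetical helpers entry_path, store, show and demo with an assumed naming policy.

```python
import os
import re
import tempfile
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP with SHA1 for both the label hash and MGF1, as the task requires
OAEP_SHA1 = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
                         algorithm=hashes.SHA1(), label=None)
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")   # assumed naming policy

def entry_path(store_dir, name):
    """Map an entry name to a file inside store_dir, refusing path tricks."""
    if not NAME_RE.fullmatch(name) or name.startswith("."):
        raise ValueError("invalid entry name: %r" % name)
    return os.path.join(store_dir, name)

def store(pubkey, store_dir, name, secret, overwrite=False):
    """Encrypt secret under pubkey: add must not clobber, update must find the entry."""
    path = entry_path(store_dir, name)
    flags = os.O_WRONLY | (os.O_TRUNC if overwrite else os.O_CREAT | os.O_EXCL)
    fd = os.open(path, flags, 0o600)            # owner-only file
    with os.fdopen(fd, "wb") as fh:
        fh.write(pubkey.encrypt(secret.encode(), OAEP_SHA1))

def show(prvkey, store_dir, name):
    """Decrypt and return the stored secret."""
    with open(entry_path(store_dir, name), "rb") as fh:
        return prvkey.decrypt(fh.read(), OAEP_SHA1).decode()

def demo():
    """Round trip with constructed sample data: add, update, reject traversal."""
    prv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    with tempfile.TemporaryDirectory() as d:
        store(prv.public_key(), d, "mail", "s3cret-one")
        store(prv.public_key(), d, "mail", "s3cret-two", overwrite=True)
        try:
            entry_path(d, "../../etc/passwd")
            rejected = False
        except ValueError:
            rejected = True
        return show(prv, d, "mail"), rejected
```

With a 2048-bit key and SHA1, OAEP leaves room for at most 214 bytes of plaintext, which is why RSA is applied to the password directly here rather than to arbitrary data.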

3. [20 Marks] You need the John the Ripper tool for this task, which is installed on the prepared Virtual Machine for Lab exercises. For each of the following tasks, write down the steps, commands, and the rationale behind the steps in the report.

(a) Use the tool to generate a new password list file using the jtr rules (the password list supplied with the tool is stored in /usr/share/john/password.lst).

(b) Use the password list generated in the previous step and write a Python program to perform a dictionary attack on an SSH server. Do not include the code in the report but rather discuss its logic.

(c) The user must be able to stop the execution.

(d) The tool must have the following command line arguments:

-u to specify the username (required);

-p to specify the password list file (required);

-host to specify the target host (required);

-port to specify the SSH service port number (optional, if not specified must default to 22).

(e) Discuss how a dictionary attack on a local password file differs from an attack over the network (e.g. SSH) in terms of the time and other difficulties (from the attacker's point of view).

(f) Describe at least three settings to protect SSH against dictionary attacks.

Notes:


Use the paramiko library, which provides SSH protocol capability for Python programs. You can test your code by connecting over ssh to localhost. You may need to change some default settings of the ssh service to accelerate your dictionary attack (make the service less secure to test your attack). Discuss any changes you make to the configuration of the ssh service (/etc/sshd_config).

The points discussed in the report receive 25% of the task mark and a correctly implemented code the remaining 75%.

Name the file jtrssh_SID.py and submit via Moodle. Replace SID with your student ID.

Incorrectly named files will incur 5 penalty marks.
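Item (f) and the note about loosening the ssh service for testing both come down to a few sshd_config keywords. The following added example (not part of the assignment) audits the global section of a configuration for three of them: PasswordAuthentication, PermitRootLogin and MaxAuthTries. The sample file is constructed, the thresholds are an assumed policy, and Match blocks and Include files are not evaluated.

```python
SAMPLE_SSHD_CONFIG = """\
# constructed sample: a service loosened for lab testing
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 100
"""

# OpenSSH defaults that apply when a keyword is absent
DEFAULTS = {"passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password",
            "maxauthtries": "6"}

# keyword -> (predicate that is True when the value is weak, advice); assumed policy
CHECKS = {
    "passwordauthentication": (lambda v: v != "no", "use key-based login only"),
    "permitrootlogin": (lambda v: v == "yes", "set to no or prohibit-password"),
    "maxauthtries": (lambda v: int(v) > 6, "keep at or below the default of 6"),
}

def effective_settings(text):
    """Global-section keyword -> value; sshd uses the first value it obtains."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # conditional overrides: not evaluated
            break
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())
    return seen

def audit(text):
    """Return {keyword: advice} for every weak effective setting."""
    eff = {**DEFAULTS, **effective_settings(text)}
    return {k: advice for k, (weak, advice) in CHECKS.items() if weak(eff[k])}
```

Running audit() on the sample flags all three keywords, which is the state the service should be restored from once testing is finished.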

4. [40 Marks] For this task you will be using the Core Network Emulator. The required file is available on Moodle under the "My Assessment" section named "assignment_core_config.imn". The aforementioned file will be readable by the Core Network Emulator. You must complete the following tasks:

(a) VPN tunnel between the branch office gateway and head office gateway of talos.com named phoenix and griffin respectively. You must use the strongswan service that wraps the IKE and IPSec configuration in one package. This service is available under the Extension section of the configuration feature of the layer 3 nodes (i.e. routers, servers, etc.). Your configuration must satisfy the following requirements:

The VPN must provide confidentiality and must be in tunnel mode.

You must use public key certificates (self-signed) for authentication of IPSec endpoints.

You must use Fully Qualified Domain Name (FQDN) for end point identities (the DNS records are already defined as phoenix.talos.com and griffin.talos.com).

The clients on either side must be able to access the servers on the other side through the VPN tunnel (e.g. client1Syd and clio, client1Mel and calliope).

You must choose security parameters according to today's security requirements.

(b) Configure the firewall service on griffin using iptables to satisfy the following requirements:

Allow servers in the DMZ to be accessed from any machine anywhere, but the access must be limited to the service provided by the server.

The internal servers clio (providing web service) and thalia (providing FTP service) must only be accessible from local clients directly and from the branch office through the VPN.

The internal clients and servers must be able to initiate connections to the external network; however, no external machine should be able to initiate a connection to internal clients and servers.

The gateway griffin must respond to ICMP protocol messages if coming from the trusted sources (local clients, DMZ, internal servers, branch office gateway phoenix).

The gateway griffin must be able to communicate with the DNS server to resolve domain name queries and must be able to communicate with phoenix for VPN traffic.

No other traffic must be allowed and this must be set as the default policy.

(c) Configure the firewall service on phoenix using iptables to satisfy the following requirements:

The internal server calliope (providing web service) must only be accessible from local clients directly and from branch office through VPN.

The internal clients and servers must be able to initiate connections to the external network; however, no external machine should be able to initiate a connection to internal clients and servers.

The gateway phoenix must respond to ICMP protocol messages if coming from the trusted sources (local clients, internal servers, branch office gateway phoenix).

The gateway phoenix must be able to communicate with the DNS server to resolve domain name queries and must be able to communicate with griffin for VPN traffic.

No other traffic must be allowed and this must be set as the default policy.


Briefly explain the security of your configuration and your choices of parameters and rules.

Notes:

Your configuration will be tested when marked by teaching staff and you will receive marks for correct functionality according to the aforementioned requirements. Make sure that all required configuration elements are included in the submission file.

Make sure that you use the interface provided by the core GUI to add your changes and save when finalised. If you close the core GUI interface without saving the changes you will lose all the changes as there is no auto-save setting.

You do not need to include any screen shots or explain the configurations line by line. It suffices to explain the logic of configuration related to security parameters or best practices.

The provided explanation in the report will receive 25% of the task marks and the remaining 75% will be awarded to correct configuration.

Name the final configuration file core_SID.imn and submit via Moodle. Replace SID with your student ID.

Incorrectly named files will incur 5 penalty marks.


