Advanced Network Security
Assignment Details
Instructions
Attempt all questions. This is an individual assignment, and it is expected students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged), however each student should develop and write up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:
• Do not exchange files (reports, captures, diagrams) with other students.
• Complete tasks with virtnet yourself – do not use results from another student.
• Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students.
• Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own.
• Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words.
• Perform the tasks using the correct values listed in the question and using the correct file names.
Discuss, Explain, Design Style Questions
A number of questions in this assignment require short, specific answers. These will normally be marked on correctness. That is, if the answer given is correct, then full marks, otherwise 0 marks. In some cases, partial marks may be given.
Other questions require more elaborate answers. They typically include words such as discuss, explain, design, compare or propose. For such questions, to achieve full marks your answer should not only be correct, but also clear and detailed. While your answers don’t necessarily have to be long (many paragraphs), the level of detail should be similar to that covered in lectures. Some hints on writing your answers to this style of question include:
• Use terminology that has been used throughout the lectures. Using non-standard terminology, or terminology that significantly differs from that in this topic, is an example of unclear writing.
• Be specific, referring to files, algorithms, keys or other relevant data elements.
• When relevant, use examples to assist your explanation (although don’t use just examples; give a general explanation as well).
• Including wrong or irrelevant information in your answer will result in low marks. An answer with multiple wrong/irrelevant statements as well as a correct statement may receive 0 marks.
• Don’t rely heavily on images (unless they are asked for). If you do include images, then draw them yourself – don’t take images from the Internet, textbook or lecture notes.
For this question you must use virtnet (as used in the tutorials) to perform an interception attack. This assumes you have already set up and are familiar with virtnet. See Moodle and tutorial instructions for information on setting up and using virtnet. The tasks and sub-questions are grouped into multiple phases. You must complete all phases, in order.
Phase 1: Setup
1. Create topology 5 in virtnet. node1 will be referred to as the client, node2 the router, and node3 the server.
2. The attacker has access to the router, and will run tcpdump to capture packets.
3. Users on the client and server will use applications to communicate. For this task, netcat and scp will be used to generate the application traffic.
4. Server port numbers must be assigned based on the last three (3) digits of your student ID, xyz, as defined below. Examples are given for a student ID of 12345678.
• For netcat server use port 8xyz. Example port: 8678
Phase 2: Create Test Data
For netcat and scp, a file will be transferred from client (node1) to server (node3). Create the file on the client using a text editor such as nano. Name the file [StudentID]-data.txt and add the following four (4) lines:
COIT20262
Assignment 1
[StudentID]
[StudentName]
Be sure to replace [StudentID] and [StudentName] with your actual ID and your full name.
Phase 3: Intercept Netcat Application Traffic
The attacker should capture traffic on the router (node2) for the following Netcat (nc) application traffic. When performing the capture, make sure there are no other applications or traffic in the background (e.g. from your own SSH connections). The resulting capture file must only contain packets relevant to the following steps.
1. Start the netcat TCP server using the assigned port on the server (node3), redirecting received output to the file [StudentID]-netcat.txt. For example:
nc -l 8678 > 12345678-netcat.txt
2. Start the netcat TCP client on the client (node1), redirecting the file [StudentID]-data.txt as input. For example:
nc 192.168.2.21 8678 < 12345678-data.txt
3. On the server, check that the contents of the received data in [StudentID]-netcat.txt match those on the client.
The use of redirection (< and >) means the data from the file [StudentID]-data.txt is read at the client and sent via a TCP connection to the server, where the data is saved in [StudentID]-netcat.txt.
The attacker should then stop the capture, and save the file as: [StudentID]-netcat.pcap.
Phase 4: Intercept scp Application Traffic
The attacker should capture traffic on the router (node2) for the following scp application traffic. When performing the capture, make sure there are no other applications or traffic in the background (e.g. from your own SSH connections). The resulting capture file must only contain packets relevant to the following steps.
1. Use scp on the client (node1) to copy the file [StudentID]-data.txt to the server (node3), saving it as [StudentID]-scp.txt. For example:
scp 12345678-data.txt 192.168.2.21:/home/network/12345678-scp.txt
2. On the server, check that the contents of the received data in [StudentID]-scp.txt match those on the client.
The attacker should then stop the capture, and save the file as: [StudentID]-scp.pcap.
Phase 5: Analysis
Answer the following sub-questions regarding the previous phases.
(a) Add [StudentID]-data.txt to [StudentID]-files.zip.
(b) Add [StudentID]-netcat.pcap to [StudentID]-files.zip.
(c) Add [StudentID]-scp.pcap to [StudentID]-files.zip.
(d) Draw a message sequence diagram that illustrates all the TCP packets generated by using nc in phase 3. Do not draw any packets generated by other applications or protocols, such as ARP, DNS or SSH, and do not draw the UDP packets. Only draw TCP packets. A message sequence diagram uses vertical lines to represent events that happen at a computer over time (time is increasing as the line goes down). Addresses of the computers/software are given at the top of the vertical lines. Horizontal or sloped arrows are used to show messages (packets) being sent between computers. Each arrow should be labelled with the protocol, packet type and important information of the message. Examples of message sequence diagrams are given in tutorials. Note that you do not need to show the packet times, and the diagram does not have to be to scale. You must draw your own diagram; you cannot use the diagram generated by Wireshark.
(e) As the attacker you can learn information from intercepting the packets. Based on the packet capture file from phase 3 (nc) only, answer the following questions.
i. What port number did the client application use?
ii. What was the duration of the TCP connection? Give your answer in microseconds.
iii. What is the absolute sequence number of the first TCP segment containing data?
iv. What is the length of the data (payload) in the first TCP segment containing data?
v. An attacker can sometimes learn useful information from knowing when a TCP connection occurs, relative to other TCP connections. TCP senders optionally include timestamps in all packets. For the first TCP segment sent by the client in the connection, what is the hexadecimal value of the timestamp?
vi. Attackers often create fake IP packets, e.g. with fake source addresses. To do so, the checksum must be calculated. What is the hexadecimal value of the IP checksum in the first TCP segment containing data?
vii. If an attacker had to write code to automatically detect TCP segments that contain data based on the binary value of the flags field, what binary value would they search for?
Now consider the information captured from intercepting scp traffic in phase 4. scp uses SSH as the underlying protocol. Hint: you can use the ssh filter keyword in Wireshark to show only the scp/SSH packets.
(f) As the attacker you can learn information from intercepting the packets. Based on the packet capture file from phase 4 (scp) and any research you do about scp/SSH, answer the following questions.
i. What port number did the server application use?
ii. OpenSSH is one implementation of SSH. What version of OpenSSH did the server advertise?
iii. SSH clients and servers inform each other of the algorithms they support in order of preference (that is, listing their first preference first), and then the client selects algorithms to use by identifying the client’s highest preference algorithm that is also supported by the server. What is the name (as referred to by SSH) of the key exchange algorithm selected and used by the client?
iv. After the client and server agree upon algorithms, a key exchange is performed using a public key exchange protocol. What is the name of that key exchange protocol (also referred to as a key agreement scheme)? (Hint: the answer is NOT the same as the above.)
v. In the key exchange protocol, the client sends a public key to the server. What are the last 4 hex digits of that public key?
vi. The data transfer between client and server should be encrypted. How many encrypted packets are sent by the client to the server?
vii. For the first encrypted packet sent by client to server, what are the last 4 hex digits of the message authentication code?
Answer the following questions based on your captures and understanding of the protocols and algorithms.
(g) In phases 3 and 4 you transferred the exact same data file from client to server. Compare the two approaches to data transfer with respect to: authentication, confidentiality, performance (specifically, number of packets).
(h) Consider the SSH encryption algorithm chacha20-poly1305. A widely used encryption cipher is AES. Discuss why chacha20 may be used instead of AES.
Question 2. Cryptography
For this question you must use openssl to perform a set of cryptographic operations. When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible, test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the original to the decrypted). It is recommended you use virtnet to perform the operations.
The tasks and sub-questions are grouped into multiple phases. You must complete all phases.
Phase 1: Download
Normally in public key cryptography you generate your own public/private key pair. However, in this assignment, to simplify the tasks, the Unit Coordinator has generated a key pair for you. Your key pair will be available to you on Moodle to download, with filename:
• [StudentID]-keypair.pem
In addition to your key pair, a number of files will be available to all students on Moodle to download. Each file starting with [StudentID] must be downloaded by you. You may also need to download files with other students’ IDs (see the next phase).
The download URL will be published on Moodle.
Phase 2: Read the Messages
The files for download have been created by another student, denoted as the sender:
1. Sender student created a message to you [StudentID]-message[N].txt, where [N] is an integer, e.g. 1, 2, 3, …
2. The sender signed the message to produce [StudentID]-message[N].sgn.
3. The sender wrote their student ID into a text file [StudentID]-sender[N].txt.
4. The sender signed the sender file to produce [StudentID]-sender[N].sgn.
5. The sender used openssl to generate a random 256-bit secret key, in Hex, and saved it in [StudentID]-key[N].txt.
6. The sender generated a random Initialisation Value (IV), in Hex, and saved it in [StudentID]-iv[N].txt.
7. The sender encrypted the message using symmetric key encryption, the random secret key, and the random IV, producing [StudentID]-message[N].enc.
8. The sender encrypted the random secret key file using public key encryption, producing [StudentID]-key[N].enc.
9. The sender encrypted the IV file using public key encryption, producing [StudentID]-iv[N].enc.
The sender then sends to you the necessary files from above.
Note that the files were actually created by the Unit Coordinator, but in this assignment you can assume they were created by a student. The “sending” of files to you is performed by the sender (Unit Coordinator) uploading them to Moodle, and you downloading them from Moodle.
Your task is, for every message, decrypt and verify the files. Be careful: there may have been attacks on some messages!
The algorithms used in this question are:
• Public key: RSA, 2048 bit
• Symmetric key: AES-256-CBC
• Hash: SHA256
Phase 3: Report Your Results
After downloading, decrypting and verifying all messages, you need to create a summary of the results for each message. The summary must be in a text file called [StudentID]-summary[N].txt. The summary must contain exactly two lines, of the format:
ResultType
Message
where ResultType is one of the following strings:
• Success – means all files successfully decrypted and successfully verified.
• FailDecryptKey – means the decryption of the secret key was unsuccessful.
• FailDecryptMessage – means the decryption of the message was unsuccessful.
• FailVerifySender – means the verification of the sender file was unsuccessful.
• FailVerifyMessage – means the verification of the message was unsuccessful.
If ResultType is Success, then include the contents of the message on the next line. If ResultType is another value, then include “NoMessage” on the next line. Examples of possible summary files are:
Example 1:
Success
12345678-3-hello
Example 2:
FailDecryptMessage
NoMessage
Example 3:
FailVerifySender
NoMessage
You must sign each summary file, producing [StudentID]-summary[N].sgn.
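The receiver side of phases 2 and 3, as an added example that is not part of the assignment, written against the openssl CLI named above: it decrypts the key, IV and message, verifies both signatures, and prints the ResultType string. Because the real [StudentID] files come from Moodle, the script constructs its own sender and receiver RSA-2048 key pairs and three messages in a temporary directory, uses the page's example ID 12345678 and a constructed sender ID 87654321, assumes file names follow the [StudentID]-name[N] pattern, and tampers with two of the three messages to show the failure results.

```shell
#!/bin/sh
# Added example, not the assignment's own files: constructed key pairs and messages.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
ID=12345678   # page's example student ID (assumed receiver)

# Constructed sender and receiver key pairs, standing in for the Moodle-supplied ones.
for who in sender receiver; do
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$who.pem" 2>/dev/null
  openssl pkey -in "$WORK/$who.pem" -pubout -out "$WORK/$who-pub.pem"
done

# Sender steps 1-9: sign message and sender file, random key/IV, AES-256-CBC, RSA-wrap key and IV.
make_message() {  # $1 = message number N
  n=$1
  printf '%s-%s-hello\n' "$ID" "$n" > "$WORK/$ID-message$n.txt"
  openssl dgst -sha256 -sign "$WORK/sender.pem" -out "$WORK/$ID-message$n.sgn" "$WORK/$ID-message$n.txt"
  printf '87654321\n' > "$WORK/$ID-sender$n.txt"   # constructed sender ID
  openssl dgst -sha256 -sign "$WORK/sender.pem" -out "$WORK/$ID-sender$n.sgn" "$WORK/$ID-sender$n.txt"
  openssl rand -hex 32 > "$WORK/$ID-key$n.txt"     # 256-bit key as hex
  openssl rand -hex 16 > "$WORK/$ID-iv$n.txt"      # 128-bit IV as hex
  openssl enc -aes-256-cbc -K "$(cat "$WORK/$ID-key$n.txt")" -iv "$(cat "$WORK/$ID-iv$n.txt")" \
    -in "$WORK/$ID-message$n.txt" -out "$WORK/$ID-message$n.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver-pub.pem" -in "$WORK/$ID-key$n.txt" -out "$WORK/$ID-key$n.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver-pub.pem" -in "$WORK/$ID-iv$n.txt" -out "$WORK/$ID-iv$n.enc"
}

# Receiver: unwrap key and IV, decrypt, verify both signatures; print the phase 3 ResultType.
check_message() {  # $1 = message number N
  n=$1; d="$WORK/dec$n"; mkdir -p "$d"
  openssl pkeyutl -decrypt -inkey "$WORK/receiver.pem" -in "$WORK/$ID-key$n.enc" -out "$d/key.txt" 2>/dev/null \
    || { echo FailDecryptKey; return; }
  openssl pkeyutl -decrypt -inkey "$WORK/receiver.pem" -in "$WORK/$ID-iv$n.enc" -out "$d/iv.txt" 2>/dev/null \
    || { echo FailDecryptKey; return; }
  openssl enc -d -aes-256-cbc -K "$(cat "$d/key.txt")" -iv "$(cat "$d/iv.txt")" \
    -in "$WORK/$ID-message$n.enc" -out "$d/message.txt" 2>/dev/null || { echo FailDecryptMessage; return; }
  openssl dgst -sha256 -verify "$WORK/sender-pub.pem" -signature "$WORK/$ID-sender$n.sgn" \
    "$WORK/$ID-sender$n.txt" >/dev/null 2>&1 || { echo FailVerifySender; return; }
  openssl dgst -sha256 -verify "$WORK/sender-pub.pem" -signature "$WORK/$ID-message$n.sgn" \
    "$d/message.txt" >/dev/null 2>&1 || { echo FailVerifyMessage; return; }
  echo Success
}

make_message 1                                                   # untouched
make_message 2; printf '11111111\n' > "$WORK/$ID-sender2.txt"    # sender ID swapped after signing
make_message 3; truncate -s 17 "$WORK/$ID-message3.enc"          # ciphertext cut short in transit
for n in 1 2 3; do printf 'message %s: %s\n' "$n" "$(check_message "$n")"; done
```

The signature on the sender file is what ties the message to a claimed sender, so an edited sender ID is caught at the FailVerifySender step even though the key, IV and message all decrypt cleanly.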
Phase 4: Analysis
(a) Add all summary text files, e.g. [StudentID]-summary1.txt, [StudentID]-summary2.txt, [StudentID]-summary3.txt, ... to [StudentID]-files.zip.
(b) Add all summary signature files, e.g. [StudentID]-summary1.sgn, [StudentID]-summary2.sgn, [StudentID]-summary3.sgn, … to [StudentID]-files.zip.
(c) Consider the information that was encrypted and sent to the receiver in phase 2. Different encryption algorithms were used to encrypt different types of information. Explain why different algorithms are typically used for different information.
(d) Assume that MD5 was used instead of SHA256. Explain a successful attack that takes advantage of the fact MD5 is used. The attack description should be at a level of detail similar to the steps in phase 2, referring to files. In your description, refer to the entities involved as “sender”, “receiver”, “attacker” or similar. Assume the keys you downloaded from Moodle are trustworthy (i.e. not compromised).
In this question the Unit Coordinator created your public/private key pair. For the following sub-questions, assume you create your own key pair on your own computer.
Consider the following scheme. You create your own key pair on your computer, extract the public key .pem file, and then encrypt that file with AES and a secret key known by the entire class (including the Unit Coordinator). You then send the encrypted public key to the Unit Coordinator.
(e) Explain how a masquerade attack could be performed on the above scheme, including how/why that attack would be successful.
(f) Design a scheme for which a masquerade attack would not be successful.
(g) Explain why your above designed scheme defeats the masquerade attack.
Assume a university has been infected by ransomware, affecting primarily their grading system (such as Moodle). You must write a short report to university staff addressing the following:
• What is ransomware? Give a short introduction/overview so that management can understand.
• What are the possible ways in which an organisation can be infected? Again, aim this at university management.
• What is the role of cryptography in ransomware? This should be explained for a technical audience, that is, the IT staff in the university. Refer to types of algorithms used and how they are used.
• If the university decides not to pay the ransom, what are the options?
• If the university is considering paying the ransom, what are the advantages and disadvantages? How is payment normally made (and why)?
• Recommend methods the university should take in the future to avoid becoming infected.
Your report must have six (6) sections, each section addressing a point above. While there is no page limit, each section should be less than half a page, and a good answer could be given in 1 to 3 paragraphs. Do NOT include pictures or tables in the report. Use text only. While you may use numbered lists and dot points, the report cannot entirely be lists. References are not necessary (although the normal rules of academic integrity are expected).