Network Security: continuous assessment

Network Security lecture notes

Copyright �‚© 2006 Mark Dermot Ryan
Permission is granted to copy, distribute and/or modify this document
(except where stated) under the terms of the GNU Free Documentation License,

Network Security: continuous assessment

Basic information

Please write a report about the question you have been assigned, and hand it in by Monday 12 March 2007, at 1200. You must submit in two formats:

In hard copy, at the School's reception, in exchange for a receipt. The hard copy version must be accompanied by a cover sheet and must adhere to the usual requirements (in particular, it shouldn't have your name on it).
Electronically: when you login to BOSS, choose: "Network Security", "Continuous Assessment Report", and "The Report". Your file should be in PDF format, and should be named NS_xxxxxx.pdf where xxxxxx is your student ID. The contents should not include your name.

The marks will be returned by Friday 30 March.

In order to ensure a balance of students doing each exercise, and to ensure that everyone works individually and is not tempted to work with friends, you will be allocated an exercise number, based on your preferences. You must answer the question you have been assigned. It is not possible to gain credit by answering a different question.

Credit is given for the research you have done, as documented in your report. Your intended reader should be a well-informed expert in computer security and network security, e.g., a graduate from a Computer Security MSc. Your aim is to teach that person something s/he doesn't already know. Your answer should be a maximum of two sides of A4 (excluding references). It means you have to choose every word carefully, and be very economical. You should expect to go through several drafts, trying to fit as much information as you can into two pages. Please remember the quote, apparently due to Mark Twain: "Sorry this is such a long letter. I didn't have time to write a shorter one." For this exercise, you must take the extra time required to produce a short, crisp report instead of a longer, rambling one. This is excellent training for report-writing in your professional life, where page limitations are typical and you have to learn to express yourself consisely.

Please adhere to these writing hints.

The questions

You will be asked to nominate three numbers, representing your preference. Later, a number will be assigned to you, based on your preference and other criteria. You must answer a question that corresponds to your assigned number, but you can choose whether to answer a theoretical question or a practical question.

Theoretical questions

Note: it is impossible to answer these questions properly without doing a substantial quantity of research and reading. Remember that your reader is a well-informed expert in computer security and network security. There is no point in filling your report with things that you already know, because your reader will already know them as well. Your aim is to inform the reader, and most of the content of your report should be things s/he doesn't know.

Why is it easier to fake the sender of an email message than to fake the sender of an SMS? Could email sender authentication be made as reliable as SMS sender authentication?
A bank wants to introduce biometric authentication to verify the identities of customers when they use on-line banking. It proposes to issue customers with a USB fingerprint reader (such as one of these), and comes to you for advice. Identify the security properties that the bank would need of such a system. Discuss the obstacles in achieving them, and ways they might be addressed.
Bill Gates says that computational proof will be built into MS Outlook, as a means of combating spam. How will this work? Are there alternative variations on the idea of computational proof than what what Gates proposes?
In the 1980s, David Chaum invented the possibility of anonymous digital cash -- that is, cash in electronic format which could be stored on disk or on a USB memory stick, and sent as payment by email or uploaded onto a website. Such cash offers security and privacy guarantees, such as: (a) the receiver gets only the amount of cash that the giver sends; (b) neither the receiver nor the bank (the cash provider) can trace the identity of the sender; (c) neither the sender nor the bank can trace the sender or the receiver. This proposal was not adopted by banks and governments because the privacy/anonymity guarantees are too strong (the would enable crimes such as money laundering). In the 1990s and 2000s, a plethora of schemes offering reduced privacy properties were proposed, often called revocable anonymity. Explore, categorise and analyse these reduced privacy properties.

To start, I suggest searching for "anonymous digital cash" and related things on Google Scholar. You will find a lot of papers proposing new schemes with reduced anonymity. Look at some of those proposals, and write a report about them as you understand them. You will find that the mechanisms people propose are very technical, but you don't need to worry about the mechanisms; just focus on the properties that they deliver: what kind of anonymity does this system actually give?
The US system for electronic voting has been shown to be fraught with problems, such as the possibility of massive vote fraud. Protocols exist which address not only vote accuracy, but provide more sophisticated properties like vote privacy and coercion resistance. How could a protocol like the one by Fujioka-Okamoto-Ohta (discussed in lectures) be deployed in a real election?

Practical questions

Some of these exercises require you to use your own equipment, and/or to spend your own money. If you are not comfortable with this, please do the theoretical exercise instead. Neither I nor the University accepts liability for any consequence of your doing these exercises.

Investigate and compare the NFS and SMB/Samba (also called CIFS) file system protocols, using Ethereal to analyse the messages sent between the client and server. Analyse the security properties of each system. You have to do this under linux (NFS is not available for Windows, although SMB is).
(Note about University facilities. Pleaser remember that it is an offence to interfere with the University or the School network in any way, and in particular it is forbidden to misuse any school or university fileserver. All your activity on this project must be carried out on your own private equipment.)

(If you want to do the original project mentioned here about on-line games, that's fine. You can do it. Please send me an email.)
Explore the network attacks you get on your broadband network connection at home, using tools such as Snort, Ethereal, and others. Document and categorise the kinds of attacks you found. You will need to connect a PC directly to the network connection (not via a router), in order to see all the incoming traffic -- and you'll need to keep it like that for a couple of weeks. To overcome problems with your housemates:
- Set up your computer as a gateway, which serves the router your housemates are connected to.
- Alternatively (and better), connect your PC and your usual router in parallel (via a hub) to the broadband connection. This might or might not work, depending on the broadband provider. In the case of Telewest, this setup would require you to register the MAC address of your PC as well as the MAC address of your router (you've probably already registered that one) -- this can be done on-line.
Conduct a practical investigation the security of WEP, as implemented by a consumer router box or software system of your choice. Your report will be a full analysis of the pitfalls of using WEP.
(Note about University facilities. Pleaser remember that it is an offence to interfere with the University or the School network in any way, and in particular it is forbidden to run WEP key discovery software on the School's wireless network or the University wireless network. All your activity on this project must be carried out on your own private network.)
Install linux on a home router, cable modem, network storage device, or other consumer box. Most of these boxes already run embedded linux, and the firmware can be re-flashed to enable you to obtain a more open system on which you can choose what software to install, in order to extend the services offered by the box. For example, you could install your own web server or file system which would be available even when your computer is switched off. There are many websites available to help you, depending on what box you have; for example, I recently installed OpenLink on my Buffalo Linkstation NAS. What are the security implications of such an action?
(Warning. You can easily fry your consumer box in this way. Don't attempt this project unless you are confident about your abilities and unless you can afford to lose the box.)
jTPM Tools provide a set of command line utilities in Java which interact with your system's TPM (or with the open-source TPM emulator, if you don't have a TPM). Make it work on your machine, for example, by demonstrating attestation: set up a client/server system where the server gets a guarantee that the client is running the right software before it offers a download. NB: jTPM relies on TrouSerS, the linux implementation of the Trusted Software Stack. This project probably has to be done under linux. Useful links:
- Forum for Open SW based on TC - TPM-Drivers and support forum for LINUX etc.
- TrouSerS, the open-source TCG Software Stack, with a good FAQ,

Summary of topics

	Theoretical questions	Practical questions
1	SMS vs email sender authentication	Game protocols
2	Biometric authentication for online banking	Attacks on broadband connections
3	Computational proof for spam fighting	WEP security analysis
4	Anonymity levels and digital cash	Linux on consumer box
5	Electronic voting protocols	Programming the TPM

Marking criteria

Substantialness of achievement. We will assess the quality and quantity of your investigation and analysis. (40%)
Presentation of material. Your writing should demonstrate critical analysis and the ability to evaluate evidence. Your document should be properly structured, with correct grammar and spelling (see writing hints). (30%)
Factual correctness, accuracy and precision. (20%)
Use of source material, including acknowledgment and correct citation. (10%)

Plagiarism

Copying from the internet, from papers or books, or copying between students is a grave offence. We ask you to submit on BOSS so that we can use plagiarism detection software. Please see our pagiarism policy.