COIT20262 Term 1, 2020 Advanced Network Security

COIT20262 Term 1, 2020
Advanced Network Security Page 1 of 11
COIT20262 – Advanced Network Security, Term 1, 2020
Assignment 2
Due date: 11.45 pm Friday 5 June 2020 (Week 12)
Weighting: 40%
Length: N/A
Instructions
Attempt all questions. Submit the following on Moodle:
• Answers: A Microsoft Word document containing answers to the questions.
• Question 1: [studentID]-keypair.pem, [studentID]-pubkey.pem, [studentID]-message.txt, [studentID]-signature.bin, [studentID]-key.txt, [studentID]-ciphertext.bin, [studentID]-secretkey.bin, [studentID]-commands.bash
• Question 2: [studentID]-csr.pem, [studentID]-ca-cert.pem, [studentID]-cert.pem, [studentID]-https.pcap
This is an individual assignment, and it is expected that students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged); however, each student should develop and write up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:
• Do not exchange files (reports, captures, diagrams) with other students.
• Complete tasks with virtnet yourself; do not use results from another student.
• Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students.
• Write your own explanations. In some cases, students may arrive at the same numerical answer; however, their explanation of the answer should always be their own.
• Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words.
Marking Scheme
• Each sub-question is allocated marks in [square brackets].
• Questions which require a specific answer will be marked on correctness.
• Questions which require explanations will be marked on the correctness, depth and clarity of the answer. To receive full marks, the explanation must be correct, must include significant depth to demonstrate understanding of the topic (but not irrelevant information), and must be clear to the intended audience. Unless otherwise stated, assume the audience has a background similar to Master of IT students that have successfully completed the 1st year of study.
• Questions which require diagrams will be marked on the correctness and clarity of the diagram.
• Submitted files will be marked on the correctness of the information included.
Question 1. Cryptographic Operations with OpenSSL [8 marks]
Your task is to use OpenSSL to perform a set of cryptographic operations. When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible, test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the decrypted output with the original). It is recommended you use virtnet to perform the operations.
Perform the following steps:
(a) For all the following steps, record the command(s) you used in a file called
[studentID]-commands.bash. This file should be a Bash shell script, containing only
commands that can be executed and optionally comments (starting with # character).
(b) Generate your own RSA 2048-bit key pair. Use the public exponent of 65537. Save
your key pair as [studentID]-keypair.pem.
(c) Extract your public key and save it as [studentID]-pubkey.pem.
(d) Create a text file called [studentID]-message.txt and include your student ID and
full name inside the file. This file is referred to as the message or plaintext.
(e) Sign your message file using SHA256, saving the signature as [studentID]-signature.bin.
(f) Generate a 128 bit random value using OpenSSL. This value will be used as a secret
key. Store the key as a 32 hex digit string in a file [studentID]-key.txt.
(g) Encrypt your message file using AES-128-CBC and the key generated in step (f). Use an IV of all 0’s (that is, 32 hex 0’s). Save the ciphertext as [studentID]-ciphertext.bin.
(h) Encrypt your [studentID]-key.txt file using RSA so that only the Unit Coordinator
can view the contents. Save the encrypted key as [studentID]-secretkey.bin.
Multiple files are output from the above steps. You must submit the following files on Moodle:
• [studentID]-keypair.pem
• [studentID]-pubkey.pem
• [studentID]-message.txt
• [studentID]-signature.bin
• [studentID]-key.txt
• [studentID]-ciphertext.bin
• [studentID]-secretkey.bin
• [studentID]-commands.bash
The file names must be exactly as listed above (replacing [studentID] with your actual student ID, e.g. 12345678-keypair.pem). Use lowercase for all files and double-check the extensions (be careful that Windows doesn’t change the extension).
Examples of the OpenSSL operations needed to complete this task are on Moodle.
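As an added illustration (this is not the Moodle example material and not a model answer), the script below carries steps (b) to (h) through as a commands.bash would, and checks each step with its reverse operation, which is exactly what the marker does. Assumptions: the student ID 12345678 and the name in the message are placeholders; the Unit Coordinator's public key is not given on this page, so the script generates a stand-in key pair (uc-keypair.pem, uc-pubkey.pem) purely so that it runs offline, and in a real submission uc-pubkey.pem would be the coordinator's published key.

```bash
#!/usr/bin/env bash
# Added example for Question 1 (b)-(h): every step is followed by its reverse operation.
# Placeholders: student ID 12345678, the name in the message, and the uc-*.pem
# stand-in for the Unit Coordinator's key pair (generated in main so this runs offline).
set -euo pipefail

SID="${1:-12345678}"
ZERO_IV="00000000000000000000000000000000"   # 16 zero bytes as 32 hex digits

# (b) 2048-bit RSA key pair, public exponent 65537 (OpenSSL's default, set explicitly here)
gen_keypair() {
  openssl genpkey -algorithm RSA \
    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
    -out "$1-keypair.pem" 2>/dev/null
}

# (c) extract the public key from the key pair
extract_pubkey() {
  openssl pkey -in "$1-keypair.pem" -pubout -out "$1-pubkey.pem"
}

# (d) the plaintext: student ID and full name (name is a placeholder)
write_message() {
  printf 'Student ID: %s\nName: Jane Example\n' "$1" > "$1-message.txt"
}

# (e) RSA signature over the SHA-256 digest of the message
sign_message() {
  openssl dgst -sha256 -sign "$1-keypair.pem" -out "$1-signature.bin" "$1-message.txt"
}
# reverse operation: prints "Verified OK" on success, "Verification Failure" otherwise
verify_signature() {
  openssl dgst -sha256 -verify "$1-pubkey.pem" -signature "$1-signature.bin" \
    "$1-message.txt" 2>/dev/null || true
}

# (f) 128-bit random key stored as 32 hex digits
gen_key() {
  openssl rand -hex 16 > "$1-key.txt"
}

# (g) AES-128-CBC with the raw hex key (-K) and the all-zero IV; PKCS#7 padding is the default
encrypt_message() {
  openssl enc -aes-128-cbc -K "$(tr -d '\n' < "$1-key.txt")" -iv "$ZERO_IV" \
    -in "$1-message.txt" -out "$1-ciphertext.bin"
}
# reverse operation: decrypt to stdout so it can be compared with the original
decrypt_message() {
  openssl enc -d -aes-128-cbc -K "$(tr -d '\n' < "$1-key.txt")" -iv "$ZERO_IV" \
    -in "$1-ciphertext.bin"
}

# (h) wrap the key file with the recipient's RSA public key. Padding is PKCS#1 v1.5,
# OpenSSL's default; whoever decrypts must use the same padding, so do not change it
# unilaterally (OAEP would be the better choice if both sides agree on it).
encrypt_key() {   # $1 = student ID, $2 = recipient public key file
  openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$1-key.txt" -out "$1-secretkey.bin"
}
decrypt_key() {   # $1 = student ID, $2 = recipient private key file; prints the key
  openssl pkeyutl -decrypt -inkey "$2" -in "$1-secretkey.bin"
}

# run every step, checking (e) and (g) with their reverse operations; returns 1 on any failure
run_pipeline() {  # $1 = student ID, $2 = recipient public key file
  gen_keypair "$1"; extract_pubkey "$1"; write_message "$1"
  sign_message "$1"
  [ "$(verify_signature "$1")" = "Verified OK" ] || return 1
  gen_key "$1"; encrypt_message "$1"
  decrypt_message "$1" | cmp -s - "$1-message.txt" || return 1
  encrypt_key "$1" "$2"
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
  cd "$(mktemp -d)"
  # stand-in for the Unit Coordinator's key pair so the example runs offline
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out uc-keypair.pem 2>/dev/null
  openssl pkey -in uc-keypair.pem -pubout -out uc-pubkey.pem
  run_pipeline "$SID" uc-pubkey.pem
  [ "$(decrypt_key "$SID" uc-keypair.pem)" = "$(cat "$SID-key.txt")" ] && echo "all checks passed"
}
main
```

The two checks that matter most are the ones students most often skip: that `openssl dgst -verify` prints exactly "Verified OK" against the extracted public key, and that the ciphertext decrypts byte-for-byte to the original with the same `-K`/`-iv` values. A key file with a trailing newline, or a key pasted with `-k` (a passphrase) instead of `-K` (raw hex), produces output that looks fine but will not decrypt for the marker.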
Marking Scheme
Once files are submitted, they will be decrypted/verified using the reverse operations of what
you were expected to do.
• If your files successfully decrypt/verify, and the commands ([studentID]-commands.bash) submitted are correct, then you will receive 8 marks.
• If your files successfully decrypt/verify, but the commands contain errors, then you will receive between 5 and 7 marks, depending on the severity of the errors (e.g. small typo vs wrong command).
• If your files do NOT successfully decrypt/verify, then your commands will be reviewed to determine what mistakes you made. You will receive between 0 and 6 marks, depending on the severity of the errors.
Up to 5 marks may be deducted for incorrect submissions (e.g. not all files submitted,
additional files submitted, wrong files submitted, wrong filenames).
Question 2. HTTPS and Certificates [15 marks]
For this question you must use virtnet (as used in the workshops) to study HTTPS and
certificates. This assumes you have already setup and are familiar with virtnet. See Moodle
and workshop instructions for information on setting up and using virtnet, deploying the
website, and testing the website.
Your task is to setup a web server that supports HTTPS. The tasks and sub-questions are
grouped into multiple phases.
Phase 1: Setup Topology
1. Create topology 5 in virtnet.
2. Deploy the MyUni demo website, with node3 being the real web server.
Phase 2: Certificate Creation
1. Use your RSA key pair from Question 1 to generate a Certificate Signing Request called
[StudentID]-csr.pem. The CSR must contain these field values:
• State: state of your campus
• Locality: city of your campus
• Organisation Name: your full name
• Common Name: www.myuni.edu
• Email address: your @cqumail address
• Other field values must be selected appropriately.
Now you will change role to be a CA. A different public/private key pair has been created for
your CA as [StudentID]-ca-keypair.pem. As the CA you must:
2. Setup the files/directories for a demoCA
3. Create a self-signed certificate for the CA called [StudentID]-ca-cert.pem.
4. Using the CSR from step 1, issue a certificate for www.myuni.edu called [StudentID]-cert.pem.
Phase 3: HTTPS Configuration
1. Configure Apache web server on node3 to use HTTPS where the domain name is
www.myuni.edu.
2. Load the CA certificate into the client on node1.
Phase 4: Testing
1. Start capturing on node2 using tcpdump.
2. On node1, use lynx to visit https://www.myuni.edu/grades/ and login to view some
grades.
3. Demonstrate to your tutor that your secure website is operating correctly. [4 marks]
4. Exit lynx.
5. Stop the capturing and save the file as [StudentID]-https.pcap.
When capturing, make sure you capture a full HTTPS session, and avoid capturing multiple sessions.
For on-campus students: Step 3 above should be demonstrated in your allocated Week 9, 10, 11 or Week 12 tutorial class. Your local tutor will inform you when your demonstration has passed.
For distance students: Unit Coordinator will organise a time for you to demonstrate step 3.
Phase 5: Analysis
(a) Demonstration of secure web site [4 marks]
(b) Submit the following files on Moodle. Each will be analysed to ensure they include
correct information (e.g. values specific to you).
• Submit the CSR [StudentID]-csr.pem. [0.25 mark]
• Submit the CA self-signed certificate [StudentID]-ca-cert.pem. [0.25 mark]
• Submit the issued certificate [StudentID]-cert.pem. [0.25 mark]
• Submit the packet capture [StudentID]-https.pcap. [0.25 mark]
(c) Draw a message sequence diagram that illustrates the TLS/SSL packets belonging to
the first HTTPS session in the file. Refer to the instructions in assignment 1 for drawing
a message sequence diagram, as well as these additional requirements:
• Only draw the TLS/SSL packets; do not draw the 3-way handshake, TCP ACKs or connection close. Hint: identify which packets belong to the first TCP connection and then filter with “ssl” in Wireshark. Depending on your Wireshark version, the protocol may show as “TLSv1.2”, and in Wireshark 3.0 and later the display filter is “tls” rather than “ssl”.
• A single TCP packet may contain one or more SSL messages (in Wireshark look inside the packet for each “Record Layer” entry to find the SSL message names). Make sure you draw each SSL message. If a TCP packet contains multiple SSL messages, then draw multiple arrows, one for each SSL message, and clearly label each with the SSL message name.
• Clearly mark which packets/messages are encrypted. [3 marks]
(d) Based on your certificate and the capture, write answers to the following questions in
the table. When giving algorithms, you may use the abbreviation but must accurately
identify the variant. For example, AES128 is different from AES256, and SHA256 is
different from SHA512. [4 marks, 0.5 mark each]
• How many bytes is the hash value in the certificate signature?
• What hash algorithm is used to generate the certificate signature?
• What encryption algorithm is used to generate the certificate signature?
• How many bytes is the public key modulus in the certificate?
• In the TLS cipher suite used between client and server, what algorithm is used for:
  – Encrypting session data?
  – Hashing for the MAC?
  – Key exchange?
• How many bytes of random data are sent from the client to server at the start of the handshake?
(e) In practice, some Certificate Authorities use self-signed certificates, while others have their certificate signed by another CA. Explain why self-signed certificates are needed by CAs, as well as the benefits of one CA signing another CA’s certificate. [2 marks]
(f) In practice, Certificate Authorities must keep their private keys very secure, usually storing them offline in special hardware devices. Explain an attack a malicious user could perform if they compromised the CA private key. Use your MyUni website as an example. [1 mark]
Question 3. Access Control and Authentication [7 marks]
TechSolution is a small IT security service provider which is expected to have around 50
employees over the next few years. The employees are classified into the following roles:
• CEO
• Executive Group (including CEO and other employees in leadership positions, e.g. Manager of the Software Engineering team)
• Software Engineering
• Graphic Design
• Web Development
• IT Administration
• Sales and Marketing
• Human Resources
• Finance
Some employees may take on multiple roles, e.g. an employee may be both in Software
Engineering and Web Development.
The key data resources of the company are classified as:
• Web Content
• Source Code (e.g. for non-web software)
• Multimedia Assets (e.g. images, videos, artwork)
• Trade Secrets (e.g. algorithms, formulas that give the company a significant commercial advantage over competitors)
• Financial Accounts
• Personnel Records
• Marketing Material
• Company Policies
• Meeting Records
Assume role-based access control is to be used for users in different roles to access the above
listed resources. The access rights are:
• Own: can change the access rights on the resource
• Read: can view the resource
• Write: can create, delete and modify the resource
Consider that you are responsible for IT security of TechSolution and answer the questions below.
(a) Create a table that shows the mappings from Role to Resource. Provide a brief explanation of why you chose this particular mapping. [3 marks]
The company has many trade secrets, some of which are very valuable and known only by the Executive Group (e.g. it would be a significant financial loss if a competing company knew them), some are also known by Software Engineers that implement the algorithms, while other trade secrets are important but known by a wider number of employees. The CEO has asked you to consider implementing Mandatory Access Control on the trade secrets.
(b) Explain how you could apply MAC to the trade secrets, including the levels you would use and the assignment of roles to security clearance levels. [1 mark]
The company is planning to use only passwords as the authentication mechanism for accessing computing systems. There will be no token-based or biometric authentication.
(c) Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as “must” (it is required), “should” (it is required unless there is a good reason for not applying it), or “may” (optional). Each rule must be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, “All users must use a 30 character random password” is a poor policy design (too inconvenient), as is “All users must use their last name as a password” (too insecure). [3 marks]
Question 4. Firewalls [6 marks]
An educational institute has a single router, referred to as the gateway router, connecting its
internal network to the Internet. The institute has the public address range 138.53.0.0/16 and
the gateway router has address 138.53.178.1 on its external interface (referred to as interface
ifext). The internal network consists of four subnets:
• A DMZ, which is attached to interface ifdmz of the gateway router and uses address range 138.53.179.0/24.
• A small network, referred to as shared, with interface ifint of the gateway router connected to three other routers, referred to as staff_router, student_router, and research_router. This network has no hosts attached (only four routers) and uses network address 10.4.0.0/16.
• A staff subnet, which is for use by staff members only, that is attached to the staff_router router and uses network address 10.4.1.0/24.
• A student subnet, which is for use by students only, that is attached to the student_router router and uses network address 10.4.2.0/24.
• A research subnet, which is for use by research staff, that is attached to the research_router router and uses network address 10.4.3.0/24.
In summary, there are four routers in the network: the gateway router, and routers for each of
the staff, student and research subnets. There are five subnets: DMZ, shared, staff, student, and
research.
There are two servers in the DMZ that can accept requests from the Internet: a web server supporting HTTP and HTTPS, and an SMTP email server. Members of the staff, student and research subnets can access the web server; only members of the staff subnet can access the email server, and only using IMAP.
The gateway router also runs a stateful packet filtering firewall and performs port address
translation. In addition to the DMZ setup as described above, security requirements for the
educational institute are:
• External Internet users cannot access any internal computers (except in the DMZ and as stated in other requirements).
• Staff, students and researchers can access websites in the Internet.
• The researchers (on the research subnet) run a server for sharing data with selected research partners external to the educational institute. That server provides SSH access and a specialised file transfer protocol using TCP port 6789 to the partners. The server has internal address 10.4.3.31 and NAT is set up on the gateway router to map the public address 138.53.179.44 to the internal address. Currently there are two partner organisations that can access the server, and they have network addresses 31.13.75.0/24 and 104.55.9.0/24.
• The professor that leads the research staff also wants access to the data sharing server while they are at home. At home that professor uses a commercial ISP that dynamically allocates IP addresses in the range 23.63.0.0/16.
Considering the above information, answer the following questions:
(a) Specify the firewall rules using the format of the table below, and describe the effect of each rule. [3 marks]

Rule No. | Source Address | Source Port | Dest. Address | Dest. Port | Action
---------+----------------+-------------+---------------+------------+-------
1        |                |             |               |            |
2        |                |             |               |            |
3        |                |             |               |            |
4        |                |             |               |            |

(b) Where should firewall(s) be placed in the above network? Justify your answer. [1 mark]
(c) In the above scenario there are two servers in the DMZ: a web server, and an SMTP email server. Explain how a DMZ works, and also explain the advantages and disadvantages of using a DMZ in the above network. [2 marks]
Question 5. Internet Privacy Protection [4 marks]
Encryption is commonly used to provide data confidentiality in the Internet: when two hosts communicate, other entities in the path between the two hosts cannot read the data being sent. However, encryption on its own does not protect the privacy of who is communicating. Although the other entities cannot read the data, they can determine which two hosts are communicating.
Assume you want to have privacy protection while web browsing. Normally, when your client
computer sends a HTTP GET request to a web server, the IP address of both your client
computer (C) and the web server (S) are included in the IP header of the packet. Any
intermediate node on the path between client and server in the Internet can see the values of C
and S, thereby learning who is communicating.
Three common techniques for privacy protection in the Internet, i.e. hiding both values of C and S from intermediate nodes, are:
• VPNs
• Web proxies
• Tor
(a) Explain how a web proxy works. Your explanation should include what a user needs to do when using a web proxy, what security it provides, and what its security and convenience limitations are. [2 marks]
(b) Explain the benefits and limitations a user gains by using a VPN, compared to a web proxy. [2 marks]