Computer Security 4th Year

You can use any programming language for these projects. The projects will be evaluated as black boxes. Each student should complete all parts of her/his project personally. Cheating will be treated harshly. If two students share a project (and report this!!) each will get a maximum of 80%. At most three students can share a project (and report that beforehand!!) to get a maximum of 60% each. Deadline of all projects is May 29th 2010. You must select your project by April 3rd 2010 and register it with Dr. Yasser. You will not be allowed to change your project after April 10th 2010 for ANY reasons. Some projects will get extra credit if completed adhering to the specification and based on qualitative judgment of the instructor. The maximum possible grade of each project is written with its name. You can suggest new projects (using email and before April 3rd 2010) and we will inform you about the maximum grade for these projects by April 3rd 2010. Project discussion will be personal even in case more than one students had collaborated in the same project(s).

1. Safe Chat (MAX 10)

A chatting system that supports confidential communication, authentication of users using only passwords, and optionally non-repudiation.

2. Obfuscating compiler for a scripting language (MAX 12)

Write a program (in any language you like) that reads a Javascript code segment and obfuscate it so that it is not easily readable. No need to be perfect (it is very hard to be perfect in this). The quality of the project will be judged by how difficult it will be to read the final javascript.

3. BAN logic use in analyzing security protocols (Kerberos and SSL) (MAX 10)

This is NOT programming. Learn BAN logic and its use in analyzing security protocols and use it to evaluate Kerberos and SSL security.

4. Kerberos without timestamps (MAX 11)

Simply re-design Kerberos Ver. 4 exchange to use no time stamps. Hint: use nonces. Implement the resulting protocol

5. Replacing Login Process in Windows (MAX 12)

Until Windows XP this could be done by what is called a GINA DLL. Since Windows VISTA you need to write a Credential Provider. In this project you should replace the GUI logon dialog of any version of Windows since XP with your own dialog that should use standard UNIX pass files for authentication.

6. Linux PAM module (MAX 12)

Write a simple Linux PAM module that checks user's password strength against brute force attacks.

7. Authentication using Face Recognition (MAX 14)

Write a C++ program to authenticate users using a single camera. You can use any free libraries for face detection BUT you MUST write your own face recognition code.

8. Firewall Implementation (MAX 12)

The purpose of this project is to provide a prototype implementation of a firewall, based on RFC 1928 (SOCKS Protocol Version 5). The firewall toolkit from Trusted Information Systems may be used as a starting point. The firewall should handle forwarding of Telnet, HTTP, FTP, and SMTP traffic. http://www.fwtk.org/

9. Anonymous Message Broadcast (MAX 12)

Anonymous message broadcast is a scheme based on the famous Dining Cryptographers Problem. The purpose of anonymous message broadcast is to enable clients to be able to communicate among one another without divulging the identity of who said what. All the chat participants are, however, aware of who the other participants are. A useful application of this type of system can be having discussion between, for example, a manager and her employees, in which none of the employees wanted the manager to know who said what. Although the manager maybe able to guess, she will not have a way of conclusively proving it (i.e. by performing some kind of IP trace).

Implement a system composed of two components: the Server software and the Client software. The Server software is where the communication is hosted and clients must connect and authenticate with the server in order to participate in a discussion. The client software implements the mechanism required for the client to anonymously communicate with the server. Discussions are formed in groups that are pre-configured on the server. In order for the discussion to take place all the group members must be present. The reason this is done will become clear later on in the discussion. The group is assigned a single password that all members must know in order to be able to authenticate with the server. A client has to enter their name as well in order to initially identify himself with other group members so that everyone is aware of who is currently present in the discussion.

10. Web Based Secure Purchase Order (MAX 12)

Implement a secure purchase order system that allows the user to enter a purchase request and routes it (by secure email) to a supervisor for signature and then to the purchasing department.

• All user interactions will be Web-based.

• All connections between parties will be preceded by public-key mutual authentication.

• The signatures of both the purchaser and the supervisor will be public key based, and will be performed on a hash of the purchase order. The signature of the purchaser will be sent to both the supervisor and the orders department along with a timestamp. If an order is approved by the supervisor, the orders department can cross-check the digest signed by the supervisor with the digest signed by the purchaser. The signature and time-stamping is obviously important in preventing repudiation. I am purposely ignoring the possibility that a user will "publish" their key to back up a repudiation. Ideally, the user's key will not be easily accessible and, since the whole process takes place in one organization, the possible means of revealing a key are very limited. The biggest threat is a user using another user's machine the forge an order.

• All messages will be encrypted using RSA public-key cryptography. Depending on performance (and time) this might be optimized by using RSA to only send a one-time secret key.

11. An Evaluation of SDSI: A Simple Distributed Security Infrastructure (MAX 9)

NO PROGRAMMING: SDSI is a proposal for a public-key security infrastructure designed to provide an efficient and secure means of defining group membership and certification of such groups that is being developed by Ronald Rivest of MIT and Butler Lampson of Microsoft.

Some of the design goals of the SDSI proposal are:

• To design a public-key infrastructure that is simpler than existing proposals (such as X.509-based schemes) by not requiring global certificate hierarchies.

• To borrow from and expand upon similar design efforts (such as that of the IETF SPKI: Simple Public-Key Infrastructure working group)

• To provide ideas and techniques that facilitate the construction of secure systems by providing simple clear data structures and emphasizing clarity and readability at the expense of economical encodings, although efficient representations of its data structures are provided.

For this project

• Provide a functional description of SDSI.

• Identify issues with the way it handles group-membership and certification.

• Identify its strengths and weaknesses with respect to it actually being placed into general use (e.g., complexity and performance issues).

http://theory.lcs.mit.edu/~cis/sdsi.html

12. GSM Security and Encryption (MAX 9)

NO PROGRAMMING: The motivation for security in cellular telecommunication systems is to secure conversations and signaling data from interception as well as to prevent cellular telephone fraud. Investigate the security system embedded in GSM (Group Special Mobile) system, which is a European standard, is currently in use on almost every continent. Topics to cover: overview, authentication, signaling and data confidentiality, subscriber identity confidentiality, encryption algorithms, and conclusions.

http://www.gsmworld.com/index.shtml