202**024 ASSESSMENTS Undergraduate Individual Programming Assessment Weighting [30%] SCC.363 Security and Risk Academic Honesty and Integrity Students at Lancaster University are part of an academic community that values trust, fairness and respect and actively encourages students to act with honesty and integrity. It is a University policy that students take responsibility for their work and comply with the university’s standards and requirements- found in the Manual of Academic Regulations and Practice. By submitting their answers students will be confirming that the work submitted is completely their own. By submitting their answers the group of students will be confirming that the work submitted is that of the group. Academic misconduct regulations are in place for all forms of assessment and students may familiarise themselves with this via the university website: https://www.lancaster.ac.uk/academic-standards-and-quality/regulations-policies-andcommittees/manual-of-academic-regulations-and-procedures/ Plagiarism Plagiarism involves the unacknowledged use of someone else’s work and passing it off as if it were one’s own. This covers every form of submitted work, from written essays, video vignettes, and coding exercises. However, deliberately plagiarism with the intent to deceive and gain academic benefit is unacceptable. This is a conscious, pre-meditated form of cheating and is regarded as a serious breach of the core values of the University. More information may be found via the plagiarism framework website. All coursework is to be submitted electronically and will be run through our plagiarism detection mechanisms. Please ensure you are familiar with the University's Plagiarism rules and if you are in any doubt please contact your module tutor. https://www.lancaster.ac.uk/academic-standards-and-quality/regulations-policies-andcommittees/principles-policies-and-guidelines/plagiarism-framework/ General Guidance: This is an individual assessment that will count for 30% of your overall mark for this module. Learning objectives • Develop appreciation and understanding of security concepts. • Formulate troubleshooting methods to identify/solve problems. • Evaluate information to argue solution choices critically. • Effectively communicate ideas. Submission requirements Prepare and submit your coding solutions on Coderunner. For all coding solutions, you must use Python3. You can use modules from standard Python3 and cryptography.io. Your code should include appropriate comments explaining what you do and why. All implementations must be in Python3, and the cryptography.io library must be used for any cryptographyrelated functions (if needed). If you must consider padding in any task, you should use PKCS7. Your code should include appropriate comments explaining your solution. Example of the type of comments you SHOULD AVOID -- the comments don't explain the solution: def avalancheCalculator(string1, string2): # I hash the strings and generate the hexdigest values hexstring1 = hashlib.sha256(string1.encode()).hexdigest() hexstring2 = hashlib.sha256(string2.encode()).hexdigest()
# I convert the hexdigest to integers int1 = int(hexstring1, 16) int2 = int(hexstring2, 16) # I XOR the integers intResult = int1 ^ int2
# I return the 1's in the binary representation. return ( bin(intResult).count('1') ) Examples of types of comments that provide adequate information – the comments explain the solution to the problem: def avalancheCalculator(string1, string2): # A solution to the problem is to xor the integer representation # of the two values and count in the resulting int the number of bits # having the value of 1. hexstring1 = hashlib.sha256(string1.encode()).hexdigest() hexstring2 = hashlib.sha256(string2.encode()).hexdigest()
# The "1"s in the binary representation of the XOR operation # represent which bits from int1 and int2 are different. # This is due to applying the XOR operation. 0^1 = 1, 1^0 = 1 # Counting the "1"s will provide how many bits differ return ( bin(intResult).count('1') ) You have to upload the implementation of your functions on CodeRunner. Marking Guidelines: • You have to answer all three (3) tasks. Marks will be allocated based on the clarity of your solution, comments in the code, and correctness. More information is provided within the individual questions. • The name of functions, type/number of variables, and return values must follow the tasks’ guidelines. Failing to adhere to this may result in not receiving marks. Deadline for submissions: Friday 16 th February 16:00 TASK 1 -------- You are provided with the ds_hash hash function. The function receives a finite message as input and produces a non-negative integer, which we consider to be the hash value of the given message. The size of input messages is fixed and always equals 64 bytes. Implement an appropriate attack to check if the hash function ds_hash is strong collision resistant. Your alphabet should include all lower-case and upper-case letters of the English alphabet and all numbers from 0 to 9. # -- START OF YOUR CODERUNNER SUBMISSION CODE # INCLUDE ALL YOUR IMPORTS HERE def ds_hash(message: str) -> int: hash_value = 0 for ch in message: hash_value = (hash_value * 71) + ord(ch)
return hash_value & 0x7FFFFFFF def myAttack() -> bool: # YOUR IMPLEMENTATION return # True or False # -- END OF YOUR CODERUNNER SUBMISSION CODE #You can test your code in your system (NOT IN YOUR CODERUNNER SUBMISSION) as follows: # MAIN if __name__ == "__main__": print( myAttack() ) Marking scheme: This task's weight is 35% for providing a valid attack and commenting on your code. TASK 2 -------- Implement an HMAC based on the RFC-2104 definition (Section 2). The RFC is available at the following link: https://www.rfc-editor.org/rfc/rfc2104 Below is the extract from the RFC that describes how the HMAC can be implemented, and this is what you need to implement. The text is amended to provide specific information about the selected H cryptographic hash function, i.e., SHA256. The definition of HMAC requires a cryptographic hash function, which we denote by H, and a secret key K. In your implementation, assume H to be the SHA256 cryptographic hash function. We denote by B the byte-length of such blocks (B=64 for SHA256), and by L the byte-length of hash outputs (L=** for SHA256). The authentication key K can be of any length up to B, the block length of the hash function. Applications that use keys longer than B bytes will first hash the key using H and then use the resultant L byte string as the actual key to HMAC. In any case the minimal recommended length for K is L bytes (as the hash output length). We define two fixed and different strings ipad and opad as follows (the 'i' and 'o' are mnemonics for inner and outer): ipad = the byte 0x36 repeated B times opad = the byte 0x5C repeated B times. To compute HMAC over the data `text' we perform H(K XOR opad, H(K XOR ipad, text)) Namely, (1) append zeros to the end of K to create a B byte string (e.g., if K is of length 20 bytes and B=64, then K will be appended with 44 zero bytes 0x00) (2) XOR (bitwise exclusive-OR) the B byte string computed in step (1) with ipad (3) append the stream of data 'text' to the B byte string resulting from step (2) (4) apply H to the stream generated in step (3) (5) XOR (bitwise exclusive-OR) the B byte string computed in step (1) with opad (6) append the H result from step (4) to the B byte string resulting from step (5) (7) apply H to the stream generated in step (6) and output the result The function's name has to be CustomHMAC and defined as follows. # -- START OF YOUR CODERUNNER SUBMISSION CODE # INCLUDE ALL YOUR IMPORTS HERE def CustomHMAC(key: bytes, text: str) -> str: # YOUR IMPLEMENTATION return # YOUR RESULT # -- END OF YOUR CODERUNNER SUBMISSION CODE #You can test your code in your system (NOT IN YOUR CODERUNNER SUBMISSION) as follows: # MAIN if __name__ == "__main__": k = os.urandom(16) # k is <class 'bytes'> txt = "hello world!!!!" # txt is <class 'str'>
print( CustomHMAC(k, txt) ) # The output will be a string of hexadecimal values, e.g.: a51b … 35fa
You can debug your code against the result from the following function: from cryptography.hazmat.primitives import hashes, hmac def HMAC_from_Cryptography(key: bytes, text: str) -> str: h = hmac.HMAC(key, hashes.SHA256()) h.update(text.encode()) signature = h.finalize().hex()
return signature Marking scheme: This task's weight is 40%, which will be allocated equally for correctly implementing the steps and commenting on your code. TASK 3 -------- Using the AES-ECB encryptor from the cryptography.io module, implement the AES mode in Figure 1. You can instantiate an AES-ECB encryptor as follows: from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes key = # SELECT AN APPROPRIATE KEY FOR AES cipher = Cipher(algorithms.AES(key), modes.ECB()) encryptor = cipher.encryptor() Figure 1 - The figure describes a mode of AES for encrypting plaintext to ciphertext The function's name has to be CustomAESmode and defined as follows: # -- START OF YOUR CODERUNNER SUBMISSION CODE # INCLUDE ALL YOUR IMPORTS HERE def CustomAESMode(key: bytes, iv: bytes, plaintext: str) -> str: # YOUR IMPLEMENTATION return # THE CIPHERTEXT # -- END OF YOUR CODERUNNER SUBMISSION CODE #You can test your code in your system (NOT IN YOUR CODERUNNER SUBMISSION) as follows: # MAIN if __name__ == "__main__": key = bytes.fromhex("06a9214036b8a15b512e03d534120006") iv = bytes.fromhex("3dafba429d9eb430b422da802c9fac41") txt = "This is a text"
print( CustomAESMode(key, iv, txt) ) # The result using the above input should be: 1827bfc04f1a455eb101b943c44afc1d Marking scheme: This task's weight is 25%, which will be allocated equally for correctly implementing the steps and commenting on your code. 如有需要,請加QQ:99515681 或WX:codehelp
