University of Sunderland School of Computer Science MODULE CODE: CET324 MODULE TITLE: Advanced Cyber Security MODULE ASSESSOR: Matthew Banton ASSESSMENT: 2 of 2 TITLE OF ASSESSMENT: Authentication Tokens ASSESSMENT VALUE: 60% PLEASE READ ALL INSTRUCTIONS AND INFORMATION CAREFULLY. This assignment contributes 60% to your final module mark. Please ensure that you retain a duplicate of your assignment work as a safeguard, in the unlikely event of your work being lost or corrupted online. THE FOLLOWING LEARNING OUTCOMES WILL BE ASSESSED: 2. Critical analysis of the tradeoffs of balancing the range of key security properties taking into account the concepts of trust and trustworthiness in cybersecurity 3. Application of the principles and techniques from Computer Science to deal with the complex issues involved in effectively designing and implementing computer systems whilst identifying and minimising the security risks, effectively implementing a reliable and effective security protocols and identify suitable metrics to quantify and measure levels of security IMPORTANT INFORMATION You are required to submit your work within the bounds of the University Infringement of Assessment Regulations (see your Programme Guide). Plagiarism, paraphrasing and downloading large amounts of information from external sources, will not be tolerated and will be dealt with severely. The coursework submission for this module is largely based upon your own practice, but where you do use material from other sources, for example an occasional short quote, this should be duly referenced. It is important to note that your work WILL BE SUBJECT TO CHECKS FOR ORIGINALITY, which WILL include use of an electronic plagiarism detection service.
Where you are asked to submit an individual piece of work, the work must be entirely your own. The safety of your assessments is your responsibility. You must not permit another student access to your work at any time during the inception, design or development of your coursework submission and must take great care in this respect. Where referencing is required, unless otherwise stated, the Harvard referencing system must be used (see your Programme Guide or university library website).
Submission Date and Time: Detailed in CANVAS assignment area Submission Location: Electronic submission to CANVAS assignment area Assessment This assignment consists of creating an authentication system for a group of related computing systems. You should create a system that will verify a user’s identity, determine what access level they are allowed and give that user an authentication token. That token should have security mechanisms in place to ensure that it cannot be forged or modified, either by the original genuine user or by an imposter.
You are required to create a system that will create an authentication token. This token should contain the user who requested it to begin with, and the permissions that the user has within the system. It should also include the name of the system that granted it, the time it was requested and how long it is valid for. Finally, it should include some kind of digital signature. The token should not be able to be forged (i.e. by someone wanting to pretend to be a legitimate user) or modified (i.e. by a legitimate user wanting more permissions than have been granted). You will need to think about encryption and hashing to secure the token.
Scenario You have been employed as a programmer for a small company that builds custom management tools for clients. Potential clients can specify almost every aspect of the system they are purchasing, including whether it is a web-enabled management tool or more bespoke software to run on the clients’ own systems. As you have some cyber security experience you have been tasked with designing the login interface for a client’ssystem. The client wants a token-based authentication system. A staff member should be able to register on the system, gain an authentication token and login using that token.
Task The task will be split into three sections. You will need to create the system itself, write a brief report summarising the system and do a video presentation explaining your code.
PART 1 – System Design (50 Marks) You have been tasked with creating an authentication system that will allow a group of employees to log into a group of related computing systems only once, while being able to access all of those related systems and resources. The company you are developing for have decided that authentication tokens will be perfect for their needs. The system you are developing needs to do several things: 1. Allow a user to log in 2. Issue the user with an authentication token 3. Read an existing authentication token and determine whether it is valid. The token should not be able to be forged (i.e. it should include some level of encryption) and it should not allow a user to alter it (i.e. it should include some level of hashing.)
PART 2 – Report (25 Marks) The report should include your rationale for your approach and why you have made the design decisions you have made (e.g., the chosen programming language, framework, architecture, encryption and/or hashing method etc). You should support your design decisions with appropriate literature research and references. For example, if you have chosen a specific encryption method, you should include a reference to support that choice of encryption. Guidance for the report length is 750 words.
PART 3 – Demonstration (25 Marks) Prepare up to 10 minutes of recorded visual presentation with audio showing all the features and functionalities of your implemented software. Your presentation should show at least the following aspects of your system: 1. Clear view of a generated access token. 2. All the system functionalities as stated in part one of the assignment. 3. Clear view of the source code generating the access token.
Submission Requirements The assignment deliverables should be submitted via ‘Canvas in the assignment area of the Canvas area only by the date and time shown on the front of this assignment. No paper copy should be submitted. You should submit: • A zip file containing all the code for your assignment, • A well as a Microsoft Word document containing the report • A video file in MPEG or MOV format. • The University AI Declaration form
NOTE: The assignment must be submitted to “Canvas” in the assessments area only, failure to submit an electronic copy will result in a mark of zero.
Paper submissions will not be accepted! Help with Referencing Whenever you need to refer the reader to the source of some information, e.g., a book/journal/academic paper/WWW address, provide a citation at that point within the main body of your report.
Example 1: ... as we are all now aware referencing is not trivial (Kendal, 2017)
Provide a reference list towards the end of your research paper (after your conclusions section but before any appendices) that contains:
• References, a list of books/journals/academic papers/URLs etc. that have been directly cited from within the report (see example citation above). • Any material from which text, diagrams or specific ideas have been used, even if this has been presented in your own words, must be cited within the main body of the paper and listed in the reference list. It is not enough to list this material in a bibliography.
Example 2: For Example 1, (using Harvard system) the reference list would contain the following:
Kendal S., 2017, Referencing standards, International Student Journal, Vol 55, Pages 25 – 30, Scotts Pub., ISBN 1-243567-89
This shows the authors, date published, title of paper (in single quotes), title of journal or conference (in italics), volume, page numbers, and publisher (ISBN desirable but not essential).
For further help see the following book which is available in the library: • Cite Them Right: The Essential Guide to Referencing and Plagiarism by Richard Pears and Graham Shields
An interactive online version of this guide is available by logging into My Sunderland with your User ID and password and then clicking on Me and Library Resources.
Cite Time Right Website: • University of Sunderland also provides access to the Harvard Referencing Style resources available on the Cite Them Right website Grading Criteria 0 1-39% 40-49 50-59 60-69 70-79 80-89 90-100 Missing Very Poor Acceptable Good Very Good Excellent Outstanding Exceptional System Design(50%) User Login(10%) Missing The system does not allow a user to login System allows a user to log in using a hard coded username/password combination, but will not allow a user to register System will allow a user to log in and could be expanded to allow user registration through storage of login details. System will allow a user to register and login. System will allow a user to register and login. The user's password will be hashed. System will allow a user to register and login. The user's password will be hashed. System will allow a user to register and login. The user’s password is hashed and salted Creation of Token(15%) Missing The system will not issue an authentication token System will create an authentication token using an easily broken encryption algorithm and hash function The system will create a token that either has one of easily broken encryption or a hashing function. System will create a token that uses a good system of encryption and hashing, but it may reveal the user's username, access level or hashed password. System will create a token that uses a good system of encryption and hashing. The token will not reveal any sensitive information. System will create a token that uses a good system of encryption and hashing. The token will not reveal any sensitive information. System will create a token that uses a good system of encryption and hashing. The token will not reveal any sensitive information. Reading of Token(15%) Missing The system will not read an authentication token The system will read a token, but if the token is invalid it will crash The system will read a token and determine whether it is valid but will not return a useful denial or confirmation message. The system will read a token and return a message. System will check whether the token matches the hash of the unique user. The system will read a token and return a message. The system will check whether the token matches the hash of the user. System will check token time. The system will read a token and return a message. The system will check whether the token matches the hash of the user. System will check token time. The system will read a token and return a message. The system will check whether the token matches the hash of the user. System will check token time. Code Structure(10%) Missing Code is difficult to parse and illogically structured or laid out. Functions or classes havenot been used Code may not be logically arranged or thought out. It may be confusing or difficult to parse. Code has not been structured using functions or classes Code may not be logically arranged or well thought out; however, an attempt has been made to structure the code using functions or classes Code may be confusing, but functions or classes have been used, and an attempt to manage the code structure has been made. Private class functions may not have been used. Code is well structured, and functions and classes have been used. Private class functions have been used where it makes sense. Appropriate error handling is used. Code is well structured, and functions and classes have been used. Private class functions have been used where it makes sense. Appropriate error handling is used. Code is well structured, and functions and classes have been used. Private class functions have been used where it makes sense. Appropriate error handling is used. Input is sanitized to prevent injection. Report Rationale(10%) Missing There is no or limited rationale for most or all of the design decisions There is some rationale, but the rationale is poor or poorly explained. There is a rationale for most design decisions, but the rationale could be clearer or better explained. There is a clear rationale for all design decisions, though the rationale could be better explained. There is a clear rationale for the design decisions, and the rationale is well explained. There is a clear rationale for the design decisions, and the rationale is well explainedand suits the task given There is a clear rationale for the design decisions and the rationale is excellently explainedand suits the task given. References(5%) Missing No references have been used to back up design decisions Most rationales have not been referenced. There are only useful 2 references within the document Most of the rationales have been referenced to back them up. There are 3 or 4 useful references within the document. All the rationales were referenced to back them up. There are at least 5 useful references in the document relevant to the design decision made. All rationales have been backed up with references supporting them. There are at least 7 useful citations and references throughout the document, all of which support the design decisions. All rationales have been backed up with references supporting them. There are at least 9useful citations and references throughout the document, all of which support the design decisions. All rationales have been backed up with references supporting them. There are at least 10 useful citations and references throughout the document, all of which support the design decisions. Code Snippets(10%) Missing There is no example code or code snippets, or these have not been used to discuss what the code is doing There are only 1 or 2 examples of code, or the code snippets are not well explained Most design decisions have code snippet examples, and these examples are explained. There are 3 or 4 code snippets with clear explanations. Most of the code is included within the document, with clear explanations as to its purpose and how it relates to the design decisions. Most of the code is included in the document, along with examples of code for all the main design decisions. There are clear explanations of all code, and how they relate to the design decisions made. Most of the code is included in the document, along with examples of code for all the main design decisions. There are clear explanations of all code, and how they relate to the design decisions made. All relevantcode is included in the document, including all code showcasing any design decisions. There are clear explanations of how the code relates to the design decisions. Demonstration Generated Access Token(10%) Missing There is no view of a generated access token, and there is no connection to the user the token has been generated for The access token is shown briefly, but there is no explanation for it. The access token is shown, along with an explanation of it, and the various parts of it (i.e. a signature, encrypted string, etc) - however the explanation is unclear in some parts. The access token is shown, along with a clear explanation of its various parts (signature, encrypted string, etc) The access token is shown, along with a clear explanation of all of its component parts (signature, encrypted string, etc). A rationale was provided for all component parts. The access token is shown, along with a clear explanation of all of its component parts (signature, encrypted string, etc). Agoodrationale was provided for all component parts. A generated access token is shown, with clear and logical explanation of its parts (signature, encrypted string etc). An excellent rationale is provided for all parts. System Functionality(10%) Missing There is no view of the functionalities that are required. Some of the system functionalities are shown, but the view of the code generating them is unclear, or the explanation of the code or functionality is unclear. Most of the system functionality is shown, along with the code generating the functionality. There is some explanation of the code, but some of that explanation may be unclear. All the system functionality is shown, along with clear explanations of the code generating that functionality. All system functionality has been shown, along with clear explanations of the code generating that functionality. The rationale for the code is included. All system functionality has been shown, along with clear explanations of the code generating that functionality. A goodrationale for the code is included. All system functionality is shown, along with clear explanations of the code generating the functionality. A goodrationale is included, along with clear explanations for the rationale (i.e. password was hashed and salted, as this reduced the chance of brute force attacks). Source Code(5%) Missing There is no view of the source code generating the access token There is a view of the source code generating the access token, but no explanation of the code or how it works, or the explanation is unclear. There is a view of the code generating the access token, and there is an explanation of that code that is clear. There is a view of the code generating the access token, and there is a clear explanation of the code and how it works. There is a clear view of the code generating the access token, and a clear explanation of the code and how it works. The rationale for the code and how it works is included. There is a clear view of the code generating the access token, and a clear explanation of the code and how it works. There is a goodrationale for the code,and how it works is included. There is a clear view of the code generating the access token, and a clear explanation of the code and how it works. An excellent rationale for the code and why it was coded in this way has been made.
