INM443 Cryptography

MSc in Cyber Security
MSci in Computer Science with Cyber Security

Ethical Hacking (Term 1)

Description

The scope of this coursework is to sharpen your computing skills and to practise security in computing/communication systems. In term 1, you play the role of an ethical hacker. Note that an ethical hacker is an expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit.

You are challenged to identify flaws in an e-commerce company's network device, e.g. an SQL server, which contains customers' private data. In particular, you will need to break the SQL server's crypto components and retrieve the customer's encrypted credit card secret code (3-digit) held by the e-commerce company. The crypto algorithm used to encrypt the credit card secret code is RSA with weak security components. A weak password is also applied to the administrator account (admin). More information is in the Coursework Manual file in MOODLE.

Output/Report Structure

You are expected to document in detail your methodology and work plan to achieve your goals. Your submitted report should have the following structure and include the following information (use screenshots to justify your work):

TERM 1: Report Structure/Contents

1. Work Plan (Team Work)

In this section identify the network system you will attack (i.e., OS software installed, IP addresses). In addition, discover your environment by creating a map diagram/figure of the computer network found in the company.

[10 marks]

2. Breaking the system (2000-3000 words)

In this section identify potential methodologies of attacking the system. As an example:

a) Perform a dictionary attack on the admin password to gain access to the SSH server. Justify your answer. Clever solutions will earn full marks. Note that in a real-life environment your dictionary or username files are very large. [20 marks]

b) Cryptanalyze (by hand) the encrypted email which you will find in your mailbox to gain useful information. Provide details. Clever solutions will earn full marks. (Consider that you don't have access to online resources.) [20 marks]

c) Brute force the admin account password in the SQL server to access the database. Clever solutions will earn full marks. How would you approach the brute force if the database is too large? [20 marks]

d) Retrieve the customer's credit card secret code from the accessed database and find the RSA private key d. The RSA public key e must be calculated using Shamir's secret sharing scheme in a 4-member group (see Table 1 - Coursework Manual pdf file). This part can be a group/team effort. [20 marks]

e) Decrypt the secret code using the SageMath tool (more in tutorials). Clever solutions will earn full marks. Discuss in the report how you would decrypt the code if you did not have access to RSA tools. Justify your answers. [10 marks]

4. Concluding Remarks

Conclude your work and summarise what you have achieved/what went wrong (if any) in this coursework.

Grading Criteria

Your mark will cover the coursework assessment component found in the module specifications for INM443. The exact weighting of the current security assessment report is shown below:

- INM443 Cryptography module (coursework: 30%)

Note that Coursework Report Marking follows the University Assessment and Feedback Policy: https://www.city.ac.uk/__data/assets/pdf_file/0009/365292/Assessment-and-Feedback-Policy-Senate-October-2016-2.pdf

Submission Dates

INM443 MSc/MSci students: The final report submission is due on the 8th of December (17:00). It is essential to upload a single report in MOODLE under the “Submission Coursework” area.

Working environment

Instructions on your working environment will be given in the tutorials/labs of Cryptography (INM443).