IN-COURSE ASSESSMENT (ICA) SPECIFICATION

Module Title: Module Leader: Chunyan Mu

System Administration and Security

Module Code: CIS-4017-N

Assignment Title: Deadline Date: 30 April 2020

Cryptography basics, security analysis, Deadline Time: 4:00pm

design and implementation
Submission Method:

Online (Blackboard)

Online Submission Notes:

 Please follow carefully the instructions given on the Assignment Specification

 When Extenuating Circumstances (e.g. extension) has been granted, a fully

completed and signed Extenuating Circumstances form must be submitted to the
School Reception or emailed to [email protected].

Central Assignments Office (Middlesbrough Tower M2.08) Notes:

 All work (including DVDs etc) needs to be secured in a plastic envelope or a folder
and clearly marked with the student name, number and module title.

 An Assignment Front Sheet should be fully completed before the work is submitted.

 When Extenuating Circumstances (e.g. extension) has been granted, a fully

completed and signed Extenuating Circumstances form must be submitted to the
School Reception or emailed to [email protected].

FULL DETAILS OF THE ASSIGNMENT ARE ATTACHED

INCLUDING MARKING & GRADING CRITERIA

Page 1
System Administration and Security
CIS4017-N SAS
ICA 2019-20

Part I Cryptography basics (30%)

RSA
1. Assume a public key for RSA encryption given by the pair (143,11). Find the private key
corresponding to this pair.
[5 marks]
2. Using the pair (143, 11), decode the encrypted message (111 4 88 57 116 67) assuming
the letters were represented by ASCII values
(recall that the ASCII values are 65->A, 66->B, … and 97->a, 98->b, …)
[5 marks]

Feige-Fiat-Shamir scheme

3. Describe in detail the simplified Feige-Fiat-Shamir accreditation scheme between Peggy

and Victor?
[6 marks]
4. Consider the simplified Feige-Fiat-Shamir scheme with parameters n=15 and r=11. Trace
with these values the contents of all the messages that Peggy and Victor will send/receive.
[6 Marks]

Diffie-Hellman protocol

5. Describe in detail the Diffie-Hellman protocol for three parties Alice, Bob and Carol.
[8 Marks]

Page 2
Part II Security analysis and design (70%)
Scenario I - Security models [15 Marks]

ABC Ltd. is a company providing security solutions to public services. You are asked to help the ABC Ltd to
design a security model for the national defence department - a part of an e-government project on secure
information control in managing troops. Assume the armed forces be classified as: {army, navy, air force,
marines}, the security levels are typed as: {high, low}.

Your tasks: You should produce a short report (around 500 words) to formalise a Bell Lapadula model to
address the confidentiality properties for the specified scenario, and to discuss the strength and weakness of
your model.

Hint: You need to describe the model (specify subjects, objects, possible operations – which can be flexible,
design your own but need to show your understanding of specifying and applying the BLP model in a real case),
the security lattice (a graph can be helpful), the policy and the security properties for the given scenario above.

Scenario II - Security Analysis and Solutions to Conference

Management Systems [25 Marks]
A conference manage system is a web-based management system which allows researchers submit research
papers, the program committee (PC) members (reviewers) to browse papers and contribute reviews, scores
and discussion, and release decisions (such as rejection or accept) via the Web. In one arrangement, the
conference chair downloads and hosts the appropriate server software.

The system allows users to submit papers, enter reviews & scores and access reviews & scores associated with
events (conferences or workshops) regarding to the role of the uses. A user is granted access to the system by
providing a role (chair, reviewer, or author) along with a user-id and associated password. Permissible roles for
each user are specified at the time a new event is added to the management system. Reviews & scores on
papers are initially assigned by chairs (chairs assign papers to reviewers for reviewing, one reviewers can be
assigned multiple papers, one paper can be allocated to multiple reviewers). Reviewing are done by reviewers.
And a chair can perform any and/or all of these actions, but a chair’s updates can only be changed by the chair.
An author, in addition to learning about his or her reviews & grades on individual papers, is entitled to learn the
acceptance statistics (but not other papers’ reviews), and the conference program.

Threat model: The adversary is a user who desires to learn the reviews & scores, changes reviews & scores, or
prevent others from learning or changing reviews & scores. The adversary has access to the management
system and also can read, delete, and/or update network messages in transit. The adversary cannot physically
access or run programs on a user’s machine that is running a browser to access the management system. And
the adversary can not physically access or run programs on the server hosting the management system.

Your tasks: You are asked to produce a report (1500-2000words) to provide contemplate descriptions of the
above Web-based Conference Management System and identify the following:
1. Assets and security properties: what objects should be protected, what security properties might we
expect the system to enforce? For each such security property, label it with one of: confidentiality,
integrity, or availability?
2. Vulnerability: explain the vulnerability in the system and use an attack tree/model to describe how an
attack could be mounted. Restrict your consideration to the threat model provided.

Page 3
 3. Protection: explain what cost-effective protections are available against the threats that you identify.
Remember the focus is on software vulnerabilities.

Hint: Assuming that the manager is not a technical person, craft your explanation in a way that can be
explained to a layman and include figures where necessary.

Scenario III- Design and Implementation of a Secure Server Network

[30 marks]
This task involves designing and implementing an Internet-connected secure server network for a medium
sized company named Smith Logistics, UK. They want to implement a secure network that uses Class C
network address with two subnets in total – server subnet and one LAN subnet and has approached you. They
have asked you for a price quote as well. But they want to see a virtual machine implementation and
simulation results before they commit to purchase anything.

You can use Virtual Machines for the implementation and the security attacks. The server network should
consist of one server, i.e. Windows2008/2012 or Linux (Ubuntu or others).
It should be connected to one workstation (at the least), i.e. Windows Server to Windows client or Linux Server
to Linux client. The workstation denotes a different LAN.

Your tasks: You should write a report with the appropriate details (2500 words max, but flexible) documenting
all that you have done including how the servers are setup, how they are tested and how the attacks are done
to them along with countermeasures. Use the tasks below as a guideline to write.

1. Using the Virtual Machines, configure ANYONE server namely Windows2008/2012 or Ubuntu(or other
Linux servers), with the following: (i) DNS server (ii) DHCP server (iii) web server. Use a client computer
to test the three servers to see if it works properly. Capture the appropriate screen shots or illustrate
that through commands and output screens. Draw a simple network or workflow diagram of your
network.
Hints:
 DNS Server: Show that the smithlogistics.com (or similar) domain name is configured and that the
clients could join it. Create some users and login in to the domain. Test what was implemented.
 DHCP Server: Show the dynamic IP address assignment with an address pool along with evidence
of clients receiving dynamic IP.
 Web server: Configure IIS and Apache with web address www.smithlogistics.com (or similar) can be
accessed from the web client. Test the web server with a sample webpage being accessed from the
client. Install an SSL certificate to make it secure.

2. Implement at least four security attacks on the servers through Kali Linux or other independent tools
and suggest countermeasures to stop them. Illustrate the attacks through commands or using GUI
tools. Capture the attacks through screen shots or graphs or tables.

3. Show the detailed cost of implementing your solution, in a table format. You can try to show two
different costs for the company to choose from.
Hints: Research on the costs of servers (hardware and software), switches, workstations, cables, etc.

4. Show all references used in the report, using appropriate referencing.

Hints: Harvard referencing can be used and make sure the format is fully followed.

Page 4
Deliverable and deadline

You should submit your report as a PDF document via Blackboard by the deadline of 1600hrs 30
April 2020.

Advice and assistance

Consult the module leader during a scheduled session or email the module leader.

Assessment criteria

The criteria below is necessarily incomplete as we cannot anticipate every possible ICA submission.

Grade Part I (30)

5 marks for correct solutions of the private key and details provided;
Q1 (5) if correct p is given: 2 marks;
if correct q is given: 2 marks.
Q2 (5) 5 marks for correct decrypt message and details provided;
4 marks if understanding shown but final computation is incorrect,
1 mark for one correct part of the message.
Q3 (6) 1 mark for each step.
Q4 (6) 1 mark for each step.
Q5 (8) 2 marks for each step.

Grade Part II : scenario I (15)

State machine (5) Sound description of the model
Security lattice (3) Correct description on the partial ordering of the security labels
Security properties (3) 1 mark for each property.
Strength and weakness (2) 1 mark for each.
Writing and reference (2)

Grade Part II: scenario II (25)

Excellent

75%/85%/95% An excellent understanding of modern information and network security

properties and system threat & vulnerabilities is demonstrated with excellent
links to the specified scenario. There is clear evidence of work beyond taught
material.

An excellent analysis of security protection techniques and their application

is demonstrated in relation to the specified scenario. There is clear evidence
of work beyond taught material.

Page 5
 A very clear and readable report, with excellent structuring, good use of
grammar and referencing. Document submitted as PDF.

Substantially correct/appropriate (based on taught material & module

requirements)
65%
A very good understanding of modern information and network security
properties and threats is demonstrated with clear linkage to the specified
scenario.

A very good analysis of security protection techniques and their application is

demonstrated in relation to the specified scenario.

A clear and readable report, with appropriate structuring and

referencing. Document submitted as PDF.

Minor errors/omissions/issues

A generally/mostly good understanding of modern information and network

security properties and threats is demonstrated with clear linkage to the
specified scenario.
55%
A generally/mostly good analysis of security protection techniques and their
application is demonstrated in relation to the specified scenario/task.

A clear and readable report, with minor errors in writing, structure or

referencing. Document submitted as PDF.

Major errors/omissions/issues

A limited understanding of modern information and network security

properties and threats is demonstrated and/or limited linkage to the
specified scenario.
45%
A limited analysis of security protection techniques and their application is
demonstrated in relation to the specified scenario/task.

A report, with major issues of writing, structure or referencing. Document

submitted as PDF.

35% Unsatisfactory

A very limited understanding of modern information and network security

properties and threats is demonstrated.

A very limited analysis of security protection techniques and their application

is demonstrated.

A report that is difficult to read or comprehend but includes some attempt at

Page 6
 structure and referencing OR document is not submitted as a PDF.

Inadequate

Little to nothing demonstrated in relation to modern information and

20%
network security properties and threats.

Little to no analysis of security protection techniques and their application.

A report that is very difficult to read and comprehend, and makes no attempt
at referencing.

Grade Part II: scenario III (30)

One server (Windows or Linux) with 3 services and correct configuration (6 marks);
Task 1 (12) SSL creation and installation (2 marks);
One work station and its configuration (2 marks);
Network diagram (2 marks)
Task 2 (8) 2 marks per attack.
Task 3 ( 7) Cost of implementation (one server, client, switch, router for Internet and LAN)
Task 4 ( 3) Professional writing and good use of reference.

Page 7