T. Andrew Yang
Last updated: August 22, 2011
CSCI 5234 Web Security

Note: Total points: 100

1.A (5 pts) Visit the class discussion group in this class's Blackboard page (see the syllabus page). Throughout this class, you are responsible for regularly visiting the discussion group to find recent announcements, reminders, and discussions. Send a brief message to the discussion group to introduce yourself (including your full name) and one item you most desire to learn in this class.

1.B A refresher of Java security: Study the source code of SignatureAuthenticationClient.java and SignatureAuthenticationServer.java, both of which are available at http://sce.uhcl.edu/yang/teaching/proJavaSecurityCode.html.

1) (15 pts) Run the programs and hand in appropriate screen snapshots to show the execution results. Add a statement to the beginning of each program such that the first output line shows your full name. Attach the screen output as part of this assignment.

2) (10 pts) When receiving a digital signature from the client, how does the authentication server verify the client's signature? That is, how would the server know that the signature is really the client's?

1.C Study the textbooks and/or applicable web sites to find answers to the following questions. Online glossaries such as those listed in the syllabus page may also be used. Note: It is important that you clearly identify the source(s) of your information.

1) (5 pts) What is a 'man-in-the-middle attack'?
2) (5 pts) What is a 'replay attack'?
3) (5 pts) Is a replay attack a type of man-in-the-middle attack? Justify your answer.
4) (5 pts) What is 'pagejacking'?
5) (5 pts) What is a 'session hijacking attack'?
6) (5 pts) What is 'web access management'?
7) (5 pts) What is 'end-to-end security'?
8) (5 pts) Explain what 'input sanitization' is and why it is critical for secure web operations. Note: Your discussion may be related to the setuid command and/or HTML form processing. You may want to refer to this link.
9) (5 pts) What is 'out-of-band communication'?
10) (5 pts) What is 'two-factor authentication'? Why is using more than one factor important in authenticating a user?
11) (5 pts) What is a 'server certificate'?
12) (5 pts) How is a 'server certificate' used in providing authentication in a Web-based application?
13) (5 pts) What is a 'payment gateway'?
14) (5 pts) In a network, there are two general forms of authentication service: data origin authentication service and peer entity authentication service. Explain their relationships (common features vs. differences).

Total points: 100

2.A Authentication & Certificates

1) (25 pts) Extend the authentication example programs from Assignment 1 such that mutual authentication is supported. That is, the client should be able to verify the server's identity before sending its signature to the server.

a. Explain what revisions are needed to add this feature to the sample programs. Attach the revised source code of the programs.
b. Attach screen snapshots that illustrate mutual authentication between the server and the client.

2) (25 pts) In the authentication example programs, it is assumed that the server already has the correct public key of the client. In real-world applications, this is usually achieved by the client sending a certificate to the server. Modify the original authentication example programs by adding a step in which the client sends its certificate to the server. On receiving the client's certificate, the server first verifies the certificate to determine whether it is trustworthy and, if so, extracts the client's public key from the certificate (in order to verify the client's signature later).

2.B Read VeriSign's Technical Brief "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services", and answer the following questions:

1) (5 pts) To succeed in the fiercely competitive e-commerce marketplace, businesses must become fully aware of Internet security threats, take advantage of the technology that overcomes them, and win customers' trust. Internet security threats are discussed in this article. With respect to each of the security goals (that is, confidentiality, data integrity, origin integrity, availability, and nonrepudiability), choose a threat as an example violation of that security goal.

2) (5 pts) In section IV, it is stated that "SSL server certificates satisfy the need for confidentiality, integrity, authentication, and nonrepudiation". Do you agree with the statement? Justify your answer by arguing for or against the statement.

3) (5 pts) What necessary functions to establish e-commerce trust are fulfilled by SSL server certificates? Explain how.

4) (5 pts) What size of private key should a web administrator select in order to establish a 128-bit SSL server certificate using VeriSign's Global Server ID?

5) (5 pts) In complex, multiserver environments, SSL server certificates must be used carefully in order to satisfy the three requirements of online trust. Explain what the requirements are in multiserver environments.

6) (5 pts) Explain the term Fail-Safe Backup.

7) (5 pts) Explain what Load Balancing means.

8) (5 pts) Explain the relationship between 'transport security' and 'system security'.

2.C Answer the following questions, based on the paper "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure" (Ellison and Schneier, 2001; local copy is here).

1. (5 pts) In the paper, the authors discuss ten types of risks associated with certificates and PKI. Risk #4, for example, is related to "Which John Robinson is he?" Explain what this risk means and its implications for web security.

2. (5 pts) Identify a risk which you think is most related to web security. Explain what the risk is and why you think it would have a major impact upon the security of a web application.

Note: This is an individual project. The goal of this project is for you to visit refereed publications (as well as some relevant web sites) to perform a detailed investigation of a chosen research topic. The topic you choose ideally should be related to Web technologies and their security issues/control. See sample research projects for some potential topics. If you need suggestions when choosing the topic, feel free to discuss it with the instructor.

Items to be submitted:

A preliminary abstract of your presentation topic is due early in the semester. Each student should publish his/her abstract in the class discussion board by the due date. The abstract should be 1-2 pages long and contain the following sections:

(1) Class name (i.e., CSCI5234 Web Security)
(2) Your name and an email address that you check regularly (that is, at least once a day)
(3) Topic of your investigation
(4) General description of the topic
(5) Why is the topic worth investigating? How is it related to web security?
(6) Survey of related work. Discuss at least three articles related to the topic. VERY Important: Make sure you properly cite the work of other researchers or professionals. Visit http://sce.uhcl.edu/yang/citing.htm for more information about cited references. Warning: Missing or improperly cited references in your abstract and final report will result in a poor score for your presentation.
(7) A tentative outline (agenda) of your final report, that is, the sections/subsections that you plan to include in the final paper.
1. The written report should include your findings about the chosen topic.

   1. A draft of the final report should be published in the class discussion group to solicit comments from your classmates and the instructor. Warning: Missing or improperly cited references in your abstract and final report will result in a poor score for this assignment.

   2. The following is a suggested outline of your final report:
      i. Title
      ii. Your name (and email address)
      iii. An abstract (50-100 words)
      iv. Introduction to the topic
      v. Significance of the chosen topic with respect to the security of web-based applications
      vi. Survey of related work
      vii. Your findings
      viii. Future work: research ideas and projects possibly related to the topic
      ix. Conclusion
      x. Appendix (if any)
Each team shall select one of the projects from the project list and notify the instructor of the chosen topic. A detailed design, along with a prototype, is due for in-class presentation and demo around midterm time (that is, "project 1 demo" in the syllabus page). If you'd like to have an individual programming project, be sure to check with the instructor first concerning the nature of your project.
1) The design of your project shall consist of three or more tiers, including the front tier (a web client), the middle tier (a web application), and the back tier (a DBMS). The front tier provides the web clients a proper user interface to the web application, which processes the clients' requests and, if necessary, forwards the requests to the DBMS at the back end.

2) In your design, potential vulnerabilities of the whole application shall be identified and discussed.

3) The prototype shall properly demonstrate how the three tiers would work together, although details may be filled in later in the project. If you have any doubt concerning what should be completed in each stage of the project, feel free to consult the instructor.
1) Preliminary Design

a. The preliminary design of your project should illustrate the system architecture (front end, middle tier, back end, etc.) of the application you plan to build.

b. Identify the potential vulnerabilities of the application. For each of the vulnerabilities, propose at least one appropriate mechanism that you plan to implement to counter that vulnerability. Note: Do not limit yourself to user authentication. In addition to authentication, vulnerabilities associated with secure communications between the web browser and the web server, and between the server-side application(s) and the database server, should be taken into consideration. Appropriate methods such as SSL/TLS should be used to provide secure data transmission.
c. Publish your preliminary design in the class discussion board to solicit your classmates' and the instructor's comments.

2) Detailed Design and Prototype Demonstration

a) Each team should publish, in the discussion group, its project's detailed design, which contains the following:
   · A UML diagram illustrating the design of the application, the source programs, a readme file explaining how the source programs would be used or installed, as well as any specific configuration files and/or steps.
   · A relational database model for the data stored in the database server.
   · A list of at least four vulnerabilities in your application and the mechanisms that you plan to implement in your application to mitigate those vulnerabilities.

b) Each team needs to give an in-class demonstration of the prototype. See the class schedule for the demo date.

3) Final report

The final project report should contain the system architecture, the final detailed design, the source programs (if applicable), and responses to comments made by the instructor and the classmates. Publish the final project report in the class discussion board. Note: Security features you proposed in the detailed design should have been successfully implemented in your final application. When possible, demonstrate the security features.