T. Andrew Yang

Email: yang@uhcl.edu

Web page : http://sce.uhcl.edu/yang/

Tel.: (281) 283-3835

Last updated: Jan. 21, 2009

CSCI 5234 Web Security
Spring 2009


Note:
In composing your answers, make sure you give the original author(s) the necessary credits if your answer contains information from sources other than your own brain. :-)
Please refer to http://sce.uhcl.edu/yang/citing.htm if more information is needed in using proper citing.

 


Assignments

Assignment 1

1.A (5 pts) Visit the class discussion group (see the syllabus page) and join the group as a member.  Throughout this class, you are responsible for regularly visiting the discussion group to find recent announcements, reminders, and discussions.  Alternatively, you may set up the account so messages posted to the group will be automatically forwarded to your chosen email account. Print out the confirmation message in response to your membership request, and attach it to this assignment.

1.B  A refresher of Java Security

  1. (10 pts) Run the sample programs in the authentication example (pp. 140-152) of the GS book. Source code is available at http://sce.uhcl.edu/yang/teaching/proJavaSecurityCode.html.
    1. Run the programs and hand in appropriate screen snapshots to show the execution results. Add a statement to the beginning of the programs such that the first output line shows your name. Attach the screen output as part of this assignment.
    2. Question: When receiving a digital signature from the client, how does the authentication server verify the client's signature? That is, how would the server know that the signature is really the client's?
  2. (20 pts) Extend the authentication example programs such that mutual authentication is supported. That is, the client should be able to verify the server's identity before sending its signature to the server.
    1. Explain what revisions are needed to add this feature to the sample programs. Attach the revised source code of the programs.
    2. Attach screen snapshots that illustrate mutual authentication between the server and the client.
  3. (20 pts) In the authentication example programs, it is assumed that the server already has the correct public key of the client. In real-world applications, this is usually achieved by the client sending a certificate to the server. Modify the original authentication example programs by adding a step in which the client sends its certificate to the server. On receiving the client's certificate, the server first verifies the certificate to determine whether it is trustworthy and, if it is, extracts the client's public key from the certificate.
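The two extensions asked for above (mutual authentication, and verifying the peer's certificate before trusting the public key inside it) follow the same pattern in any language: the verifier issues a fresh nonce, the prover signs it and presents its certificate, and the verifier checks the certificate against its trust anchor before it uses the certified key to check the signature. The program below is an added illustration of that pattern and is not code from the GS book or from this course. It is written in Go rather than Java only because Go's standard library can mint the test certificates inline, so the whole thing runs offline; the toy CA ("Example Class CA"), the Ed25519 keys, and the names party, newCert, authenticatePeer, challenge, mutualAuth and setup are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// party holds one side's credentials: its certificate and the matching private key.
type party struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// newCert makes a key pair and certificate for name (generated here for the example; real systems
// load them from a keystore). issuer == nil means self-signed; ca marks a CA; eku pins the role.
func newCert(name string, serial int64, ca bool, eku x509.ExtKeyUsage, issuer *party) (party, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return party{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return party{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return party{cert, key}, err
}

// authenticatePeer is the verifier's side (assignment 1.B, items 2 and 3): trust the certificate
// first, only then take the public key out of it, then check the signature over our own nonce.
func authenticatePeer(cert *x509.Certificate, sig, nonce []byte, roots *x509.CertPool, role x509.ExtKeyUsage) (ed25519.PublicKey, error) {
	// Empty KeyUsages means ServerAuth, so a server checking a client cert must ask for ClientAuth.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{role}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey) // extracted only after the trust check
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return nil, fmt.Errorf("signature does not verify under the certified key")
	}
	return pub, nil
}

// challenge: fresh nonce to the prover, its signature and certificate back, then authenticatePeer.
func challenge(prover party, roots *x509.CertPool, role x509.ExtKeyUsage) (ed25519.PublicKey, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sig := ed25519.Sign(prover.key, nonce) // the prover's only step
	return authenticatePeer(prover.cert, sig, nonce, roots, role)
}

// mutualAuth: the server proves itself first, so the client signs nothing for an unverified server.
func mutualAuth(roots *x509.CertPool, client, server party) error {
	if _, err := challenge(server, roots, x509.ExtKeyUsageServerAuth); err != nil {
		return fmt.Errorf("client rejects server: %w", err)
	}
	if _, err := challenge(client, roots, x509.ExtKeyUsageClientAuth); err != nil {
		return fmt.Errorf("server rejects client: %w", err)
	}
	return nil
}

// setup builds the toy CA and enrolls one client and one server under it.
func setup() (roots *x509.CertPool, client, server party, err error) {
	ca, err := newCert("Example Class CA", 1, true, x509.ExtKeyUsageAny, nil)
	if err == nil {
		client, err = newCert("client", 2, false, x509.ExtKeyUsageClientAuth, &ca)
	}
	if err == nil {
		server, err = newCert("server", 3, false, x509.ExtKeyUsageServerAuth, &ca)
		roots = x509.NewCertPool()
		roots.AddCert(ca.cert)
	}
	return
}
```

Calling setup and then mutualAuth returns a nil error for the two enrolled parties. The same functions reject the cases the assignment is about: a self-signed certificate that merely claims the name "client" fails inside cert.Verify before its key is ever used, a client certificate presented in the server role fails the extended-key-usage check, and a signature made with some other key fails against the certified key. Ordering the directions so that the server proves itself first is what stops the client from handing its signature to an unverified server.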

1.C  Study the textbooks and/or applicable web sites to find answers for the following questions. Online glossaries such as those listed in the syllabus page may also be used. It is important that you clearly identify the source(s) of your information.

  1. (10 pts) Explain what 'input sanitization' is and why it is critical for secure web operations. Note: Your discussion may be related to the setuid command and/or html form processing. You may want to refer to this link.
  2. (10 pts) What is 'two-factor authentication'? Why is using more than one factor important in authenticating a user?
  3. (10 pts) What is a 'server certificate'? How is it used in providing authentication in a Web-based application?

 

Assignment 2

2.A Read VeriSign's Technical Brief "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services", and answer the following questions:

    1. (5 pts) To succeed in the fiercely competitive e-commerce marketplace, businesses must become fully aware of Internet security threats, take advantage of the technology that overcomes them, and win customers’ trust. What are the Internet security threats discussed in the article? Classify each of the threats as violation of one of the security goals, that is, confidentiality, data integrity, origin integrity, availability, and nonrepudiability.
    2. (5 pts) In section IV, it was stated "SSL server certificates satisfy the need for confidentiality, integrity, authentication, and nonrepudiation". Do you agree with the statement? Justify your answer by arguing for or against the statement.
    3. (5 pts) What necessary functions to establish e-commerce trust are fulfilled by SSL server certificates? Explain how.
    4. (5 pts) Explain the differences between the 40-bit SSL server certificates and the 128-bit SSL server certificates.
    5. (5 pts) What size of private key should a web administrator select in order to establish a 128-bit SSL server certificate using VeriSign's Global Server ID?
    6. (5 pts) In complex, multiserver environments, SSL server certificates must be used carefully in order to satisfy the three requirements of online trust. Explain what the requirements are in multiserver environments.
    7. (5 pts) Explain the term Fail-Safe Backup.
    8. (5 pts) Explain what Load Balancing means.
    9. (5 pts) Explain what an Internet payment gateway is, and its role in a typical online payment transaction.

2.B Answer the following questions, based on the paper “Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure” (Ellison and Schneier, 2001, local copy is here).

1. (5 pts) In the paper, the authors discussed ten types of risks associated with certificates and PKI. Risk #2, for example, is related to ‘Who is using my key?’ Explain what this risk means and its implications in web security.

2. (20 pts, 5 pts per risk) Identify four of the risks which you think are most related to web security. Explain what each of these risks is and why you think it would have a major impact upon the security of a web application.

2.C (10 pts) Study Chapter 9 of the GS book and answer concisely (< 100 words each) the following questions.

a. Explain the significance of the server certificate in the SSL handshake. How is the certificate processed by the client?

b. Communication in SSL between the client and the server is encrypted with a session key. Explain how the session key is generated.



 

Research Project

Note: This is an individual project.

The goal of this project is for you to visit refereed publications (as well as some relevant web sites) to perform a detailed investigation of a chosen research topic. The topic you choose ideally should be related to Web technologies and their security issues/control. See sample research projects for some potential topics. If you need suggestions when choosing the topic, feel free to discuss with the instructor.

 

Items to be submitted:

  1. The abstract

A preliminary abstract of your presentation topic is due early in the semester.

Each student should publish his/her abstract in the class discussion board by the due date.

The abstract should be 1-2 pages long, and contains the following sections:

(1)   Class name (i.e., CSCI5234 Web Security)

(2)   Your name and an email address that you check regularly (that is, at least once a day)

(3)   Topic of your investigation

(4)   General description of the topic

(5)   Why is the topic worth investigating?  How is it related to web security?

(6)   Three or more articles related to the topic.

VERY Important: Make sure you properly cite the work of other researchers or professionals. Visit http://sce.uhcl.edu/yang/citing.htm for more information about cited references.

Warning: Missing or improperly cited references in your abstract and final report will result in a poor score for your presentation.

(7)   A tentative outline (agenda) of your final report. That is, the sections/subsections that you plan to include in the final paper.

  2. The final written report
    1. The written report should include your findings about the chosen topic.
    2. A draft of the final report should be published in the class discussion group to solicit comments from your classmates and the instructor.

Warning: Missing or improperly cited references in your abstract and final report will result in a poor score for this assignment.

    3. The following is a suggested outline of your final report:

      i. Title
      ii. Your name (and email address)
      iii. An abstract (50-100 words)
      iv. Introduction to the topic
      v. Significance of the chosen topic with respect to the security of web-based applications
      vi. Your findings
      vii. Future work: research ideas and projects possibly related to the topic
      viii. Conclusion
      ix. Appendix (if any)




Projects

  • Project description

Each team shall select one of the projects from the project list and notify the instructor of the chosen topic. A detailed design, along with a prototype, is due for in-class presentation and demo around the midterm (that is, the project 1 demo in the syllabus page).

  o Requirements

1. The design of your project shall consist of three or more tiers, including the front tier (a web client), the middle tier (a web application), and the back tier (a DBMS). The front tier provides web clients with a proper user interface to the web application, which processes the clients' requests and, if necessary, forwards the request to the DBMS at the back end.

2. In your design, potential vulnerabilities of the whole application shall be identified and discussed.

3. Use diagrams (UML, EER, etc.) and textual descriptions to present your design.

4. The prototype shall properly demonstrate how the three tiers would work together, although details may be filled in later in the project. If you have any doubt concerning what should be completed in each stage of the project, feel free to consult the instructor.

  o Deliverables of the Projects

(1) Preliminary Design

The preliminary design of your project should illustrate the system architecture (front end, middle tier, back end, etc.) of the application you plan to build. Publish your preliminary design in the class discussion board to solicit your classmates’ and the instructor’s comments.

(2) Detailed Design and Prototype Demonstration

a) Each team should publish, in the discussion group, its project’s detailed design, which contains the following:

  a. A UML diagram illustrating the design of the application, the source programs, a readme file explaining how the source programs would be used or installed, as well as any specific configuration files and/or steps;

  b. A relational database model for the data stored in the database server.

b) Each team needs to give an in-class demonstration of the prototype. See the class schedule for the demo date. Note: Each team has about 15 minutes to demonstrate its application. Peer evaluation will be part of the evaluation process.

(3) Final Report

The final project report should contain the system architecture, the final detailed design, the source programs (if applicable), and responses to comments made by the instructor and the classmates. Publish the final project report in the class discussion board.