INM-443 Cryptography

INM443 Cryptography

MSc in Cyber Security

MSci in Computer Science with Cyber Security

Ethical Hacking (Term 1)

Description

The scope of this coursework is to sharpen your computing skills and practice security in computing/communication systems.

In term 1, you play the role of an ethical hacker. Note that an ethical hacker is an expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit.

You are challenged to identify flaws in an e-commerce company’s network device, e.g. an SQL server, which contains customers’ private data. In particular, you will need to break the SQL server’s crypto components and retrieve a customer’s encrypted credit card secret code (3-digit) held by the e-commerce company. The crypto algorithm used in the encryption of the credit card secret code is RSA with weak security components. A weak password is also applied to the administrator account (admin). More information is available in the Coursework Manual file in MOODLE.

Output/Report Structure

You are expected to document in detail your methodology and work plan to achieve your goals. Your submitted report should have the following structure and include the following information (use screenshots to justify your work):

TERM 1: Report Structure/Contents

  1. Work Plan (Team Work)

In this section identify the network system you will attack (i.e., OS software installed, IP addresses). In addition, discover your environment by creating a map diagram/figure of the computer network found in the company. [10 marks]

  2. Breaking the system (2000-3000 words)

In this section identify potential methodologies of attacking the system. As an example,

  a) Perform a dictionary attack on the admin password to gain access to the SSH server. Justify your answer. Clever solutions will earn full marks. Note that in a real-life environment your dictionary or username files are very large. [20 marks]

  b) Cryptanalyze (by hand) the encrypted email which you will find in your mailbox to gain useful information. Provide details. Clever solutions will earn full marks. (Consider that you don’t have access to online resources.) [20 marks]

  c) Brute force the admin account password in the SQL server to access the database. Clever solutions will earn full marks. How would you approach the brute force if the database is too large? [20 marks]

  d) Retrieve the customer’s credit card secret code from the accessed database and find the RSA private key d. RSA public key e must be calculated using Shamir’s secret sharing scheme in a 4-member group (see Table 1 – Coursework Manual pdf file). This part can be a group/team effort. [20 marks]

  e) Decrypt the secret code using the SageMath tool (more in tutorials). Clever solutions will earn full marks. Discuss in the report how you would decrypt the code if you didn’t have access to RSA tools. Justify your answers. [10 marks]

  3. Concluding Remarks

Conclude your work and summarise what you have achieved/what went wrong (if any) in this coursework.

Grading Criteria

Your mark will cover the coursework assessment component found in module specifications for INM443. The exact weighting of the current security assessment report is shown below:

  • INM443 Cryptography module (coursework: 30%)

Note that Coursework Report Marking follows the University Assessment and Feedback Policy:

https://www.city.ac.uk/__data/assets/pdf_file/0009/365292/Assessment-and-Feedback-Policy-Senate-October-2016-2.pdf

Submission Dates

INM443 MSc/MSci students: The final report submission is due on the 8th of December (17:00). It is essential to upload a single report in MOODLE under the “Submission Coursework” area.

Working environment

Instructions on your working environment will be given in tutorials/labs of Cryptography (INM443).
