
Programming Studio-2 COSC2804

Assignment 3

1 Overview

This assignment will test your ability to develop protocols that are focused on security. Cryptography is all about securing messages. This assignment examines the following:

•    your understanding of basic cryptographic concepts incorporated with secure protocols.

•    your ability to implement a secure protocol via Python and Java.

•    your ability to conduct some reconnaissance in order to discover how much information an attacker would be able to gather.

Student teams will be expected to submit a video demonstrating the secure transmission of the values (for instance, a Wireshark capture showing that the data is not sent in plaintext).

The first objective will be for the student to gain experience at conducting packet sniffing, which can be done by using Wireshark (and potentially other tools you’ve learned in this course).

Wireshark is a very versatile packet sniffer. You have practiced specific instances to learn that running a packet sniffer can be quite useful. While there are certainly other packet sniffers that you became familiar with in this course, Wireshark is one of the most widely known. Please visit the Wireshark website if you are interested in learning more:


•   The Wireshark Wiki page: https://wiki.wireshark.org/

•   Wireshark videos and tutorials: https://www.wireshark.org/#learnWS


2 Learning Outcomes

This assessment relates to the following learning outcomes:

•    [CLO1]: Apply security, cryptography and risk management concepts to the design and development of medium-sized software applications.

•    [CLO3]: Demonstrate the ability to communicate effectively with industry professionals and peers.

•    [CLO4]: Demonstrate skills for self-directed learning, reflection, and evaluation of your own and your peers' work to improve professional practice.

•    [CLO5]: Demonstrate adherence to appropriate standards and practice of Professionalism and Ethics.

3 Specification

The original Python API that you have used in Assignments 1 & 2 is insecure, making it vulnerable to all manner of attacks by malicious actors, e.g., you try to build a wall for your house in Assignment 1, but your message gets compromised, and a flower is added instead.

In this assignment you will learn how to build an efficient Chosen Ciphertext Attack (CCA) secure protocol (which uses a block cipher, as discussed in this course) to provide confidentiality and message integrity at the same time. The overall process will include:

a.   Ensuring both confidentiality and integrity of the transmission of values across an insecure channel.

b.   Securely verifying that the message was received correctly.

In this Assignment you need to first form messages as follows:

M=(chat.post (msg))

For instance, M may look something like: chat.post('Hello World')\n

Note: Every MCPI API call is terminated by a newline (\n character).
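
An added example, not part of the assignment brief or any course code: one way to wrap an MCPI command with Encrypt-then-MAC so that it still fits the newline-terminated framing noted above. Assumptions: the function names and the 16-byte nonce / 32-byte tag layout are hypothetical, both keys are pre-shared, and HMAC-SHA256 in counter mode stands in for the block cipher because the Python standard library has none.

```python
import base64, hashlib, hmac, os

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream PRF(key, nonce || counter). HMAC-SHA256 is a stand-in
    # for the block cipher (assumption: stdlib only); a real build would use AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(enc_key: bytes, mac_key: bytes, command: str) -> bytes:
    """Encrypt-then-MAC one MCPI command; returns a newline-terminated frame."""
    plaintext = command.encode("utf-8")
    nonce = os.urandom(16)  # fresh per message, never reused under the same key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # MAC covers nonce and ciphertext
    # Base64 keeps raw 0x0A bytes out of the frame, so line-based readers still work.
    return base64.b64encode(nonce + ct + tag) + b"\n"

def open_frame(enc_key: bytes, mac_key: bytes, frame: bytes) -> str:
    """Verify the tag first and decrypt only on a match; raises ValueError otherwise."""
    try:
        raw = base64.b64decode(frame.rstrip(b"\n"), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed frame") from exc
    if len(raw) < 16 + 32:
        raise ValueError("frame too short")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("utf-8")

def flip_one_bit(frame: bytes) -> bytes:
    # Constructed test input: a frame whose first ciphertext byte changed in transit.
    raw = bytearray(base64.b64decode(frame.rstrip(b"\n")))
    raw[16] ^= 0x01
    return base64.b64encode(bytes(raw)) + b"\n"

def is_rejected(enc_key: bytes, mac_key: bytes, frame: bytes) -> bool:
    try:
        open_frame(enc_key, mac_key, frame)
        return False
    except ValueError:
        return True
```

Because the receiver checks the tag before decrypting, a frame altered in transit is dropped instead of being executed as a different command.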

Phase 1 (5 marks)

Use a WLAN sniffing tool to establish the security weaknesses of the original Python API that you have been using in Assignment 1 and 2. You will need to demonstrate this via a video submission detailed in Phase 3.

Phase 2 (15 marks)

In this phase you will need to design an efficient CCA-secure protocol (using a block cipher) that simultaneously achieves confidentiality and message integrity. Note that you can choose and implement only one technique.

•    Phase 2-1 (5 marks): Summarise and briefly explain the four techniques. Please submit a 1-page + references report to discuss your choice and to analyse pros and cons.

•    Phase 2-2 (10 marks): Discuss your chosen technique in more detail, including the efficiency/security trade-off. Please submit a 2-page + references report to describe your findings and explain them with clear technical detail.

Phase 3 (10 marks)

Implement your secure protocol by extending the Raspberry Juice plugin used by the Spigot Minecraft server. Demonstrate the effectiveness of your implemented technique by submitting a 5-minute video to demonstrate the following in this order:

a.   The security weaknesses of the original Python API (phase 1) by showing that the original message can be sniffed and manipulated.

b.   The message to be encrypted is given as input: show the student IDs of the team members and that the message is formed based on the last two digits of all the IDs.

c.   Give a brief demo of your code (1-2 minutes) and explain the main functions in your code and how you extended:

1.   The Raspberry Juice plugin.

2.   The client MCPI library.

d.   Run the implemented code.

e.   Show the decrypted value on the other end (e.g., in Spigot’s console).

f.   Perform an eavesdropping attempt to establish the security of the connection.

g.   Demonstrate the message being sent back correctly to the client.

4 Teamwork Guidelines

Group membership remains the same as for the first assignment. Exceptions need written approval from the course coordinator.

All group members are expected to attend the group consultations with the teaching staff. These will be held in the final two hours of each studio class. Remote students will attend these consultations on Microsoft Teams.

If there are problems with the communication in your group, or some members appear to be absent or not contributing, it is crucial that you alert the teaching staff early on. This is not about “dobbing”; we have a duty of care to check on students who are not showing up. At the same time, we are unlikely to be sympathetic if you assign a major piece of the assignment to an unresponsive teammate and only tell us about the issue a few days before the deadline. However, if you communicate with the teaching team early on, we will do our best to resolve the issue, and may adjust the requirements of the assignment if you are significantly disadvantaged.

If you have finished your allocated work on the assignment, but your teammates are lagging behind, you should ask the teaching staff for advice. Please do not just go ahead and do your teammates’ work for them, as your teammates may then complain that they weren’t given enough opportunity to contribute. Conversely, try to avoid putting your teammates in a position where they feel that they have to do your work. As always, speak to the teaching staff if you are concerned.

Regardless of how you organise the work, all team members will be held partially accountable for all components, since this is a team assignment. You should strive to help your teammates where possible and check each other’s work.

5 Academic integrity and plagiarism (standard warning)

Academic integrity is about honest presentation of your academic work. It means acknowledging the work of others while developing your own insights, knowledge and ideas. You should take extreme care that you have:

•    Acknowledged words, data, diagrams, models, frameworks and/or ideas of others you have quoted (i.e. directly copied), summarised, paraphrased, discussed or mentioned in your assessment through the appropriate referencing methods.

•    Provided a reference list of the publication details so your reader can locate the source if necessary. This includes material taken from Internet sites. If you do not acknowledge the sources of your material, you may be accused of plagiarism because you have passed off the work and ideas of another person without appropriate referencing, as if they were your own.

RMIT University treats plagiarism as a very serious offence constituting misconduct. Plagiarism covers a variety of inappropriate behaviours, including:

•         Failure to properly document a source

•         Copyright material from the internet or databases

•         Collusion between students

For further information on our policies and procedures, please refer to the following: https://www.rmit.edu.au/students/student-essentials/rights-and-responsibilities/academic-integrity. We will run both code and report similarity checks.

6 Getting Help

There are multiple venues to get help. The first point of call should be Canvas, recordings, and the discussion channels on MS Teams. In addition, you are encouraged to discuss any issues you have with your Tutor or Lab Demonstrator. Please refrain from posting solutions to the discussion forum.