EE5815 - Topics in Security Technology
Assignment 3
Electronic submission only on Canvas
Submission guidelines:
- Please prepare your assignment in “PDF” format.
- Please observe the departmental rules for late submission (i.e. 10% deduction per day).
- 10 points for each question.
Security Management
1) Assume that you are a manager responsible for the security of e-Banking systems in a bank. You have heard that the Hong Kong Monetary Authority (HKMA) issued a guideline called “Supervision of E-banking”.
a) Google for the document and give the URL where the above HKMA guideline for e-Banking can be found.
b) Read the HKMA guideline. Briefly describe at least three major technology-related controls relevant to e-banking that you need to consider in your e-Banking infrastructure.
[Hint: a brief description (a few lines) summarizing the main points is enough. Please do not simply copy pages of paragraphs from the HKMA document without understanding them.]
c) Your HK e-Banking system uses a Cisco firewall to protect the Internet perimeter, and your IT colleagues are familiar with this firewall. To strengthen security, it is proposed to purchase another firewall and set it up as a second, internal tier. Your IT colleagues propose buying the same Cisco firewall model and using it as the internal firewall. Would you approve this proposal? Why?
d) Go to the website of the bank where you hold an account. Is this website secure? Why? Identify the website's digital certificate and collect the following information: 1) Issued to, 2) Issued by, 3) Validity period, and 4) Fingerprints.
e) Collect the same information as in d) with the help of CityUGPT. Note the differences and analyze them.
Public Key Systems
2) In the RSA cryptosystem it is possible that M = C, that is, the plaintext and the ciphertext are identical. For modulus N = 667 and encryption exponent e = 3, how many messages M encrypt to themselves? Do not count M = 0 or M = 1 in this question.
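Added illustration (not part of the assignment): a short Python script that counts RSA fixed points for any modulus n = pq, cross-checking a brute-force scan against the closed form. It relies on a standard fact: modulo a prime p, M^e = M holds for M = 0 and for the gcd(e-1, p-1) roots of M^(e-1) = 1, and the Chinese remainder theorem multiplies the per-prime counts. The function names are the example's own.

```python
from math import gcd, isqrt


def fixed_points(n, e):
    """All M in [0, n) with M^e = M (mod n), found by exhaustive search."""
    return [m for m in range(n) if pow(m, e, n) == m]


def count_fixed_points(p, q, e):
    """Closed form for n = p*q with p, q distinct odd primes.

    Modulo a prime p, M^e = M means M = 0 or M^(e-1) = 1, and the second
    congruence has exactly gcd(e-1, p-1) solutions, so there are
    1 + gcd(e-1, p-1) fixed points mod p. By the CRT the two counts multiply.
    Because e-1 is even for any odd e, each factor is at least 3, so every
    RSA key has at least 9 fixed points; 0, 1 and n-1 are always among them.
    """
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))


def factor_semiprime(n):
    """Trial division up to sqrt(n); fine for the toy modulus in this question."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor found")


def unconcealed_messages(n, e):
    """Fixed points of RSA encryption, excluding the trivial M = 0 and M = 1.

    The brute-force list is cross-checked against the closed form so that a
    wrong factorisation or a non-prime factor is caught instead of silently
    giving a wrong count.
    """
    p, q = factor_semiprime(n)
    pts = fixed_points(n, e)
    if len(pts) != count_fixed_points(p, q, e):
        raise AssertionError("brute force and closed form disagree")
    return [m for m in pts if m not in (0, 1)]


if __name__ == "__main__":
    print(unconcealed_messages(667, 3))
```

The closed form also explains why such "unconcealed" messages cannot be engineered away by key choice: with p, q and e all odd, at least 0, 1 and n-1 are fixed for every key, and more appear whenever e-1 shares further factors with p-1 or q-1.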
Technical Tools
3) Network packet sniffing.
a) Install Wireshark on your machine. Show evidence (e.g. a screen dump) that you have downloaded and installed this package on your personal computer.
b) Describe the purpose of this program. How do you start capturing packets, and how do you apply a filter that shows only TCP packets?
c) Start capturing packets. While the capture is still running, access your email.
Describe:
How you access your email (e.g. webmail, POP3, IMAP, etc.)
Can your username and password be seen in the captured traffic?
During the capture, can you observe network protocols other than the one you used for email access? If so, name two such protocols and briefly explain why they are present.
d) Compare the operations in b) and c) with the operations you carried out in the team-based learning class. Briefly describe the similarities and differences.
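Added illustration (not part of the assignment): what the Wireshark steps in b) and c) amount to at the byte level, as a self-contained Python script. It builds a tiny libpcap file in memory (the hosts, ports and the POP3 login in it are constructed, not captured traffic), reads the file back, keeps only TCP packets, which is the same selection as the Wireshark display filter `tcp`, labels protocols by well-known port the way Wireshark's Protocol column does, and pulls cleartext POP3 USER/PASS commands and HTTP Basic headers out of the TCP payloads. All function names are the example's own.

```python
import base64
import struct
from collections import Counter

# Constructed sample traffic: the hosts, ports and credentials below are made up.


def ipv4_frame(src, dst, proto, l4):
    """Ethernet II + IPv4 header; checksums are left zero, the reader ignores them."""
    eth = bytes.fromhex("665544332211 001122334455 0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4


def tcp_seg(sport, dport, data):  # data offset 5 words, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data


def udp_dgram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


ARP_WHO_HAS = (bytes.fromhex("ffffffffffff 001122334455 0806") + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
               + bytes.fromhex("001122334455") + bytes([192, 168, 1, 10]) + bytes(6) + bytes([192, 168, 1, 1]))
DNS_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
FRAMES = [
    ARP_WHO_HAS,
    ipv4_frame("192.168.1.10", "192.168.1.1", 17, udp_dgram(51000, 53, DNS_QUERY)),
    ipv4_frame("192.168.1.10", "203.0.113.5", 6, tcp_seg(51001, 110, b"USER alice\r\n")),
    ipv4_frame("203.0.113.5", "192.168.1.10", 6, tcp_seg(110, 51001, b"+OK\r\n")),
    ipv4_frame("192.168.1.10", "203.0.113.5", 6, tcp_seg(51001, 110, b"PASS hunter2\r\n")),
]


def write_pcap(frames):
    """libpcap file: 24-byte global header (linktype 1 = Ethernet), then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(blob):
    """Yield raw frames; both byte orders of the magic number are accepted."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if order is None:
        raise ValueError("not a libpcap file")
    off = 24
    while off + 16 <= len(blob):
        incl = struct.unpack(order + "IIII", blob[off:off + 16])[2]
        yield blob[off + 16:off + 16 + incl]
        off += 16 + incl


def decode(frame):
    """Minimal Ethernet/IPv4/TCP/UDP decode, enough to mimic Wireshark's simple filters."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"proto": "arp" if ethertype == 0x0806 else "ethertype-%04x" % ethertype}
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]
    pkt = {"proto": "ip-proto-%d" % ip[9],
           "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if ip[9] in (6, 17):
        pkt["proto"] = "tcp" if ip[9] == 6 else "udp"
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[(l4[12] >> 4) * 4:] if ip[9] == 6 else l4[8:]
    return pkt


def tcp_only(blob):
    """Same selection as the Wireshark display (or capture) filter `tcp`."""
    return [pkt for pkt in map(decode, read_pcap(blob)) if pkt["proto"] == "tcp"]


def protocol_summary(blob):
    """Label by well-known port the way Wireshark's Protocol column does."""
    names = Counter()
    for pkt in map(decode, read_pcap(blob)):
        ports = (pkt.get("sport"), pkt.get("dport"))
        if pkt["proto"] == "udp" and 53 in ports:
            names["dns"] += 1
        elif pkt["proto"] == "tcp" and 110 in ports:
            names["pop3"] += 1
        else:
            names[pkt["proto"]] += 1
    return dict(names)


def cleartext_credentials(blob):
    """POP3 USER/PASS commands and HTTP Basic headers sent in the clear over TCP."""
    found = []
    for pkt in tcp_only(blob):
        for line in pkt["payload"].split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                found.append((pkt["dport"], line.decode("ascii", "replace")))
            elif line.lower().startswith(b"authorization: basic "):
                creds = base64.b64decode(line.split(None, 2)[2]).decode("ascii", "replace")
                found.append((pkt["dport"], creds))
    return found
```

With real traffic, a POP3 or IMAP login without STARTTLS, or an HTTP Basic login without TLS, shows up exactly like the constructed `USER alice` / `PASS hunter2` lines; webmail over HTTPS shows only TLS records, so the credentials are not recoverable from the capture. The ARP request and DNS query stand in for the side traffic present in any capture: a host must resolve the mail server's name and its gateway's MAC address before it can open the TCP connection at all.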
4) Install a mobile banking app on your iOS or Android device (if you do not have such a device, do this exercise with a web browser connected to an e-banking site).
a) Name the app or web environment you will use in this exercise.
b) Google for “web debugging proxy”. Pick one such tool (e.g. Fiddler Web Debugger, Burp Suite, etc.) and use it as a proxy to capture the list of URLs visited by your chosen mobile banking app.
[Hint: many banking apps pin their TLS certificates and refuse to connect through an intercepting proxy. If that happens, say so in your answer; the proxy log will still show the hosts contacted (as CONNECT requests) even though the request contents cannot be decrypted.]
Go to the login screen and enter arbitrary values to attempt a login (you do not need to log in with a valid username/password; a failed login is good enough, but please try it only once).
Show the list of URLs involved in the login process. Are all requests to the bank protected by SSL/TLS?
c) Display the digital certificate of the BOCHK website and elaborate on which cryptographic standards are used in this certificate (the signature algorithm, the public-key algorithm and key size, and the hash function).
Sage Questions
5) ECC question. Please show your code and results in your answers.
a.) Define an elliptic curve over a finite field with suitable parameters, where p should be an 11-bit prime.
b.) Encrypt the message M = "2024EE5815" using ECC with NIST's secp521r1 elliptic curve, and decrypt the result back to the plaintext.
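Added illustration (not part of the assignment, which asks for Sage): both steps in plain Python with no Sage dependency. Part (a) is a toy curve over the 11-bit prime 2003; part (b) uses the secp521r1 domain parameters as printed in SEC 2 (p = 2^521 - 1, a = -3, with b, G and n copied below) and encrypts "2024EE5815" with EC ElGamal after embedding the message into a curve point by the Koblitz method (x = m*256 + j for the first j that lifts to a point). The Curve class, the encoding scheme and all names are the example's own; ElGamal over a curve is used because the question does not name a specific ECC encryption scheme.

```python
import secrets


class Curve:
    """y^2 = x^3 + a*x + b over F_p in affine coordinates; None is the point at infinity."""

    def __init__(self, p, a, b):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P):
        return P is None or (P[1] ** 2 - P[0] ** 3 - self.a * P[0] - self.b) % self.p == 0

    def neg(self, P):
        return None if P is None else (P[0], -P[1] % self.p)

    def add(self, P, Q):
        if P is None or Q is None:
            return Q if P is None else P
        (x1, y1), (x2, y2), p = P, Q, self.p
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                                   # Q = -P
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return x3, (lam * (x1 - x3) - y1) % p

    def mul(self, k, P):
        """Double-and-add; not constant-time, which is acceptable for a classroom demo."""
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R

    def lift_x(self, x):
        """A y with (x, y) on the curve, or None. Needs p = 3 (mod 4), true for both curves here."""
        rhs = (x ** 3 + self.a * x + self.b) % self.p
        y = pow(rhs, (self.p + 1) // 4, self.p)
        return y if y * y % self.p == rhs else None


def point_order(curve, P):
    """Brute-force order of P; only for tiny curves such as the 11-bit one in (a)."""
    k, R = 1, P
    while R is not None:
        k, R = k + 1, curve.add(R, P)
    return k


# (a) A toy curve over the 11-bit prime 2003 (2003 = 3 mod 4); a = 1, b = 7 is non-singular.
SMALL = Curve(2003, 1, 7)
SMALL_G = next((x, SMALL.lift_x(x)) for x in range(1, 2003) if SMALL.lift_x(x) is not None)

# (b) secp521r1 (NIST P-521) domain parameters as listed in SEC 2: p = 2^521 - 1, a = -3.
P521 = Curve((1 << 521) - 1, -3, int(
    "0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E1"
    "56193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16))
P521_G = (int("00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBA"
              "A14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", 16),
          int("011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C"
              "97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", 16))
P521_N = int("01FF" + "FFFFFFFF" * 7 + "FFFFFFFA51868783BF2F966B7FCC0148F709A5D0"
             "3BB5C9B8899C47AEBB6FB71E91386409", 16)


def encode_message(curve, msg, K=256):
    """Koblitz embedding: x = m*K + j for the first j < K whose x lifts to a point."""
    m = int.from_bytes(msg, "big")
    if (m + 1) * K >= curve.p:
        raise ValueError("message too long for this curve")
    for j in range(K):
        y = curve.lift_x(m * K + j)
        if y is not None:
            return m * K + j, y
    raise ValueError("no point found")          # fails with probability about 2^-K


def decode_point(P, K=256):
    m = P[0] // K
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def keygen(curve, G, n):
    d = secrets.randbelow(n - 1) + 1
    return d, curve.mul(d, G)


def encrypt(curve, G, n, Q, M):
    """EC ElGamal: (C1, C2) = (k*G, M + k*Q) with a fresh random k for every message."""
    k = secrets.randbelow(n - 1) + 1
    return curve.mul(k, G), curve.add(M, curve.mul(k, Q))


def decrypt(curve, d, C):
    C1, C2 = C
    return curve.add(C2, curve.neg(curve.mul(d, C1)))
```

Textbook EC ElGamal is malleable (anyone can add a known point to C2) and is only safe if k is fresh and uniformly random for every message, which is why `secrets` rather than `random` is used here; deployed systems use ECIES (ECDH to derive a key, then a symmetric cipher and a MAC) instead of encoding the plaintext as a point.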
6) RSA question. Please show your code and results in your answers.
a.) The RSA modulus ‘n’ is 4819. What are the factors (p and q) of ‘n’?
b.) Using (a), when e = 7, what are the corresponding public and private keys?
c.) The RSA-encrypted message ‘C’ is received by both Alice and Bob, whose private and public keys are ‘da, (ea, na)’ and ‘db, (eb, nb)’ respectively. If the original message before encryption is ‘M’, who is the intended recipient of the message? [M = 190, C = 1912, (ea, na) = (31, 5293), da = 2491, (eb, nb) = (31, 4891), db = 3679]. Please show your detailed computation.
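Added illustration (not part of the assignment, which asks for Sage): parts (a) to (c) in plain Python. Factoring is by trial division, which is all a 13-bit modulus needs; key generation uses pow(e, -1, phi) for the modular inverse; and the recipient test encrypts M under each public key and decrypts C under each private key, so a key pair is only accepted when both directions agree. The PARTIES dictionary holds the values given in (c) and all function names are the example's own. One thing worth noticing about those values: gcd(na, nb) is not 1, so the two moduli share a prime factor and either public key alone is enough to factor the other; `shared_prime` checks for exactly this "common factor" weakness, which has been found in deployed RSA keys generated with poor randomness.

```python
from math import gcd, isqrt


def factor(n):
    """Trial division up to sqrt(n); adequate for the 13-bit moduli in this question."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("%d has no non-trivial factor" % n)


def rsa_keys(p, q, e):
    """Return the public key (e, n) and private key (d, n) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)


def intended_recipients(M, C, parties):
    """parties maps a name to (e, n, d); returns the names whose key pair matches C.

    Two independent checks are made: encrypting M under the public key must
    reproduce C, and decrypting C under the private key must reproduce M.
    """
    return [name for name, (e, n, d) in parties.items()
            if pow(M, e, n) == C and pow(C, d, n) == M]


def shared_prime(n1, n2):
    """A prime common to two moduli breaks both keys with one gcd; 0 if there is none."""
    g = gcd(n1, n2)
    return g if g != 1 else 0


# Values given in question 6c: name -> (e, n, d)
PARTIES = {"Alice": (31, 5293, 2491), "Bob": (31, 4891, 3679)}


if __name__ == "__main__":
    p, q = factor(4819)
    print("p, q =", p, q, "keys:", rsa_keys(p, q, 7))
    print("recipient(s):", intended_recipients(190, 1912, PARTIES))
    print("shared prime of na, nb:", shared_prime(5293, 4891))
```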
Hands-on Practice Question
7) In this exercise you need to create a free Google Cloud account and work through one tutorial from https://cloud.google.com/docs/tutorials, using Google Cloud functions and products to realize one of the designs described on that site.
The following are some instructions for this lab session.
Requirements:
a) State which tutorial you read and what you have learned about Google Cloud, or
b) (10 points) You may instead study other cloud products; describe what you learned in the same way as in a).
c) (Bonus: 10 points) Complete one tutorial by following its guidance and generate the resulting outputs. Show your results and describe what you learned in the process.