IS2150/TEL2810代做、代写Java编程、代写Crypto Techniques、代做Java程序

日期：2018-11-26 10:54

IS2150/TEL2810 Introduction to Security

Programming Project

1. Crypto Techniques

The objective of this exercise is to use Java features to write some security mechanisms

that can be used in applications. You will be using the classes from Java Cryptographic

Extension to implement them.

You will need to consult Java API documentation. You can download and install the

documentation yourself, or you can access them from this URL:

http://java.sun.com/j2se/1.4.2/docs/api/index.html

Java books that you can reference

Inside Java 2 Platform Security, 2nd Edition, L. Gong, G. Ellision, M. Dageforde

Java Security, Scott Oaks, O’Reilly

For each part of the assignment, skeleton Java code has been provided. These skeletons

will NOT compile. You will need to make modifications on them before they can be

successfully compiled and run.

A) Authentication (15 points)

For the first part of the assignment, you should use the skeleton Java code to implement

double-strength password login using message digest. The following diagram illustrates

the double strength password.

Note that you need to generate 2 rand

om numbers and 2 timestamps. There are three classes defined:

Protection, which provides three functions makeBytes, makeDigest (version 1),

and makeDigest (version 2).

o makeBytes takes in a long integer and a double, then converts them into a

single byte array. makeBytes has already been implemented for you.

o makeDigest (version 1) takes in a byte array, a timestamp, and a random

number, then generates a digest using SHA. This function has already

been implemented for you.

o makeDigest (version 2) takes in a user name, a password, a timestamp, and

a random number, then generates a digest using SHA. You need to

implement this function. You may have to consult MessageDigest API in

the documentation.

ProtectedClient, which implements the client. There are two functions: main and

sendAuthentication.

o main is the starting point of the client program and has already been

implemented for you. Make sure the host variable is set to the correct

server address (it is currently set to paradox.sis.pitt.edu).

o sendAuthentication is the function that you need to implement. It takes in

user name, password, and an output stream as the function inputs. In this

function, you should implement double-strength password authentication

and send to the server by writing to the variable ‘out’. Consult

DataOutputStream API on how to write different data types to ‘out’.

ProtectedServer, which implements the server. There are three functions: main,

lookupPassword, and authenticate.

o main is the starting point of the server program and has already been

implemented for you. It creates a server process that waits for an

incoming connection. Once a connection is established, authenticate is

called to authenticate the user. If the user successfully authenticate, your

program should print out “Client logged in.”

o lookupPassword, which simply returns the password of the user stored on

the server.

o authenticate is the function which you need to implement to authenticate

the user trying to log in. Consult DataInputStream API on how to read

data from the ‘in’ stream. The function should return either true or false

depending on whether the user is authenticated.

B) Signature (15 points)

In this part of the assignment, you are to implement the ElGamal Signature scheme

described in the textbook in section 10.6.2.2.

There are two classes in this assignment, ElGamalAlice and ElGamalBob, corresponding

to the sender (Alice) and the receiver (Bob). The main functions for both the classes have

been written for you. Your assignment is to write various functions that implement

ElGamal key generation and signature creation algorithms (for Alice), and signature

verification algorithm (for Bob). The functions you have to implement are indicated in

the source files.

C) Public-Key System (15 points)

In this part of the assignment, you will need to demonstrate the use of RSA Public-key

system to exchange messages that achieve confidentiality and integrity/authentication as

well as the combination of both. You can assume a simple way of sharing public keys

between the two communicating parties. You can reuse the basic code provided for above

for this assignment.

D) X.509 certificates (15 points)

In this part of the assignment, you will need to demonstrate the use of X.509 certificate to

exchange messages that achieve confidentiality. The client loads the server’s certificate

and proceeds to verify its authenticity and validity. This includes checking the expiration

date and verifying if the certificate was signed using the private key that corresponds to

the specified public key. Also, you need to print the content of the certificate you

received. If the certificate received is valid, proceed to exchange confidential messages

between the two parties. You can reuse the code previously provided for part C.

You will need to create an X.509 certificate for the Server, using RSA as the key

generation algorithm. Each team should create a unique certificate with one of

the team member’s name on it. This certificate can be self-signed with your name.

You can use keytool for this purpose. keytool is installed as part of the standard Java

SDK/Runtime library, and is located in its bin subfolder. Refer to the keytool’s

documentation for further instructions.

http://download.oracle.com/javase/1.5.0/docs/tooldocs/windows/keytool.html

Finally, answer these questions in the report. What are the limitations of using self-signed

certificates? What are they useful for?

2. Password Cracking

The goal of this component is to implement a password authentication mechanism and a password

cracker to study the vulnerabilities of choosing weak passwords. It consists of two sub-parts.

Part 1: Implementation of password authentication mechanism (10 points)

In the first part, you need to implement a password authentication mechanism. You will create two

programs. The first program registers and adds a new user into the system and stores the user’s

password information in a file. The second program is a user login program which asks for the

username and password from the user and verifies it based on the information stored in the password

file.

The password file in the system can be a text file that has the list of all usernames and the

corresponding passwords. However, instead of storing the passwords in plain texts, the password list

contains the message digests (hash) of the passwords to prevent attacks. You may use MD5 message

digest scheme to create the message digest (hash) of the password.

For example, if Tom and Harry are two existing users and if their passwords are “authentic” and

“prevention”, then the password file will contain:

where “973d98ac221d7e433fd7c417aa41027a” is the MD5 message digest of the password string

“authentic”. Similarly, “7fd9a35dfa69c58a7ef0ecb4d53a1651” is the MD5 message digest of the

password string “prevention”.

Your first program should be able to register a new user by accepting a new username and password

string and add the corresponding entry to the password file shown above.

Your second program should accept a username and password as input and check if the username is

already a registered user. If so, it computes the MD5 message digest of the entered password and

checks if it matches the MD5 digest of the corresponding user password stored in the password file.

The program accepts the user only if the message digests match.

Part 2: password cracker (30 points)

The second part of your project should implement a password cracker that cracks a given user’s

password from the message digest information present in the password file. The password cracker

uses a dictionary of English words to aid the dictionary attack.

For example, to crack the password of user “Tom”, the attacker knows that

“973d98ac221d7e433fd7c417aa41027a” is the message digest of user Tom’s password. To facilitate

the dictionary attack, the attacker uses a dictionary that contains a list of common English words.

For your convenience, a small subset of English words is provided as a file called dictionary.txt and

it is attached with this project description. Your password cracker program can use this dictionary to

aid the dictionary attack.

In general, you can assume that there are two kinds of passwords used by the users.

Type 1: the password string is just exactly one of the words present in the dictionary

Type 2: the password string is a combination of a dictionary word, numerical characters 0-9 and

special characters, {@, #, $, %, &}. You can assume that there are no other special characters and no

upper case letters in the password.

For Type 1 passwords, your program should compute the MD5 message digest of each dictionary

word in the dictionary and check if it matches the MD5 message digest of the user in the password

file. When a match is found, the corresponding English word is displayed as the cracked password.

For Type 2 passwords, your program should first generate a set of possible type 2 passwords for a

given English word. For example, for the word, “authentic”, you can create a number of type 2

passwords such as

$authentic%4

authentic#@

5&authentic

Authen8tic

You may assume that the number of special characters and numerical characters in any password is

less than 7 but they may be present at any position within the password string. Your program should

create all possible type 2 passwords for each given English word and for each possible type 2

password, your program computes the MD5 digest and checks if it matches the MD5 digest present

in the password file and thereby knows if the guessed password is correct.

In addition to the above mentioned approach, you may implement other additional optimizations in

the password cracking logic to minimize the password cracking time.

Your password cracker program should also display the time taken to crack the given password.

Project Submission: Submit a single ZIP file with your Pitt email ID as its filename via

the CourseWeb system. The package should contain all your source files and a readme

file including the answers to the above questions. You also need to demonstrate your

programs, where you may be asked to explain about different parts of your code.