0368-3500-35

Spring 2009

Workshop in Computer Security


Sundays 14-16, Dan David 106

Instructor:  Ran Canetti

Assistant:  Rani Hod



Security, or guaranteeing the expected behavior of a system in the face of deliberate attacks, is an integral aspect of the design and use of modern information systems. The workshop will provide hands-on programming experience in different aspects of computer and communication security.

Goals

  • To introduce students to the challenges of writing security-conscious programs and implementing cryptographic protocols.
  • To lead students through an end-to-end software development cycle:
    • defining the project
    • researching for similar projects
    • learning required background (protocols, APIs, environment)
    • designing the methods of implementation
    • actual implementation
    • testing and debugging
    • adjusting project in response to feedback
    • wrapping up the project and presenting it to the world.
  • To give students a better understanding of team-based development (as opposed to solo projects): distribution of tasks, source control and integration of code.
  • To learn something new while having fun

Note: The workshop projects will be interesting and "cool" but not easy!

Prerequisite

Software 1.

There is no formal prerequisite requirement regarding cryptography or computer security, although some prior background knowledge and affinity will certainly help. Students will be expected to read and learn on their own any concepts and systems that are needed in order to carry out the project successfully.

Methodology

After two introductory lectures, the class will form teams of 1 to 3 students. Each team will choose a project of a scope appropriate to its size (see the list of projects below). Project selection should be done as early as possible, but no later than the third meeting, namely March 22.

The first part of the work on the project is devoted to collecting, reading and understanding the background material. This includes understanding the goal, the relevant theoretical background, the tools to be employed, and the programming environment. Very importantly, it also includes a literature search for similar software that is already available. At the end of this part, each group has to present its plan to the instructors. You will have to explain the implementation design in detail and show understanding of the internals of the project. The instructors will indicate which aspects of the implementation and which project goals to emphasize. You are strongly encouraged to give this presentation as soon as possible.

The main part of the work is devoted to implementing the plans made in the first part. You are expected to test the code you wrote, analyze its performance and draw conclusions as to how it can be improved and what features can be added. Throughout the semester we will have three course meetings in which each group will describe its progress to the class and raise for discussion issues encountered while working on the project.

Submission will be done in three steps:

1. Pre-submission. Each group will have a personal meeting with Ran and Rani, presenting their project in action. Although this presentation is part of the grade, it is intended mostly for feedback.

2. Class presentation. On the last two weeks of the semester, each group will present its project to the class.

3. Final submission. Each group will have another personal meeting with Ran and Rani, presenting their project in action. Changes based on feedback from pre-submission and class presentation will be expected.

Requirements:

  • Present project plan and get an approval,
  • Participate in class discussions about your project and other projects,
  • Present the project and answer questions, following the guidelines in the Methodology section.


Grade

The grade will be the sum of two components: the project component and the understanding/participation component. The project grade will be based solely on the quality of the implementation and the demonstration, measured against the stated goals. This component will be the same for all the participants in the project. The understanding/participation grade is individual and will be based on Ran and Rani's impression of your understanding of the material in individual meetings and in the project discussions in class meetings. Note that this component can be either positive or negative.

Code sharing policy

Some projects will be encouraged to share information and code; in other cases such sharing will be prohibited. Needless to say, any unauthorized copying or sharing of information will result in a grade penalty or possible disciplinary action. This includes unauthorized use of publicly available code (such as code provided on the Internet) for some of the tasks you are required to implement. When in doubt, ask.

Technical Details

  • In some of the projects you may choose between Windows (2000/XP/Vista), Mac OS or Linux as your OS of choice, but some projects should be OS-independent.
  • You may write the project in Java or C/C++. If you want to use another programming language, please contact Ran or Rani for approval.
  • Code clarity and documentation
    • You are required to write a high level description of your code, its structure and main algorithms. Aside from developer documentation, you are required to write documentation for users.
    • Submission of source code and documentation is on the project page on this site.
    • Comment your code as clearly as possible.
    • If possible, generate automatic documentation for your code (e.g., using Javadoc or Doxygen).


Projects

Below is an initial list of suggested projects. The description below is very terse. More details will be given in class. Projects may be added in the coming weeks. In addition, teams are welcome to propose their own security-related projects. These proposals will of course be subject to approval of the course staff.

  • Securing Webmail

    Current webmail applications (such as Gmail, Hotmail, etc.) require the user to put complete trust in the mail server. In particular, the server is given full access to the mail contents, and is trusted to verify the authenticity of incoming mail on behalf of the user. This set of projects aims to develop methods for reducing the trust placed in webmail servers, while maintaining the functionality and ease of use.

    • [2-3 students] Adding encryption and authentication to webmail client, thus allowing clients to preserve "end to end" secrecy and authenticity without trusting the server.
    • [2 students] Adding a layer of protection that uses secret sharing among multiple servers instead of encryption.
    • [1 student] Adding a steganographic layer to the previous solutions, to hide the fact that encryption is being used.

  • Implementing Internet Security Standards (see Yaron Sheffer's presentation)

    The Internet Engineering Task Force (IETF) is the main body for standardizing Internet protocols. This set of projects will implement some current proposed standards for secure communication. (These projects will be supervised jointly with Yaron Sheffer from Checkpoint Technologies.)

    • [2 students] Implementing the standard proposed in draft-nir-tls-eap for incorporating a variety of authentication mechanisms in the TLS/SSL protocol.
    • [2 students] Implementing the standard proposed in draft-sheffer-emu-eap-eke for password-based authentication.
    • [1 student] Implementing the standard proposed in kivinen-ipsecme-esp-null-heuristics for sniffing packets to verify whether they are encrypted.

  • Implementing a general secure multi-party computation protocol

    • [3 students] Secure multi-party computation is a cryptographic paradigm that allows a set of mutually distrustful parties to perform some joint computation in a way that guarantees correctness of the outputs along with secrecy of local data (to the maximum possible extent). The project is to implement a specific multi-party computation protocol. The protocol is currently written in an abstract format, with many details missing. The implementation will need to fill out the details. In particular, an appropriate communication protocol and API will need to be developed.

  • Human-memorizable password enhancer

    • [1-2 students] Passwords that are chosen and memorizable by humans are notoriously weak secrets. However, in many cases human-memorizable secrets are the only ones available. The goal here is to implement one proposed way for enhancing the security when the only secrets available are human-memorizable. The context is encryption of local storage using a password. However, instead of using the password directly, the user is prompted via a CAPTCHA-like puzzle to generate randomness that's unpredictable to a computer. The project will involve coming up with ideas for effective puzzles and in addition implementing the underlying mechanism for using the human answers for encryption.

  • Your suggested project
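As an added illustration of the secret-sharing webmail project above (this is not code from the course or from any of the listed projects), the following Python splits a mail body into shares for several independent servers using Shamir secret sharing over GF(2^8): any k servers together can rebuild the body, while any k-1 shares are statistically independent of it, which is the property that lets the scheme replace encryption. The threshold, the server count and the sample message are assumed values chosen for the demonstration.

```python
import secrets  # OS randomness for the random polynomial coefficients
def gf_mul(a, b):
    # Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a, b = ((a << 1) ^ (0x11B if a & 0x80 else 0)) & 0xFF, b >> 1
    return p

def gf_inv(a):
    # a^254 == a^-1 in GF(2^8): multiply a^2, a^4, ..., a^128 together
    result, sq = 1, a
    for _ in range(7):
        sq = gf_mul(sq, sq)
        result = gf_mul(result, sq)
    return result

def split(message, k, n):
    # Return n shares (server_index, share_bytes); any k of them rebuild message
    assert 1 <= k <= n <= 255  # server indices 1..n must be distinct non-zero x
    shares = [bytearray() for _ in range(n)]
    for byte in message:
        # fresh random degree-(k-1) polynomial whose constant term is the secret byte
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for i in range(n):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x = i + 1
                y = gf_mul(y, i + 1) ^ c
            shares[i].append(y)
    return [(i + 1, bytes(s)) for i, s in enumerate(shares)]

def combine(shares):
    # Lagrange-interpolate every byte at x = 0 from the shares servers hand back
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for xi, yi in shares:
            num = den = 1
            for xj, _ in shares:
                if xj != xi:
                    num = gf_mul(num, xj)       # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xi ^ xj)  # (xi - xj) == xi XOR xj
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

# Constructed sample mail body for a 2-of-3 split across three storage servers
MESSAGE = b"Subject: lunch?\nMeet at 12:30 by the lab."
```

Splitting `MESSAGE` with `split(MESSAGE, 2, 3)` gives one share per server; `combine` on any two of them returns the body, and a single share on its own is uniformly random.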