Question 1 – Cryptographic Operations with GPG [10 marks]
Objective: gain experience with using software to perform common cryptographic operations.
There are many different software (and hardware) implementations of cryptographic operations. GNU Privacy Guard (GPG) is one such piece of software, which focusses on a simple, open source implementation of common public key operations (but also includes symmetric key encryption). In this task you must use GPG to perform some common operations to communicate securely with the course coordinator.
GPG is available for most operating systems. You will need to install it on your computer to complete this task. Chapter 1 of the GNU Privacy Handbook provides examples of using most of the commands needed for this task. Others may be found in the ‘man’ or help page for the command once installed.
Scenario: you want to send a message to the course coordinator. You will do that by submitting a file on Moodle. But you want the communications to be secure (you don't even trust other staff that can also access Moodle submissions). You will use symmetric key cryptography to encrypt the message. But the problem with symmetric key cryptography is that a shared secret key must be exchanged somehow. A common solution is to encrypt the shared secret key using public key cryptography. So in fact you will send two pieces of information to the course coordinator (although in one file): a message and the shared secret key. The course coordinator wants to be sure the message they receive came from you, therefore you will also sign the message. This assumes you know the course coordinator's public key, which is available on Moodle.
In the following instructions when you see id in a filename, replace it with your student ID. For example, if your student ID is s123456, then the message file will be called s123456-message.txt. Similarly, replace the example names, IDs, emails with yours.
a) Create the message by putting the following inside a text file named id-message.txt:
Name: <include your name here>
ID: <include your ID here>
Email: <include your email here>
<Write one or more paragraphs that explain which software used in the assignments is the hardest to use, and why. This is not assessed but is useful feedback.>
b) Create a shared secret key by generating a 12 byte random value encoded as base64. Put the 16 character base64 value in a file called id-sharedsecret.txt. Hint: use gpg to generate the random bytes (--gen-random), and include the --armor option to encode them as base64; 12 bytes encode to exactly 16 base64 characters with no padding.
c) Generate your own RSA 2048-bit key pair. Include your name and CQU email address when prompted. For simplicity in this assignment, do not use a passphrase on your key (if you do, make sure you remember it).
d) Export your public key and save it to a text file called id-publickey.txt. Use the --armor option to generate a text-based public key.
e) Create a detached signature of the message with your own private key, saving that signature as id-message.sig.
f) Combine the message (id-message.txt) and signature (id-message.sig) into a single file called id-signedmessage.zip using ZIP. Do not include any directories or other files in the ZIP file: it should contain just the two files.
g) Use AES128 to encrypt the zip file. When prompted for a passphrase, use the 16 character shared secret generated earlier. The output file is called id-signedmessage.enc.
h) Use RSA to encrypt the shared secret with the course coordinator's public key. The output file is called id-sharedsecret.gpg.
i) “Send” the two encrypted files to the course coordinator by submitting on Moodle. Also “publish” your public key by submitting on Moodle.
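The steps above as one worked example, added here and not part of the assignment text or the course's own solution: a POSIX shell script that runs steps (b) to (h) with GnuPG and then performs the reverse operations a marker would. It assumes GnuPG 2.2 or later (for --quick-generate-key and --pinentry-mode loopback), the zip and unzip tools, and that the coordinator's public key has already been downloaded from Moodle as coordinator-publickey.txt; the student ID, name, e-mail address and coordinator address are placeholder arguments, and the message file from step (a) must already exist.

```shell
#!/bin/sh
# Added worked example, not part of the assignment text: steps (b) to (h) as a
# POSIX shell script, followed by the reverse operations a marker would run.
# Assumptions not stated on the page: GnuPG 2.2 or later (--quick-generate-key,
# --pinentry-mode), the zip/unzip tools, and the coordinator's public key already
# downloaded from Moodle as coordinator-publickey.txt. Student ID, name, e-mail
# and the coordinator's e-mail are passed as arguments and are placeholders.
set -eu

# Format check for step (b): exactly 16 base64 characters and nothing else
# (12 bytes encode to 16 characters with no '=' padding).
check_shared_secret() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{16}$'
}

# Step (b): 12 bytes from gpg's RNG, base64-encoded by --armor. Quality level 1
# is adequate for a session key; level 2 may block waiting for entropy.
make_shared_secret() {
    gpg --armor --gen-random 1 12 > "$ID-sharedsecret.txt"
    check_shared_secret "$(cat "$ID-sharedsecret.txt")"
}

# Step (c): RSA 2048 signing key plus RSA 2048 encryption subkey, no expiry,
# empty passphrase (allowed by the assignment; a real key should have one).
make_keypair() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$NAME <$EMAIL>" rsa2048 default never
}

# Step (d): ASCII-armored public key; this is what the coordinator imports.
export_public_key() {
    gpg --armor --output "$ID-publickey.txt" --export "$EMAIL"
}

# Step (e): detached signature over the message with your own key.
sign_message() {
    gpg --local-user "$EMAIL" --output "$ID-message.sig" \
        --detach-sign "$ID-message.txt"
}

# Step (f): -j stores just the two files, with no directory entries.
zip_message() {
    zip -j "$ID-signedmessage.zip" "$ID-message.txt" "$ID-message.sig"
}

# Step (g): symmetric AES-128; --passphrase-file reads only the first line,
# so the 16 characters are used without the trailing newline.
encrypt_zip() {
    gpg --batch --pinentry-mode loopback --passphrase-file "$ID-sharedsecret.txt" \
        --symmetric --cipher-algo AES128 \
        --output "$ID-signedmessage.enc" "$ID-signedmessage.zip"
}

# Step (h): encrypt the shared secret to the coordinator's RSA key.
# --trust-model always skips the web-of-trust check so the script does not
# stop at "Use this key anyway?"; before relying on it, compare the fingerprint
# printed below with one obtained from Moodle or in person.
encrypt_shared_secret() {
    gpg --import coordinator-publickey.txt
    gpg --fingerprint "$COORDINATOR"
    gpg --trust-model always --recipient "$COORDINATOR" \
        --output "$ID-sharedsecret.gpg" --encrypt "$ID-sharedsecret.txt"
}

# The reverse operations (what the marker does), except decrypting the shared
# secret, which needs the coordinator's private key: instead confirm that the
# .gpg file carries a public-key-encrypted session key packet for that key.
self_check() {
    tmp=$(mktemp -d)
    gpg --batch --pinentry-mode loopback --passphrase-file "$ID-sharedsecret.txt" \
        --output "$tmp/check.zip" --decrypt "$ID-signedmessage.enc"
    unzip -q "$tmp/check.zip" -d "$tmp"
    gpg --verify "$tmp/$ID-message.sig" "$tmp/$ID-message.txt"
    gpg --list-packets "$ID-sharedsecret.gpg" | grep 'pubkey enc packet'
    rm -rf "$tmp"
}

# Usage: sh gpg-steps.sh s123456 "Jane Doe" jane@example.edu coord@example.edu
# (the message file s123456-message.txt from step (a) must already exist).
if [ "$#" -eq 4 ]; then
    ID=$1 NAME=$2 EMAIL=$3 COORDINATOR=$4
    make_shared_secret && make_keypair && export_public_key && sign_message \
        && zip_message && encrypt_zip && encrypt_shared_secret && self_check
fi
```

The --batch, --pinentry-mode loopback and --passphrase-file options exist only to keep the script non-interactive; typed by hand, the same commands without them prompt for the passphrase as the assignment describes. --trust-model always is likewise a scripting convenience, not a substitute for checking the coordinator's fingerprint.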
In your assignment for this question include the list of GPG commands you used in each step above, and with each command, a short explanation of what it does (including what the options do). If a step did not use a GPG command, then just explain what you did in that step.
Once files are submitted, they will be decrypted/verified using the reverse operations of what you were expected to do. If your files successfully decrypt/verify, and the obtained plaintext files are in the correct format, you will receive 7 marks. If the commands are listed and explained correctly in your assignment submission then you will receive an additional 3 marks. If the explanations are incorrect or do not explain options, then you will be deducted 1 to 3 marks (e.g. receive 7, 8 or 9 out of 10 in total).
If your files do NOT successfully decrypt/verify, then your list and explanation of the commands will be reviewed to determine what mistakes you made. For each mistake you will be deducted 3 marks. For example, if you make one mistake but all your other commands and explanations are correct, then you will receive 7 out of 10. Two mistakes will receive 4 out of 10, and so on. Additional marks may be deducted (up to 3) if your explanations are incorrect or do not explain options.
Question 4 – Intrusion Detection with Snort [9 marks]
Objective: gain experience with using Snort and with identifying/analysing packet traces.
You are the administrator for a network that has users exchanging files using various approved server applications (HTTP and SSH). You have discovered that image editing software used in the organisation has a bug such that JPEG image files may trigger malicious behaviour when opened. As one method to minimise the impact of the bug, you have configured the servers to monitor any JPEG files transferred. However you believe some users are exchanging images using other, unapproved, applications. Therefore your task is to identify in real-time which and when users are exchanging JPEG files using unapproved applications. You will use Snort to alert you of such exchanges.
Your task: write Snort rules that alert you of the start of an exchange of a JPEG file that does not involve HTTP or SSH. The rules should be clearly commented. The file a02-assignment-2-question-4-capture.pcap is a trace of the packets exchanged in the network. Use it as an input to Snort to complete this task.
Requirements and Hints:
The computers and ports of the approved HTTP and SSH servers may vary. Therefore, as they may change over time, you CANNOT use IP addresses or port numbers to alert you to an unapproved exchange.
Other file formats exchanged using unapproved applications (non-HTTP, non-SSH) are not of interest to you. You only want to be alerted about JPEG files.
The file a02-assignment-2-question-4-capture.pcap was obtained on a non-standard system that resulted in some erroneous packet checksums. Therefore you MUST use the “-k none” option with Snort to disable all checksum checks.
Print the following message when an unapproved JPEG exchange is initiated:
Exchange of JPEG file using unapproved application
As a hint, there are 5 unapproved JPEG exchanges.
Answer the following sub-questions:
a) Submit your Snort rules as a single file called id-snort.conf (replace id with your student ID). Make sure the rules are clearly explained via the comments in the file. Your file will be tested with the following Snort command:
snort -k none -c id-snort.conf -r a02-assignment-2-question-4-capture.pcap
The alert file produced should contain 5 messages, and the log file produced should contain 5 packets.
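One way to approach part a), added here as an illustrative rule rather than the course's solution, written in Snort 2.9 rule syntax and not checked against the capture file (which is not reproduced on this page): it keys on the JPEG file signature instead of on addresses or ports, as the requirements demand. The sid value and the classtype are assumptions.

```snort
# Added example, not the course's solution. Alert on a TCP segment whose
# payload begins with the JPEG Start-Of-Image marker FF D8 FF. Neither IP
# addresses nor port numbers are used, so the rule keeps working when the
# approved servers move.
#
# Why HTTP and SSH do not need to be excluded explicitly:
#  - an HTTP request or response carries its headers before the body, so a
#    JPEG sent over HTTP does not have the marker at offset 0 of a segment;
#  - SSH encrypts everything after the banner, so the marker never appears.
#
# Caveats a practitioner should note: only the first 3 bytes of each segment
# are inspected (depth:3), so a JPEG whose first bytes are split across
# segments, or a transfer that prefixes its own header, is not matched; and
# the rule fires once per matching segment, not once per file. Snort only
# evaluates the payload if the packet passed checksum checks, hence -k none
# for this capture.
alert tcp any any -> any any ( \
    msg:"Exchange of JPEG file using unapproved application"; \
    content:"|FF D8 FF|"; depth:3; \
    classtype:policy-violation; \
    sid:1000001; rev:1; )
```

Local rules conventionally use sid values of 1000000 and above so they do not collide with distributed rule sets; the msg text is exactly the string the assignment asks to print.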
b) Explain one method that a malicious user could use to avoid detection by your rules.
c) For the 5 alerts, find the actual JPEG images that were exchanged. Hint: you don't have to use Snort to get this answer. You may use Wireshark or other software, however the answer must come only from the capture file provided. For your answer, include the 5 images in your assignment report (do NOT submit the JPEG files on Moodle; just embed them in your report) and explain how you obtained them.
Marking:
a) To obtain 5 marks your Snort rules must return the correct 5 packets using correct conditions (e.g. not using IP addresses, but using conditions that would work for other traces) and have comments that explain the rules. No or poor comments, but correct rules, will result in a score of 2 to 4 marks. Incorrect rules (using the wrong conditions, not matching the correct packets) will result in a score of 0 to 3.
b) The method must be realistic within the context of the scenario and well explained to obtain 2 marks.
c) If all 5 images are included in the report and the method is appropriate you will obtain 2 marks. Including the images with no or poor explanation will result in 0 or 1 mark (depending on part a).