School of Science
COSC2536/2537 Security in Computing and Information
Technology
Assignment 2
Assessment Type: Individual assignment; no group work. Submit online via Canvas→Assignments→Assignment
2.
Marks awarded for meeting requirements as closely as possible. Clarifications/updates may be made via
announcements/relevant discussion forums.
Due date: Week 10, Friday the 14th May 2021 11:59pm
Deadlines will not be advanced, but they may be extended. Please check Canvas→Syllabus or via
Canvas→Assignments→Assignment 2 for the most up to date information.
As this is a major assignment in which you demonstrate your understanding, a university standard late
penalty of 10% per each working day applies for up to 5 working days late, unless special consideration has
been granted.
Weighting: 50 marks (Contributes 50% of the total Grade)
1. Overview
The objective of Assignment 2 is to evaluate your knowledge on the topics covered mainly in Lecture 5 to 10. Topics
include Privacy-preserving computations based on RSA, ElGamal, and Paillier Cryptosystems; Digital Signature,
Blockchain and Cryptocurrency, Digital Authentication & Security Protocols, and Digital Authorization and Intrusion
Detection. However, topics covered in Lecture 1 to 10 are required as a prerequisite. Assignment-2 will focus on
developing your abilities in the application of knowledge, critical analysis, and decision making. Assignment 2 contains
several problems related to the topics mentioned above. You are required to prepare your answers and upload them
as a single PDF or Word document in CANVAS. Only one question requires code submission in the CANVAS if
attempted, and the corresponding code should be uploaded as a ZIP file on the CANVAS. If you answer Q4(b), submit
PDF and ZIP files separately.
In this assignment, there are 5 (five) questions in total. Question 1 is about designing Privacy-Preserving Secure
System. In this question, you are expected to apply your understanding of privacy-preserving computation in the
context of electronic voting (E-Voting) based on the homomorphic property of Paillier Cryptosystems.
Question 2 is about the application of Digital Signature Schemes. In this question, you are expected to demonstrate
your understanding of the RSA and ElGamal digital signature schemes. You are required to show step-by-step
processes for both of the digital signature schemes addressing the sub-questions. Marks will be deducted if you fail
to show the detailed computation correctly, skip the computation steps, or do not provide explanations.
Question 3 is about showing your understanding on RSA-based public key cryptography. In this question, you are
required to analyze the given scenario based on the RSA-based public key cryptography and show detailed steps to
compromise it with numerical example. You are allowed to choose your own value. However, values should be
,
Page 2 of 15
correct. Marks will be deducted if you fail to show the detail computation correctly, skip the computation steps, or
do not provide explanations with numerical values.
Question 4 is on report writing on Blockchain or implementation of a blockchain-based system. Only for this
question, you can submit the solution individually or in a group. In the case of a group submission, the maximum
number of group members can be 3 (three), and you can form the group with students of different classes. In the
solution PDF at the beginning of this question’s answer, you must mention the names of group members with their
class Names (in “DAY- TIME” format, e.g., MON-14:30 – 15:30). In this question, there are 2 (two) options: Q4(a) and
Q4(b). You need to choose any 1 out of the two options. The first option Q4(a) is on report writing, and option Q4(b)
is about the implementation of a blockchain-based system. If you select Q4(a), you are expected to demonstrate your
understanding of the Blockchain and Privacy Preservation and write a well-organized report on a given topic. We are
looking for interesting and innovative system descriptions in the report. You are expected to address the items
mentioned in the problem statement (at least). However, to secure good marks, you have to think out of the box. The
report should be appended in the same document where you write the answers to other questions. Further
instructions are given in the question. If you select Q4(b), you are expected to implement a blockchain system for a
given scenario. You should describe detailed steps of implementation with necessary code segments.
Additionally, you need to submit the code on the CANVAS as a separate ZIP file on the CANVAS. Please DO NOT
include your solution PDF within the ZIP File.
Question 5 is related to analyzing and designing the security of authentication protocols. Your answer should contain
the necessary explanation and diagrams as stated in the problem statement. Marks will be deducted if you fail to
provide the explanation correctly and/or diagrams for all of the protocols.
Develop this assignment in an iterative fashion (as opposed to completing it in one sitting). You should be able to start
preparing your answers immediately after Lecture-5 (in Week-5). At the end of each week, starting from Week-5 to
Week-10, you should be able to solve at least one question.
If there are questions, you must ask via the relevant Canvas discussion forums in a general manner. Also, attend
consultation sessions when announced.
Overall, you must follow the special instructions below:
• You must fulfil the requirements in the questions.
• Upload your solution as a single PDF or Word document in CANVAS. Also, upload codes as a separate
single ZIP file in the CANVAS.
• Do not put the PDF within the ZIP file.
• For the questions that require implementation, you must implement the functionalities stated in the
questions. Any change in a user interface is acceptable if the functionality is there. In your report,
you must show all of the steps with necessary code segments and screenshots for each question.
2. Assessment Criteria
This assessment will determine your ability to:
• Follow requirements provided in this document and in the lessons.
• Independently solve a problem by using cryptography and cryptanalysis concepts taught over the last six
weeks from fifth to tenth weeks of the course.
• Meeting deadlines.
,
Page 3 of 15
3. Learning Outcomes
This assessment is relevant to the following Learning Outcomes:
1. CLO 1: explain the functioning of security services in computing environments and the security issues in
networked applications.
2. CLO 2: discuss various types of data integrity and confidentiality mechanisms including public key
cryptography.
3. CLO 3: describe basic system security mechanisms and protocols, such as those used in operating systems,
file systems and computer networks.
4. CLO 4: analyse the overarching importance of IT security in areas such as networking, databases, operating
systems, and web systems.
5. CLO 5: apply privacy principles in basic practical settings in IT environments.
6. CLO 6: analyse and evaluate the security of computing and IT systems on a practical level and privacy related
issues in computing.
4. Assessment details
Please ensure that you have read Section 1 to 3 of this document before going further. Assessment details (i.e.
question Q1 to Q5) are provided in the next page.
,
Page 4 of 15
Q1. Privacy Preserving Secure Models (Marks: 6)
Privacy Preserving Online Voting System
Recently, several controversies have been observed in voting around the world. Even electronic voting can be
manipulated1. In an electronic voting system, the voting authority cannot be trusted completely as it can be
biased. Using a privacy-preserving online voting system removes controversy in the voting system. In this
privacy-preserving online voting system, voters encrypt their votes in the voting booth before sending them to
the voting authority. A voting server records each encrypted vote and determines the voting result on behalf
of the voting booth as the voting booth does not have enough computation power. The encrypted result is
sent to the voting authority, which determines the winner based on encrypted votes. The homomorphic
property of the Paillier Cryptosystem allows the addition of encrypted numbers. Therefore, the Paillier
Cryptosystem can be used in developing a privacy-preserving online voting application.
In this task, you need to design a privacy preserving online voting system as shown in Figure-1 using the Paillier
cryptosystem. Suppose that a group of students want to elect their club president.
Your designed privacy-preserving voting application must fulfil the following requirements:
• Votes must be encrypted from Voting Booth using Paillier Cryptosystem before sending them to the
Voting Server.
• A vote is an integer number which should be equivalent to a 12-bit binary string.
• The number of candidates should be three. For example, ALICE, BOB, and EVE.
• The number of voters can be maximum 16.
• Assume that four voters will vote for ALICE, two voters will vote for BOB, and two voters will vote for
EVE. after counting the votes, the Voting Authority (VA) should find four votes for Alice, two votes for
BOB, and two votes for EVE.
• The Voting Authority chooses p=157, q=127 and select g=8821.
• The private numbers chosen by 8 voters and their votes are as follows:
Voter
No.
Voter’s Private Number, r Vote for Voting message, m
1 91 ALICE 000000000001 = 1
2 92 ALICE 000000000001 = 1
3 93 ALICE 000000000001 = 1
4 94 ALICE 000000000001 = 1
5 95 BOB 000000010000 = 16
6 96 BOB 000000010000 = 16
7 97 EVE 000100000000 = 256
8 98 EVE 000100000000 = 256
• The Voting Authority sets up required public and private keys and makes the public-keys to all voting
booth before the vote starts.
,
Page 5 of 15
Figure-1.2: Privacy-preserving voting system
Show detail step-by-step computations of the key generation, encryption, homomorphic computations, and
decryption processes for votes of 8 voters.
[Note: Refer to the Week 5 lecture and Workshop-5.]
[1. https://www.dw.com/en/democracy-in-danger-elections-are-easy-to-manipulate/a-45858161]
[If you are interested to implement a broader version of this system as the Capstone/Honours project, please contact
the Lecturer]
Q2. Application of Digital Signature (Marks: 7)
The working procedure of the digital signature is illustrated in Figure-3. It is recommended that you use the
concept of digital signature to answer both Q2(a) and Q2(b).
Figure-3: Overview of the Digital Signature
ALICE BOB EVE
Candidates
,
Page 6 of 15
(a) Digital signature for large text message (Marks: 3)
Suppose Bob (the sender) wants to send a large text message M to Alice (the receiver). The text message M
is as follows (in bold and italic face):
Blockchain gained notoriety and quickly became part of popular parlance during 2017’s unprecedented
cryptocurrency boom. The technology builds on longstanding concepts and techniques in distributed
transaction processing and encryption. Software developers initially brought these ideas together in a
remarkably innovative manner to support Bitcoin’s 2009 launch, giving rise to the first “blockchain”
network. Cryptocurrencies, many of which use the concepts Bitcoin introduced, continue to proliferate
Before sending the message, Bob generates a hash h(M) of the text message M using the MD5 hash algorithm
and converts h(M) into integer message m. Then, he signs the m and sends it to Alice. When Alice receives the
signed message, she would like to verify that the message is indeed from Bob. To facilitate signing and
verification, Bob generates public and private keys using RSA encryption algorithm and sends the public key
to Alice. Bob uses the following parameters:
1st Prime number: p = 430620674058481288123238045697123658933
2nd Prime number: q = 124566090654136987961913344431645866767
Public key parameter: e=23
In this task, you need to show how Alice generates digital signature for a large text message and Bob verifies
the signature using RSA based digital signature scheme. To do this:
i. Show how Alice would generate Public and Private keys.
ii. Show how Alice would generate the digital signature for M.
iii. Show how Bob would verify the digital signature using Alice’s public-key.
iv. Do you think that RSA based digital signature can be forged? Justify why or why not.
[Note: Refer to the Week 6 Lecture and Workshop-6 and the “Running Example of RSA Signature for Text
Message” of Week-6 lecture notes.
Use the following links:
For generating MD5 hash: http://www.miraclesalad.com/webtools/md5.php
For converting hexadecimal to decimal and vice versa:
https://www.mobilefish.com/services/big_number/big_number.php
For performing large integer operations (power mod, inverse mod, LCM, GCD, Multiplication):
https://www.mobilefish.com/services/big_number_equation/big_number_equation.php ]
(b) ElGamal based digital signature scheme (Marks: 4)
Recently, Charlie has developed a software for Alice’s Restaurant. Alice emails the payable amount (M) to her
manager Bob. To ensure the integrity and authenticity, Alice generates a digital signature for the above
amount with ElGamal based digital signature scheme and sends the signed message to Bob via email.
Alice chooses ElGamal public key (i.e., modulus p and generator g) and private-key (i.e., secret number x).
Bob chooses a random number r. The equivalent decimal numbers as follows:
In this task, you need to show how Alice generates digital signature and Bob verifiesthe payable amount using
ElGamal based digital signature scheme. To do this:
i. Show how Alice would generate Public and Private keys.
ii. Show how Alice would generate the digital signature for M.
M = 2300, p = 191447, g = 425, x = 1998, r = 2813
,
Page 7 of 15
iii. Show how Bob would verify the digital signature using Alice’s public-key.
iv. Does ElGamal Signature approach prevent cheating on digital signature? Justify why or why not.
[Note: Refer to the Week 6 Lecture and Workshop-6.]
Use the following links:
For performing large integer operations (power mod, inverse mod, LCM, GCD, Multiplication):
https://www.mobilefish.com/services/big_number_equation/big_number_equation.php ]
Q3. Compromising Public Key Cryptography (Marks: 7)
Assume that Jenny and Kelly are secretly communicating using an RSA-based public-key cryptosystem. Alex is
an intelligent guy who is intercepting the communications between Jenny and Kelly. Say, Alex has intercepted
a ciphertext C that Kelly created by encrypting a message M using Jenny’s public key and was being sent to
Jenny. As Alex does not know Jenny’s private key, he plans to do a trick to find out M. Alex challenges Jenny
that he can decrypt the message M if Jenny agrees to encrypt another message (any message except C) using
her private key.
You are expected to explain if it is possible for Alex to find M using the trick? Explain with a numerical example
for each step.
Q4. Secure systems - Report Writing or Implementation (Marks: 20)
You need to answer any 1 of the following question in a group of maximum 3 (three) people. However, it is
absolutely fine if you want to do it individually.
(a) Report Writing on Designing a Secure System
Buying real estate involves many complex tasks from both buyer and seller points of view. The main tasks of
the buyer involve searching for a suitable property, arranging finance, and verifying the property information.
A seller has to ensure proper permits (e.g., land titling, building permit, approve building design, etc.) from the
designated authority to sell real estate. The financial organization (e.g., bank) plays an important role by
ensuring the buyer's financial solvency. A bank collects several personal documents of a buyer and verifies them
before providing finance to a buyer. Overall, digital real estate purchasing and selling management involves the
collection of sensitive (i.e., personal) data of both buyer and seller. Also, purchasing and selling requires
approval at different levels which creates avenues for the breach of privacy of collecting sensitive data and
fraudulence (by providing fake documents or tampering information) from both buyer and seller point of view.
Write a report on how the blockchain technology can be used to prevent document or information tampering
and the privacy of sensitive data of both buyers and sellers can be preserved in digital real estate purchasing
and selling management systems.
The report should be well structured having a proper introduction, main body, and concluding remarks. You
must provide necessary diagrams based on your own thoughts as well as collected from different sources.
The report must contain the followings (but not limited to):
i. An overview of the traditional digital real estate purchasing and selling management systems
with one or more scenarios of possible privacy breach and data tampering.
ii. Necessary diagrams for illustration whenever required.
,
Page 8 of 15
iii. Briefly explain your understanding of privacy-preserving digital real estate purchasing and selling
management systems with necessary diagrams with a brief summary of different privacypreserving
techniques that can be used in this scenario.
iv. Briefly explain your understanding on the Blockchain technology and its usefulness in different
applications.
v. Explain with necessary diagrams how a privacy-preserving digital real estate purchasing and
selling management systems can be integrated with blockchain technology.
vi. Explain how the integrity and traceability of data can be achieved using blockchain in your
specified system.
vii. Explain the challenges of using privacy-preserving techniques and blockchain technology in
digital real estate purchasing and selling management systems.
You must provide necessary references (at least 15) using APA referencing style including both research and
online articles. Articles can be searched in:
• Google,
• Google Scholar (https://scholar.google.com/),
• IEEEXplore (https://ieeexplore.ieee.org/Xplore/home.jsp), etc.
Texts should be presented in IEEE Double-Column format with maximum 6 pages. For your convenience, a MS
Word template for the report is provided in the Assignment-2 Home Page on CANVAS.
[Note: Refer to the Week 7 lecture and Workshop-7.]
(b) Implementation of a Blockchain-based digital real estate
purchasing and selling management system
[Note: You should attempt this task if you have prior programming skills. Otherwise, answer Q5(a).]
Implement a blockchain-based digital real estate purchasing and selling management systems that will ensure
integrity and traceability of data. The implemented blockchain-based digital real estate purchasing and selling
management systems should fulfil the following requirements:
• The system should have four types of users: seller, authority, buyer, and bank.
• A seller can a create a permit application with the following information: property address,
owner/vendor details, building design (in this case just upload a PDF file with name “design.pdf”), and
seller licence number (e.g., L1001). Upon the submission of the permit application, information
mentioned above should be stored in the blockchain and the seller will receive a permit application ID.
• An authority can either approves or disapproves a permit application. The decision should be stored in
the blockchain along with the property address which can be verified later.
• A buyer can send a loan application to a bank with his/her personal details (e.g., full name, date of birth
(DOB), current address, contact number, employer name, annual income, address of the property
intended to purchase, and loan amount). Upon the submission of the loan application, information
mentioned above should be stored in the blockchain and the buyer will receive a loan application ID.
• A bank either approves or disapproves a loan application by verifying the status of the permit of the
property. The decision should be stored in the blockchain along with the buyer’s full name, current
address, contact number, and date of birth which can be verified later by a seller.
,
Page 9 of 15
• The seller can verify the loan application status of a buyer before the deal. If the status of the loan
application of a buyer is “approved”, the seller makes the deal. Otherwise, the deal is cancelled. The
buyer can see the deal status.
You are allowed to use any programming language or scripting language such as Java, PHP, Python, JavaScript,
etc. A good graphical user interface (GUI) is expected. However, you can also provide user friendly commandline
user interface. Upon completion of the implementation, you are expected to:
I. Create a report containing the implementation details and user instructions.
II. Upload your code and report in the CANVAS.
[Note: Refer to the Week 8 Lecture and Workshop 8.]
[If you are interested to implement a broader version of this system as the Capstone/Honours project, please contact the
Lecturer]
Q5. Designing a Secure Authentication Protocol for a One-to-One
Secure Messaging Platform (Marks: 10)
(a) Analysing the security strength of authentication protocols
(Marks: 7.5)
Assume that you have been hired to design a secure mutual authentication and key establishment protocol for
a new messaging software. In the software, two users (ex: Alice and Bob) needs to exchange messages using a
public-key cryptography based authentication protocol to achieve mutual authentication and establish a
secure session key (K) before the start of the conversation as shown in Figure-6. According to the given scenario,
Alice and Bob should exchange three messages to achieve mutual authentication and establish the secure
session key (K). Assume that Alice is the initiator of the communication. Alice sends “Message 1” to Bob and
Bob replies with “Message 2”.
Figure-6: Overview of the secure mutual authentication and key establishment protocol
You have options to choose from several protocols and analyzing their security strength. The prospective
security protocols are as follows:
,
Page 10 of 15
i. In protocol-1, Message 1: {“Alice”, K, RA}Bob, Message 2: RA,RB
ii. In protocol-2, Message 1: “Alice”, {K, RA}Bob, Message 2: RA, {RB}Alice
iii. In protocol-3, Message 1: “Alice”, {K}Bob, [RA]Alice, Message 2: RA, [RB]Bob
iv. In protocol-4, Message 1: RA, {“Alice”, K}Bob, [RA]Alice, Message 2: [RA]Bob, {RB}Alice
v. In protocol-5, Message 1: {“Alice”, K, RA, RB}Bob, Message 2: RA, {RB}Alice
In this task, you need to critically analyze the above protocols and clearly explain which protocol or protocols
would be secured and why. Notations are summarized below:
K : Session key
RA : Nonce generated by Alice
RB : Nonce generated by Bob
{“Message”}Alice : Encryption Function that encrypts “Message” using Alice’s public Key
[“Message”]Alice : Encryption Function that encrypts “Message” using Alice’s private Key which is also
known as signed “Message” by Alice
[Note: Refer to the Week 9 lecture and Workshop 9.]
(b) Designing a secure authentication protocol (Marks:
2.5)
Assume that Alice and Bob want you to design a secure two-message authentication protocol (requires only
two messages to achieve mutual authentication as shown in Figure-7) for their chat application that will provide
mutual authentication and establish a session key (K) for each communication. While designing the
authentication protocol, you should remember that public-keys of both sender (e.g., Alice) and receiver (e.g.,
Bob) are known to everyone in the network. Therefore, it important to ensure anonymity of the communicating
users in the authentication protocol. For your information, if an authentication protocol provides anonymity
then an attacker cannot identify the person who is communicating. In other words, a message in the
authentication protocol providing anonymity does not reveal user’s identity.
Figure-7: Overview of the two-message secure mutual authentication and key establishment protocol
In this task, you need to explain the followings with diagrams:
i. Show a two-message authentication protocol that will achieve mutual authentication for two
communicating users (say, Alice and Bob).
ii. Assume Trudy is a passive attacker who can only watch messages between Alice and Bob. Trudy cannot
perform any replay or Man-in-the-Middle (MiM) attack. Now, analyse critically if your protocol ensure
,
Page 11 of 15
anonymity or not from Trudy. If your protocol does not provide anonymity, what changes are required
to your protocol to ensure anonymity?
[Note: Refer to the Week 9 lecture and Workshop 9.]
,
Page 12 of 15
5. Academic integrity and plagiarism (standard warning)
Academic integrity is about honest presentation of your academic work. It means acknowledging the work of others
while developing your own insights, knowledge and ideas. You should take extreme care that you have:
• Acknowledged words, data, diagrams, models, frameworks and/or ideas of others you have quoted (i.e. directly
copied), summarized, paraphrased, discussed or mentioned in your assessment through the appropriate
referencing methods,
• Provided a reference list of the publication details so your reader can locate the source if necessary. This includes
material taken from Internet sites.
If you do not acknowledge the sources of your material, you may be accused of plagiarism because you have passed
off the work and ideas of another person without appropriate referencing, as if they were your own.
RMIT University treats plagiarism as a very serious offence constituting misconduct. Plagiarism covers a variety of
inappropriate behaviors, including:
• Failure to properly document a source
• Copyright material from the internet or databases
• Collusion between students
For further information on our policies and procedures, please refer to the University website.
6. Assessment declaration
When you submit work electronically, you agree to the assessment declaration.