TDDD17 Information Security, Second Course
Project assignment is closed!
|Project id||Project name||Supervisor||Assigned students|
|001||Passphrase security in practice||Jan-Åke Larsson||Group A: Oliver Poignant, Pontus Thulin
Group B: Georgios Rizothanasis, Rahul Kumar Dutta
|002||Quantum key distribution in practice||Jan-Åke Larsson||Pierre Mousa, Carl Beckman|
|003||Covert channels in the cloud||Jan-Åke Larsson||Tim Hedlund, Patrik Bjurling|
|004||Literature study on cloud computing||Nahid Shahmehri||Group A: Paul Borek, Avraam Mavridis
Group B: Kaveh Rezania, Eunyoung Kim
|005||Analysis of Raspberry Pi||Nahid Shahmehri||Group A: Olle Westrin, Mattias Rönn
Group B: Tobias Alm Alström, Christian Tennsted
|006||Evaluation of physical security in a movie||Nahid Shahmehri||Group A: Sara Fekade, Johannes Jarbratt
Group B: Rentas Dimitris, Marinos Makedos
|007||Automated categorization of identity federations||Anna Vapen||Viktor Dahl, David Odelberg|
|008||Mandatory access control with SELinux||David Byers||Erik Sundqvist, Bahar Abbaspour Fasai|
|009||Practical WLAN security||David Byers||Group A: Tim Ziegenbein, Robert Udd
Group B: Claire Vacherot, Gustav Ahlberg
|*011||Plug computer||David Byers||Rasmus Holm, Erik Sparre|
|*012||User identification using input devices||Nahid Shahmehri||Jacob Pogulis|
Some systems use pass phrases rather than passwords for user authentication, e.g., PGP or GPG keyrings, WiFi routers, or disk encryption software. There exists specialized advice on how to choose passphrases in particular, and some systems also have limitations on what phrases are possible. But how do real users follow this advice? Have they even heard it? Do they find it cumbersome to adhere to it? Do they have problems with enforced restrictions on passphrase choice? Study restrictions from your own experience and searches of sites! Also create categories of passphrases and make a survey of to which extent user passphrases belong to each category according to their owners! (Categories can be names/words close to user, passphrases found in dictionaries, passphrases shared for several or all sites, passphrases following pattern for different sites etc.) Another possibility is to evaluate passphrase generation tools that can be found in the wild. Do these generate secure/useful/trustworthy passphrases? Finally make a summary of your view of passphrase security in practice. This summary should be based on passphrase guessing capabilities of possible attackers.
New technology has made quantum key distribution hardware relatively cheap, but there are still some drawbacks. Among these are the need of a dedicated fibre (for fibre-based systems), a limited range, and the problem of seed authentication key distribution. Make an overview of the technology, describing these and other possible reasons that hinder wide deployment of the technology. What recent advances have been made that improve the performance of the systems, for each of the problems? Are new developments expected in the short time frame/long time frame? Are there more fundamental problems that are not likely to be solved soon? What is the possible user base, who uses the system now, and who may use them in the short term? What is the main showstopper?
There are now several cloud storage solutions to choose from for private and enterprise users. These are typically used for backup purposes, as cooperation platforms, for more simplistic data sharing, or just as a flexible data storage. Some providers use a technique called "deduplication", which ensures that identical files only are uploaded once. If a file already exists at the provider and a user attempts to upload it (again), the system notices this and gives the user a link to the already existing file, rather than uploading it a second time. This saves bandwidth and storage at the provider, but it incurs some new security issues. For example, this can be used to create a covert channel: attempt to upload a file and use the occurrence of deduplication as one communicated bit. Your task is to test that this does indeed work as a covert channel, and to extend this to more complicated messages. There are a number of initial questions that need to be answered in this setting. What services perform deduplication? How do you detect if deduplication has occurred? Is there an efficient way to set up your covert channel? You can also ask what other threats to privacy or more general security are enabled by deduplication.
Prerequisites: To be able to do this you need to know how to extract this type of information from your browser. More advanced communication may need programming in shell or Python, using wget or some other access means that are more directly controllable than your browser.
Today, information can conveniently be stored in the cloud and thus become accessible to the user from any location. Cloud computing also makes it possible to hire processing power and storage in order to store and process information without the need for local data centers. However, this way of distributing storage and computation may lead to new security and privacy problems. In this project you will study existing cloud services and compare them from a security perspective. The project will result in an in-depth theoretical analysis of cloud security.
Computers are getting smaller and more portable, an example of such a small computing device is the Raspberry Pi. In this project you will set up a Raspberry Pi with default settings and apply port scanning and penetration testing on it. You will also do a risk analysis with RMF in order to find ways of exploiting the system. Thereafter you will suggest suitable mitigations (depending on the results of your analysis and tests) and patch the system.
Prerequisites: Good knowledge of Linux and programming experience.
Evaluate physical security as well as information security as depicted in a movie or TV series, such as "Person of interest". Describe and evaluate scenarios and compare to the theory and reality.
Today, many websites offer their users the ability to access the website by using an account from another website (e.g. a user can access Yahoo by using their Google or Facebook account instead of creating a separate Yahoo account). Sites which accept authentication from other websites are called relying parties and sites which offer authentication for the relying parties are called identity providers. Together these two types of websites form an identity federation. In this project you will investigate the following: which type of websites collaborate in identity federations? Compare websites from different countries, with different contents etc. Which protocols and frameworks are used in the federations? You will create a program which parses websites and maps currently existing identity federations and their features. The focus will be on finding websites which is part of a federation and deciding which type of website it is (e.g. an e-commerce site or a social network).
Prerequisites: This project requires programming skills. We recommend that you have done the authentication lab in this course.
SELinux is an implementation of mandatory access control for Linux that has become widespread and is now enabled by default in many distributions.
In this project you will study and explain the theoretical model and architecture behind SELinux (type enforcement, FLASK, Linux Security Modules). You will also look at the practical aspects of SELinux (default policy, tools to develop policy, how it is used in e.g. RedHat, CentOS and Ubuntu), and try it out for yourself.
Prerequisites: This project will require a working understanding of Linux for to try it out. We can provide a virtualized environment on which to experiment with SELinux, but strongly recommend that you provide your own computer, since this will make things a lot easier.
Wireless networks present some particularly difficult security problems since physical access to the networks are not limited. In this project you will study the known security issues with 802.11 networks and the various mechanisms (WEP, WPA, RSN) that have been proposed to improve security. You will also study denial of service attacks and mitigation methods, as these are not part of WEP, WPA or RSN and the physical aspects of wireless security and intrusion detection in wireless networks.
You will also launch at least two serious attacks on a wireless network using a Linux laptop as your platform. Specific attacks and targets will be chosen in cooperation with course staff. At least one of these attacks will be demonstrated live in class.
Prerequisites: This project requires a good understanding of computer networking, particularly of protocols such as Ethernet, IP, TCP and DNS. Completing the practical part of this project will require previous experience with Linux networking. You will probably have to learn new tools, install and configure network services, and you may have to write or modify low-level network code.
Note: We have very little equipment to lend you, so plan on providing your own equipment (usually a laptop with Linux and WiFi and an access point are the minimum requirements).
Page responsible: Nahid Shahmehri
Last updated: 2013-04-16