Cybersecurity Project
Western Illinois University
 
 
Welcome to Cybersecurity Education Project Home Page
  

CS395 Computer Privacy and Security

Some assignments developed for the course are given below. More assignments may be developed based on the individual instructor's needs.

Assignment No. 1: Data Encryption

Develop a secure XOR encryption program. The program should read in a block of text (say, a couple of paragraphs) and convert it to ciphertext.

Do the following:
  1. Study the attached sample program (XOR.java) and understand what it does. This program of course has some security problems. Find and fix those.
  2. Develop a secure program that produces a stream cipher (XOR encryption) given a block of text.
  3. Make sure the ciphertext can be decrypted at the receiver's end.
  4. Should decryptions be performed in the same order? Experiment. (Answer Yes or No with your reasoning.)
  5. Take measures to reduce data lifetime.
  6. The security of encryption depends on key length. Write a paragraph explaining this concept to a novice user.
  7. Design a usable interface for novice users to obtain different levels of security based on their security needs.
  8. Make the program as usable as possible. Ask your friend or family member (without CS background) to try the program and give you feedback. (Write a paragraph on what you did and how this exercise improved your program design.)
(Note: We provided a sample program (XOR.java) with methods to convert String to BigInteger and vice versa. The program may be easily modified to implement RSA or Java Cryptographic Extension (JCE) based on the focus of your course.)
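The following sketch is an added example, not the course's XOR.java and not a reference solution. It shows one way to approach items 2 through 5: key bytes come from `SecureRandom`, XOR is applied in place on `byte[]` buffers, two key layers are removed in both orders, and every sensitive buffer is overwritten afterwards. The class name, method names and sample message are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration; all names here are hypothetical, not taken from XOR.java.
public class XorStreamDemo {

    // Fresh key as long as the message, from a CSPRNG (not java.util.Random).
    // A key must never be reused for a second message.
    static byte[] newKey(int length) {
        byte[] key = new byte[length];
        new SecureRandom().nextBytes(key);
        return key;
    }

    // XOR is its own inverse, so the same call encrypts and decrypts.
    // Working in place avoids leaving extra copies of the data on the heap.
    static void xorInPlace(byte[] data, byte[] key) {
        if (key.length < data.length) {
            throw new IllegalArgumentException("key shorter than data");
        }
        for (int i = 0; i < data.length; i++) {
            data[i] ^= key[i];
        }
    }

    // byte[] can be overwritten; an immutable String cannot.
    static void wipe(byte[]... buffers) {
        for (byte[] b : buffers) {
            Arrays.fill(b, (byte) 0);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input.
        byte[] original = "Meet at the library at noon.".getBytes(StandardCharsets.UTF_8);
        byte[] k1 = newKey(original.length);
        byte[] k2 = newKey(original.length);

        byte[] cipher = original.clone();
        xorInPlace(cipher, k1);              // first layer
        xorInPlace(cipher, k2);              // second layer

        byte[] sameOrder = cipher.clone();   // remove k1, then k2
        xorInPlace(sameOrder, k1);
        xorInPlace(sameOrder, k2);
        byte[] reversed = cipher.clone();    // remove k2, then k1
        xorInPlace(reversed, k2);
        xorInPlace(reversed, k1);

        System.out.println("k1 then k2 recovers text: " + Arrays.equals(original, sameOrder));
        System.out.println("k2 then k1 recovers text: " + Arrays.equals(original, reversed));
        wipe(original, sameOrder, reversed, k1, k2);
    }
}
```

Overwriting arrays is best effort on the JVM, since the garbage collector may have copied a buffer before it was wiped; it shortens data lifetime but does not guarantee erasure.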

References

  1. Secure Random API
  2. Scanner API
  3. BigInteger API

Assignment No. 2: Pretty Good Privacy

Pretty Good Privacy (PGP) is a tool for performing encryption and decryption. PGP may also be used to sign and verify documents. See the PGP Intro Page to learn more. Use the PGP software (installed in Stipes 309) to generate keys. Encrypt and decrypt a text file. Try signing and verifying. Study the PGP user interface. How easy is it for someone to send and receive encrypted emails using PGP?

  • Ask an "everyday" user to find out his/her understanding on terms such as public key, certificate, cryptography. Write a paragraph on what you learned.
  • Perform a cognitive walkthrough and heuristic evaluation on the PGP interface.

Please read the paper Why Johnny Can't Encrypt to learn about the usability problems of PGP.

Design a better interface as per the suggestions in the paper. Submit your design as a PowerPoint or image file.

  • Have another student perform a cognitive walkthrough and heuristic evaluation of your interface. Submit the results.

Deliverables

  1. Your encrypted/signed file using PGP
  2. Your new interface design (for PGP)
  3. Documentation of Cognitive walkthrough and heuristic evaluation
(Note: if your focus is not cryptography, you may use some other security interface such as login screens or browser "Internet Options".)

Assignment No. 3: Threat Modeling

Perform threat analysis on an application you like (such as Facebook, WebCT, or Zimbra). You should do this assignment with your project partner. Identify potential vulnerabilities from both technical and human perspectives and suggest safeguards based on as much information as you can gather about the system through, of course, legal means; draw threat trees and mitigated threat trees. Since you are not designing and building the system, your DFD will be based on one plausible design of the system you choose.

(We found it often helpful to provide a worksheet for threat modeling problems.)


Other Possible Assignments

A) This assignment explores users' mental models of security on the Internet and introduces the method of the "talk-aloud" interview. Choose a few websites, and ask another person (who is not an expert user) to visit these sites and to talk out loud about how they trust the websites they visit. Are they concerned about security, and if so, how do they know they are secure? How do they know they are at the correct site and that any information they submit is protected? E.g., notice if there are any procedures they follow, or indicators they look for. Next, find some examples of fraudulent phishing or malware distribution websites to understand the techniques attackers use to fool users (examples of fraudulent sites can be found at www.phishtank.com). Write a few paragraphs that describe your findings and address the following:

  • What mental models of Web security do users have, and how does this compare to the reality of how the Web works?
  • How do attackers exploit users' motivations and understanding?
  • How do users' mental models protect them from, or make them vulnerable to, phishing attacks?
  • As a security designer, what techniques can you suggest that would help to protect users from these types of attacks?

B) The Facebook Privacy Settings are an example of the difficulties in designing access control policies that users can understand, control and configure. Facebook has been widely criticized for the complexity of its privacy settings interface (e.g., see https://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html). Visit the Facebook Privacy Settings page and perform a heuristic evaluation. Can you suggest design changes to the underlying access control mechanism and the user interface that would help users better understand and manage the personal information they share with others?

Note: this could be included in Assignment #3 or can be a stand-alone assignment.

C) Given a particular application, students can be asked to come up with an Access Control Matrix following the principle of least privilege. Students can then analyze whether that privilege assignment makes sense considering usable security (from a use perspective). For example, if an automatic system update needs an administrator's manual authorization, it can be counterproductive, rendering the system less secure.

Cybersecurity Education 8
Stipes 447I
Computer Science Department
Western Illinois University
1 University Circle
Macomb IL-61455

This material is based upon work supported by the National Science Foundation under Grant No. 0736643. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.