====== a4m36bis -- Information and Systems Security ======

==== Contacts ====

  * Martin Rehák [[rehakmar@fel.cvut.cz]]
  * Tomáš Pevný [[pevnytom@fel.cvut.cz]]
  * Jan Stiborek [[jan.stiborek@agents.felk.cvut.cz]]

==== Requirements ====

  * 3 absences are allowed
  * grade based on results from semester

=== Points ===

^ Assignment ^ Required points ^ Extra points ^
| DefCon | 5 points | 3 points |
| Timing attack | 5 points | 5 points |
| Steganography/steganalysis | 10 points | 0 points |
| AVAST - part 1 | 2 points | 3 points |
| AVAST - part 2 | 2 points | 3 points |
^ Total ^ 24 points ^ 14 points ^

^ Grade ^ Points ^
| A | 21 - 24 |
| B | 18 - 20 |
| C | 15 - 17 |
| D | 13 - 14 |
| F | 0 - 13 |

=== Security ===

  * 2 assignments announced during the semester and completed before the end of the semester can provide extra points for the exam
  * Every student should use their own laptop with Kali Linux [[http://www.kali.org/]] (or any other Linux distro with the particular tools). It can mostly run in a VM, but some labs will require running it without virtualization (mainly for Wi-Fi cracking)

=== Steganography/steganalysis ===

  * Gentle introduction to steganography and steganalysis is {{:courses:a4m36bis:lecture_1.pdf| here.}} The proof of the Square root law for independent covers can be found here: [[http://www.cs.ox.ac.uk/andrew.ker/docs/ADK40B.pdf| Square root law requires linear key]], Andrew D. Ker, 2009.

Implementation of Least Significant Bit Matching. The embedding function has the signature ''function embed(iFileName,message,key,oFileName)'', the extraction function has the signature ''function message=extract(image,key)''. A script to verify the correctness of the solution can be found {{:courses:a4m36bis:testhomework.zip|here.}}

=== Steganalysis ===

  * Explanation of the Fisher Linear Discriminant classifier, Receiver Operating Characteristics, threshold selection. Implement Fisher Linear Discriminant as a ''function v=fld(P,N)'', where P is the matrix with positive samples (each row corresponds to one sample) and N is the matrix with negative samples. Implement a function drawing Receiver Operating Characteristics as ''function roc(P,N,w)'' (use ''plot'' to plot the graph; do not forget to label the axes).
  * Introduction to modern steganalytic features. Paper about [[http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=5437325| SPAM]] features and their later extensions [[http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=6197267| rich models]] and [[http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6642106 | PSRM features.]] Implement (1st order) SPAM features as a ''function f=spam(image_name)''.
  * Implement your own detector of LSB matching and use it on images downloaded from [Will be provided soon]. Images for training can be downloaded here: [[https://www.dropbox.com/s/3ftph61lst5q0cz/cover.tar.bz2?dl=0|covers]]. The decision of your classifier should be submitted as a column vector, where 1 means the image is stego and 0 means the image is cover. The order should reflect the names (ids) of the images.
  * Provide the output of your detector on the [[https://www.dropbox.com/s/gd25p01f66672pt/ranking.tar.bz2?dl=0|ranking]] images. The output should be a text file with one column, where every line is the output of the detector on one image, ordered according to image numbers. Zero means the image is cover (without a message), whereas one means the image is stego (with a message). Accuracy over 70% gives 2 points, below 60% zero.

===== Labs =====

=== Labs 1 - 8.10.2015 - Intro, first assignment ===

  * Basic info about the course
  * Network Forensics Puzzle Contest
    * The goal of this assignment is to crack as many levels as possible
    * 1 point for each level, i.e. 8 in total
    * Data available at [[http://uloz.to/soubory/Sfinx13/data/]] - TrueCrypt image
    * First password is SYN-SYNACK-ACK=STart!@#$&@ that unlocks the first round
    * Second round was cracked during the labs - password for the next is MTA567=@
    * Every round contains a question that has to be answered. Send the answer by email to [[jan.stiborek@agents.felk.cvut.cz]]. If the answer is correct, the password for the next round will be provided.
    * Groups are allowed (2-3 people), but specify the group in the email with the answer.

=== Lab 5 - 5.11.2014 - Cryptography in java + Homework : timing attack ===

  - OpenSSL connection
  - Symmetric crypto
  - Messenger project {{:courses:a4m36bis:messenger.zip|here}}, {{:courses:a4m36bis:preparekeys.txt|preparekeys.txt}} - rename to preparekeys.sh, {{:courses:a4m36bis:securityutils.java|securityutils.java}}

== Homework: ==

Demonstrate an attack on the timing vulnerability in the Google Keyczar library HMAC computation. Your goal is to find the signature of a message without knowing the correct key. Download the bundle - {{:courses:a4m36bis:timingattack.tar.gz|Keyczar bundle}}. The bundle contains:

  * Java sources with the vulnerable version of the Keyczar library. The vulnerability has been amplified by issuing a ''Thread.sleep(1)'' in the byte-by-byte array comparison. This should be enough to make the timing attack feasible without advanced statistics.
  * Dependencies in “libs”.
  * A key in “keys”.
  * **DEADLINE: 10.12.2015 23:59**

The project should be easy to import into any IDE from the Maven model.

  * The verification class (''cz.cvut.keyczar.Verifier#verify(byte[] data, byte[] signature)'') - the code that verifies the HMAC of a string and should be attacked by forging a valid HMAC without knowledge of the secret key.
  * Signature generator - to create a signed file yourself or study the anatomy of the HMAC byte format.
  * You can select the difficulty of the homework by specifying the "difficulty" Java property (''-Ddifficulty='', e.g. ''-Ddifficulty=HARDEST'', [[https://docs.oracle.com/javase/7/docs/technotes/tools/windows/java.html]]). Options are:
    * NORMAL - 5 points
    * HARD - 7 points
    * HARDEST - 10 points

Example of how to run the HMAC verifier:

<code java>
// Directory containing a key set - for more info see JavaDoc
Verifier keyCzarVerifier = new Verifier("keys");
// Original message in plain text
byte[] message = "Hello world".getBytes();
// HMAC signature of the message
byte[] hMAC = new byte[]{};
boolean result = keyCzarVerifier.verify(message, hMAC);
</code>

Extra points (3 extra points) for performing the attack by interprocess communication (via stdin/out - class ''cz.cvut.keyczar.homework.VerificationServer'') instead of directly calling and timing the verifier.

**Allowed relaxations:**

  - You can compare the guessed bytes against a valid signature, but you may not use the signature to guess the bytes. The program is allowed to make wrong guesses, but not too many!
  - You can help the timing by issuing a longer sleep, but justification is required.
  - You can use Keyczar bindings for another language, e.g. Python or C++. Make sure you’ve got the correct (vulnerable) version: revision 412. You can modify the array comparison to include a sleep or similar call.

=== Lab 6 - 12.11.2015 - Penetration testing - Intro, information gathering ===

  * Info about the basic concepts of penetration testing
  * NMap tool - [[http://nmap.org/book/man.html]]
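
Added example for the Lab 5 timing-attack homework (not part of the course bundle and not Keyczar code): why an early-exit byte-by-byte comparison leaks how many leading signature bytes are correct, next to a comparison whose work does not depend on the data. The class name, key and message are constructed for illustration, and the comparison steps are counted instead of timed so the output is deterministic.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CompareLeakDemo {
    static int steps; // bytes inspected by the most recent comparison

    // Early-exit comparison: the work done grows with the length of the matching prefix.
    static boolean leakyEquals(byte[] a, byte[] b) {
        steps = 0;
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            steps++;
            if (a[i] != b[i]) return false; // returns at the first mismatch
        }
        return true;
    }

    // Constant-time comparison: every byte is inspected, differences are accumulated.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        steps = 0;
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            steps++;
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed key and message, for illustration only.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] tag = mac.doFinal("Hello world".getBytes(StandardCharsets.UTF_8));
        for (int prefix : new int[]{0, 1, 5, tag.length}) {
            byte[] guess = tag.clone();
            for (int i = prefix; i < guess.length; i++) guess[i] ^= 0x01; // corrupt the tail
            leakyEquals(tag, guess);
            int leaky = steps;
            constantTimeEquals(tag, guess);
            System.out.printf("correct prefix=%2d  leaky steps=%2d  constant-time steps=%2d  isEqual=%b%n",
                    prefix, leaky, steps, MessageDigest.isEqual(tag, guess));
        }
    }
}
```

In production Java code, ''MessageDigest.isEqual'' is the JDK's constant-time comparison for MAC and digest values, so a hand-written loop is not needed.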