Warning

a4m36bis -- Bezpečnost informací a systémů

Requirements

• 3 absences are allowed
• grade based on results from semester

Points

Assignment Required points Extra points
DefCon 5 points 3 points
Timing attack 5 points 5 points
Steganography/steganalysis 10 points 0 points
AVAST - part 1 2 points 3 points
AVAST - part 2 2 points 3 points
Total 24 points 14 points
A 21 - 24
B 18 - 20
C 15 - 17
D 13 - 14
F 0 - 13

Security

• 2 assignments announced during the semester, completed before the end of the semester that can provide extra points for the exam
• Every student should use his own laptop with Kali linux http://www.kali.org/ (or any other linux distro with particular tools) - mostly can be in VM but for some labs it will be required to use it without virtualization (mainly for Wi-Fi cracking)

Steganography/steganalysis

* Gentle introduction to steganography and steganalysis is here. The proof of Square root law for independent covers can be found here Square root law requires linear key, Andrew D. Ker, 2009.

Implementation of Least Significant Bit Matching. Embedding function has signature function embed(iFileName,message,key,oFileName), extraction function has signature function message=extract(image,key). Script to verify correctness of the solution can be found here.

Steganalysis

* Explanation of Fisher Linear Discriminant classifier, Receiver operator characteristics, threshold selection.

Implement Fisher Linear Discriminant as a function v=fld(P,N), where P is the matrix with positive samples (each row corresponds to one sample), N is the matrix with negative samples. Implement function drawing Receiver Operating Characteristics as function roc(P,N,w) (use plot to plot the graph do not forget to label axes).

* Introduction to modern steganalytic features. Paper about SPAM features and their later extensions rich models and PSRM features.

Implement (1st order) SPAM features as a function f=spam(image_name).

* Implement your own detector of LSB matching and use it on images downloaded from [Will be provided soon]. Images for training can be downloaded here covers. Decision of your classifier should be submitted in a column vector, where 1 mean image is stego, 0 mean image is cover. The order should reflect the names (ids) of images.

* Provide the output of your detector on ranking images. The output should be a text file with one column, where every line is the output of the detector on one image, ordered according to image numbers. Zero means image is cover (without a message), whereas one means image is stego (with a message). Accuracy over 70% gives 2 points, below 60% zero.

Labs

Labs 1 - 8.10.2015 - Intro, first assignment

• Basic info about the course
• Network Forensics Puzzle Contest
• goal of this assignment is to crack as many levels as possible
• 1 point for each level, i.e. 8 in total
• Data available at http://uloz.to/soubory/Sfinx13/data/ - TrueCrypt image
• First password is SYN-SYNACK-ACK=STart!@#\$&@ that unlocks the first round
• Second round was cracked during the labs - password for the next is MTA567=@
• Every round contains a question that has to be answered. Send the answer to email jan.stiborek@agents.felk.cvut.cz. If the answer will be correct, password for the next round will be provided.
• Groups are allowed (2-3 people), but specify the group in the email with answer.

Lab 5 - 5.11.2014 - Cryptography in java + Homework : timing attack

1. OpenSSL connection
2. Symmetric crypto
3. Messenger project here, preparekeys.txt - rename to preparekeys.sh, securityutils.java
Homework:

Demonstrate an attack on timing vulnerability in Google Keyczar library HMAC computation. Your goal is to find the signature of a message without knowing the correct key.

• Java sources with vulnerable version of the Keyczar library. The vulnerability has been amplified by issuing a Thread.sleep(1) in the byte-by-byte array comparison. This should be enough to make the timing attack feasible without advanced statistics.
• Dependencies in “libs”.
• A key in “keys”.

The project should be easy to import to any IDE from Maven model.

• The verification class (cz.cvut.keyczar.Verifier#verify(byte[] data, byte[] signature)) - the code that verifies HMAC of a string and should be attacked by forging a valid HMAC without the knowledge of the secret key.
• Signature generator - to create a signed file yourself or study the anatomy of the HMAC byte format.
• You can select the difficulty of the homework by specifying the “difficulty” java property (-Ddifficulty=<selected difficulty>, eg.: -Ddifficulty=HARDEST, https://docs.oracle.com/javase/7/docs/technotes/tools/windows/java.html). Options are:
• NORMAL - 5 points
• HARD - 7 points
• HARDEST - 10 points

Example how to run the HMAC verifier:

Verifier keyCzarVerifier = new Verifier("keys"); //Directory containing a key set - for more info see JavaDoc
byte[] message = "Hello world".getBytes(); //original message in plain-text
byte[] hMAC = new byte[]{}; //HMAC signature of the message
boolean result = keyCzarVerifier.verify(message, hMAC);

Extra points (3 extra points) for performing the attack by interprocess communication (via stdin/out - class cz.cvut.keyczar.homework.VerificationServer) instead of directly calling and timing the verifier.

Allowed relaxations:

1. You can compare the guessed bytes against a valid signature, but you may not use the signature to guess the bytes. The program is allowed to make wrong guesses, but not too many!
2. You can help the timing by issuing a longer sleep, but justification is required.
3. You can use keyczar bindings for another language, eg. python or C++. Make sure you’ve got the correct (vulnerable) version: revision 412. You can modify the array comparison to include a sleep or similar call.