Programming Assignment 2 - Secure Computer Systems | CS 6238, Study Guides, Projects, Research of Computer Science

Material Type: Project; Class: Secure Computer Systems; Subject: Computer Science; University: Georgia Institute of Technology-Main Campus; Term: Spring 2005;

Typology: Study Guides, Projects, Research

Pre 2010

Uploaded on 08/05/2009

koofers-user-805
koofers-user-805 🇺🇸

9 documents

1 / 2

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS6238 Secure Computer Systems
Programming Assignment 2
Due Date: 11:59pm May 4th, 2005
In this programming project, you will build a simple secure distributed file system (SDFS)
where applications can access files from remote locations. The SDFS will allow clients to store
and access information that has confidentiality or integrity requirements. Since client nodes will
communicate with the SDFS over an open network, secure information access will require that
messages exchanged between nodes are encrypted. You can use either the Java Crypto
Extension packages or the OpenSSL toolkit to complete this project. Since the project
requires communication between different machines, you should be familiar with sockets
programming.
You can build your secure distributed file system above the host file systems, which already
implements the interfaces to store & retrieve file contents via open()/read()/write()/close().
Specifically, you can extend the host file system via wrappers in the following manner. At the
time a client creates a file, based on the contents of the file, he/she would decide what kind of
security guarantees are needed for the file data, which will be stored in the file. Three kinds of
security guarantees will be made available to applications: CFS files provide confidentiality,
IFS files will ensure integrity for data stored in them, and nFS files will not provide either of
these guarantees. Accesses to all files will need to be authorized based on ACLs (to simplify
the task, you are not required to manage the group permissions) and hence clients will have to
be authenticated. Authentication should be done using a public-key based protocol that was
discussed in class for creating secure node-to-node channels. Furthermore, CFS files must be
stored in encrypted form to guard against accidental disclosure of information, and secure
channels must be used to communicate data from such files over the network. Since CFS files
are stored in encrypted form, you need to worry about the management of keys that are used
for such encryption. You can generate a random symmetric key, encrypt the file using it, and
encrypt the key with the public keys of those users who have access to the file based on its
ACL. The encrypted keys can themselves be stored with the other meta-data that you maintain
about the file. If a user should be able to access the file, it will also be able to retrieve the key
that will be needed to decrypt the CFS file.
In addition to the file server, which will accept and process the incoming file access requests,
you will also create a certification authority (CA) that signs and provides storage for certificates
that belong to the server and the clients (minimally, the CA could be just a file that store
certificates that you generate). A client will establish a connection with the server by
authenticating itself, access files, and then terminate its session. Clearly, files persist at the
servers unless they are deleted by their owners. You can assume that the file server and CA
are at well known locations.
pf2

Partial preview of the text

Download Programming Assignment 2 - Secure Computer Systems | CS 6238 and more Study Guides, Projects, Research Computer Science in PDF only on Docsity!

CS6238 Secure Computer Systems

Programming Assignment 2

Due Date: 11:59pm May 4th, 2005

In this programming project, you will build a simple secure distributed file system (SDFS) where applications can access files from remote locations. The SDFS will allow clients to store and access information that has confidentiality or integrity requirements. Since client nodes will communicate with the SDFS over an open network, secure information access will require that messages exchanged between nodes are encrypted. You can use either the Java Crypto Extension packages or the OpenSSL toolkit to complete this project. Since the project requires communication between different machines, you should be familiar with sockets programming.

You can build your secure distributed file system above the host file systems, which already implements the interfaces to store & retrieve file contents via open()/read()/write()/close(). Specifically, you can extend the host file system via wrappers in the following manner. At the time a client creates a file, based on the contents of the file, he/she would decide what kind of security guarantees are needed for the file data, which will be stored in the file. Three kinds of security guarantees will be made available to applications: CFS files provide confidentiality, IFS files will ensure integrity for data stored in them, and nFS files will not provide either of these guarantees. Accesses to all files will need to be authorized based on ACLs (to simplify the task, you are not required to manage the group permissions) and hence clients will have to be authenticated. Authentication should be done using a public-key based protocol that was discussed in class for creating secure node-to-node channels. Furthermore, CFS files must be stored in encrypted form to guard against accidental disclosure of information, and secure channels must be used to communicate data from such files over the network. Since CFS files are stored in encrypted form, you need to worry about the management of keys that are used for such encryption. You can generate a random symmetric key, encrypt the file using it, and encrypt the key with the public keys of those users who have access to the file based on its ACL. The encrypted keys can themselves be stored with the other meta-data that you maintain about the file. If a user should be able to access the file, it will also be able to retrieve the key that will be needed to decrypt the CFS file.

In addition to the file server, which will accept and process the incoming file access requests, you will also create a certification authority (CA) that signs and provides storage for certificates that belong to the server and the clients (minimally, the CA could be just a file that store certificates that you generate). A client will establish a connection with the server by authenticating itself, access files, and then terminate its session. Clearly, files persist at the servers unless they are deleted by their owners. You can assume that the file server and CA are at well known locations.

Once the SDFS is implemented, you will demonstrate its functionality by developing suitable test programs. You will also need to experimentally evaluate the performance of the system to characterize security overheads. In particular, you can define a simple trace that accesses a certain set of files of varying sizes. You can measure completion times when you run the trace with files that contain data with different security requirements. In the report that you submit after the project is completed, you should discuss the performance measurements and explain them based on the security guarantees that are provided for various files.

Notes

 You could work on teams of up to three members for this project.  Project 2 is due before the midnight of May 4th, 2005.  Before the due date, you should turn in: (1) a report in PDF format about your design decisions and some design & implementation details; (2) all the relevant source codes; (3) a short MANIFEST describing each file and directory and a README file which includes the instructions to compile and run the codes. All the turn-in materials should be compressed as a tarball. The turn-in tarball should be named like cs6238_prj2.tar.gz.  Close to the due date, the TA will post a number of “demo” slots on either the class homepage or some wiki page. All the demos will be given on either May 5th^ or May 6th. Please select a time that all team members can be present and look for the TA in the Undergrad/Intel lab (CCB103/107). During the demo, each team member will be asked a few questions related to the project material. You should also expect to demonstrate that the augmented access control model is working. The team will be issued a grade based on your overall performance.

Resources

 Java Crypto Extension packages, http://java.sun.com/products/jce/  OpenSSL toolkit, http://www.openssl.org/