Information Security

Homework: 0 1 23 4 5 67

Assignment 1: User Authentication

Logistics

Your solution should be a zip-file containing two things: your source code (your modified version of the AuthInfo.java file, plus any new files you created), and a report that describes what you did and why. The report should be an HTML file named index.html. (It may contain links to other files, if you include those files in your submission.)

You must work by yourself on this assignment. You may not collaborate with anybody else.

Introduction

At present, the chat service does not authenticate its users -- any user can claim to be anybody. Your goal in this assignment is to improve the service so that it does authenticate its users. You will decide how to do this.

You implement your solution by modifying the source code for the AuthInfo.java file. You may also create new source code files if you like.

Threat Model

The adversary's goal is to connect successfully to the service, impersonating another user, and to send messages that appear to come from the impersonated user. Your goal is to prevent him from doing so. Of course, you must not prevent legitimate users from using the service.

You should make the following assumptions about the adversary:

We have provided you with two cryptographic primitives that you are free to use: HashFunction.java and BlockCipher.java. The source code in these files contains comments that explain how to use them.

Note that you may NOT use any other cryptographic primitives, other than these two (and any higher-level primitives you might build on top of them). For example, you may NOT use any of the java.security or javax.crypto classes. This holds true for all of the assignments -- all crypto code, except for the two classes we have provided you, must be built by you, entirely from scratch.

Your Report

Your report should describe your solution, explain why it allows legitimate users to access their accounts, and justify why it prevents the adversary from gaining illegitimate access under the assumptions listed above. Your report should be concise but should be as convincing as you can make it. The quality of your report will be a very important component of your grade, so pay at least as much attention to your report as to your code.

Copyright 2001-2003, Edward W. Felten.