Assignment 7: Design review for lottery security
Due Tuesday, December 8th, at 11:55 PM
The assignment is to do a design
review of another group's solution to Assignment 6. We will email
you the names of the students in the group that you will review, along
with the solution they submitted for Assignment 6.
Your report should discuss the merits of the design in the context of the
real world. As a general format, you should include the following:
- Meta Data: The names and netids for the group you are reviewing.
- Threat Model: An overview of the threat model for each portion
of the design you are reviewing. Who are the adversaries? What
capabilities do they have? What assumptions are we making about their
limitations? This section should be fairly short.
- Protocol / Design Review: In this section you will want to
evaluate the group's design with respect to the threat model you have
defined above. For each potential threat, you should examine how the design you
are reviewing prevents (or fails to prevent) the threat. For example, one
key design requirement is that a store owner can't print an arbitrary
number of tickets without paying for them. You'll want to explore how the
design either prevents of allows this to occur. At a minimum you will want
to discuss the following aspects of the group's design.
- How well their design prevents creation of bogus winning tickets.
- How well their design prevents/deters store owners from underreporting tickets.
- How well their design prevents other potential adversaries (e.g.
couriers, network attackers, etc) from tampering with the lottery.
- How well their design manages infrastructure (i.e. key management,
access control, etc).
- Any problems that a holder of a winning ticket might encounter as a result of
the security features of the design (e.g. if a terminal is destroyed between
purchase and redemption, can a winning ticket still be redeemed?).
- Other practical considerations of their design decisions. For example,
if their design requires customers to type in their names, what impact might
this have on lottery sales, the safety of the purchaser, the redemption process, etc.?
If their design requires a courier to collect a log before a prize can be awarded,
how long might a customer have to wait before they can collect their prize?
- Whether your team agrees with the tradeoffs made regarding the above 5 discussion
- Suggestions for improving the design.
- Cost Analysis: Are the design's costs calculated
correctly? Do they justify their costs? Do you agree with the
justifications? Are they any obvious places money could have been saved?
We are not looking for a deep financial analysis here, just a brief
discussion. You shouldn't feel the need to completely rework the design
to something you feel is optimal.
When discussing potential security flaws (fradulent prizes or underreported tickets), be as
specific as possible. Specify the
knowledge or physical access that an adversary might
need (e.g. root password for tickets database computers, PRF keys, access to a vault, ability to
ensconse the lottery terminal in a faraday cage). Consider the real world
likelihood of such attacks. Consider how such attacks might be prevented.
If a potential attack relies on some underspecified detail in the design,
state any assumptions that might be needed for the attack. For example, if your
attack involves stealing a PIN from a central database, and the designers did
not specify any details of this database, you should state that an unencrypted
PIN could be stolen by a database administrator.
Keep in mind that an adversary might be a courier, a shop owner, the
database administrator for the lottery, etc., or any combination of
If you happen to notice any "strict improvements", make sure to note these. A strict improvement,
is any change that would improve security, practicality, or cost with no negative impact on the
rest of the design.
Similar to our design review last time, you might also consider how removal of the "tamper proof" feature
of the terminals might introduce vulnerabilities. Unlike HW5, this is not required.
Your solution should be submitted in either pdf or HTML format. If you're
using pdf format, please name your report submit7.pdf. If you're using
HTML, please package everything you're submitting into a single zip-file, called
submit7.zip. You can submit using this link.
If you're using HTML, the report should be an HTML file named index.html. This HTML
contain images, links to other files, etc. if you include those files in your
submission. Though your solution will be graded on content AND presentation, you
do not need to design a beautiful document.
For this assignment, you must work in the same group that
you worked in for assignment 6. You may not collaborate with anyone
outside your group.