COS 496: Information Security

Spring 2000

General information
Schedule
Homework: 0 1 2 3 4 5 6 7

Assignment 2: Teller Login

Logistics

This assignment must be submitted by 1:30 PM on Tuesday 29 February. Submit your solution by emailing it (as an attachment) to submit496-2@felten.com.

Your solution should be a zip-file containing three things: your source code (TellerAuth.java, and any other source code files you create), your compiled code (TellerAuth.class and the compiled versions of any other files you create), and a report that describes what you did and why. The report should be an HTML file named index.html. (It may contain links to other files, if you include those files in your submission.)

You must work in a group on this assignment. You may not collaborate with anyone outside your group.

Introduction

At present, the teller terminals, where bank tellers do their work, are vulnerable. An adversary can walk up to a teller terminal, log in, and proceed to create an account for himself, with a large initial balance. This is true because the login dialog accepts any username, and the password for every username is just equal to that username.

Your goal in this assignment is to improve the authentication of tellers. You will decide what kind of exchange will occur between the system and a teller when the teller logs in, and how the system will decide whether to allow access in each case.

You will implement your solution by modifying the file TellerAuth.java, which has been provided in the bank's software.

The Code

Authentication of tellers is currently performed by the code in the file TellerAuth.java. This file contains the graphical user interface (GUI) code to draw the login window, as well as the code that decides whether to grant access.

At present, the code asks for a username and password, and grants access if the username and password are equal to each other. The decision whether to grant access is implemented by the "check" procedure.

The GUI code uses Sun's Swing toolkit. If you find that you need to modify the GUI code, we can give you hints and point you to the appropriate documentation on the Swing features you want to use. Swing is not too difficult to use once you get the hang of it.

Goal

Your goal is to modify TellerAuth.java, and add any other needed code, so that it is much harder for an adversary to gain access. Of course, your solution must allow legitimate tellers to gain access. In addition, there must be a way to grant newly hired tellers access, and to take away access from tellers who leave the bank's employ.

There are several approaches you might follow. Depending on your approach, you might need to modify the GUI code.

Threat Model

The adversary's goal is to gain access to a logged-in teller terminal. Your goal is to prevent him from doing so. Of course, you must not prevent legitimate tellers from gaining access.

You should make the following assumptions:

The adversary can gain physical access to the keyboard and monitor of a teller terminal in the bank.
The adversary knows the usernames of the legitimate tellers.
Each legitimate teller can know one or more secrets that the adversary is unable to learn.
When a teller leaves the bank's employ, the adversary can bribe that teller to disclose any information in the teller's possession.
The adversary knows what algorithm you are using. He can read your code, but he cannot observe the values of any of your variables.
The adversary cannot observe or modify the contents of any data files you create.

We suspect that the adversary may be able to look over the shoulders of tellers who are logging in, to see what they type. We prefer solutions that meet the objectives even if the adversary can do this. (Your report should say whether or not you protect against this threat.)

Your Report

Your report should describe your solution, explain why it allows legitimate tellers to access their accounts, and justify why it prevents the adversary from gaining illegitimate access under the assumptions listed above. Your report should be concise but should be as convincing as you can make it. The quality of your report will be a very important component of your grade, so pay at least as much attention to your report as to your code.

Helpful Hints

If you want to store data in disk files, Java's serialization facility might be helpful. It provides an automatic way to write virtually any data structure out to a file, and then read it back later.