Usable Security and Network Security Assignment

Due: Feb 27th, 2023 @ 9PM Eastern

Team Size: 2 Students Per Team

Assignment Overview

This assignment has three main parts: review questions, encrypted email, and the ARP spoofing Lab. You are allowed to work with 1 other student for this work, but you must still each complete each part of the assignment (ie. you must each send me an email). Be sure to put the name of the student you worked with on your submission in gradescope.

Tasks

Review Questions (20 points)

  1. In your own words, why does RPKI prevents sub-prefix hijacking? Why doesnt RPKI prevent the one-hop attack?

  2. What attacks are possible when a protocol decides to Encrypt and then Sign messages? What attacks are possible when a protocol decides to Sign and then Encrypt messages?

  3. What makes reflection attacks more powerful than a typical denial of service attack, like ping flooding or syn flooding? What about protocols like DNS and NTP facilitate this increased power?

Encrypted Email (40 points)

In this assignment you are going to learn to send encrypted email from your BU email address.

Keeping A Diary

As part of this experience, you are going to keep a diary to track the things you have tried and learned. Be sure to keep track of everything in an orderly fashion, so you can reflect on the process later (and graders can see what you did). You should keep of the following things in your diary:

  1. Any searches that you perform and why you decided to search those terms?

  2. Any websites (including URLS) that you open and a brief description of what you found there

  3. Any tools or software that you installed, and the reason you chose to install it

  4. Anything you tried on the tools or software that you installed. What correct or incorrect commands have you tried? What confusions did you experience when using the tool?

  5. What steps did you take that actually helped to completing the task?

Finally, provide 3-to-4 paragraphs (with multiple sentences per-paragraph!) that is a full narrative, from start to end, in completing this task, as if you were relaying the story to someone in a documentary movie entitled “I sent an encrypted email.”

Sending the Encrypted Email

Send me an encrypted email from your BU email address! Please send me an encrypted and signed email to [email protected] with the subject line cs558 - <your name> and the following information

  1. What email client did you use to send this email?

  2. What other clients did you try to use?

  3. How was your experience? Was it difficult or easy? How long did it take you?

  4. A PGP public key for your BU email.

My PGP key is below:

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsFNBF/+aAABEADKwKd7U+jk8Knoh7CtWU9pf36v/ldFbzCpT7FKr59nqfwXizaeYE5rOidoE25G
sbHy6f86YPVWYZtbfoFYmrezgiQVhIsNI6wyAFdawTyJBSMkH/t2wES+vRhj5heWYjOk52Zwiyd0
L2w798axjOKXBWP+6hGjYHU/3DM6LlWavpjdLETj1zP0Nhld99+fDzoH4Q3BIRwEbrGSxSd2yC2T
oNLleQI+dk2fMhi9p5SRGeRUtL9gAuw8/xlNQFjP3JpehrEQgWa1aeqgqzficyZKB9E5BjhlLx3X
TMHDGo5thN8n7XErYmB4uvtC86WKnXa4xyC4vl7VwpeMLZ0z5BJH6T1pKVMWBJ+fsjsA5cYZ0MOR
vCvI/UQSvnbzVL4eJL5FNKsjHUG5M3CsXWypkck8Pp8QKxbTbSx+Ilxx/bDh+TtmnSQRv/b4+dVc
J0J3VcYtYbLfScLT5/jVS+XSFdZ2NPzt7j3KLm9FfGanicA5YI5oUYneVoZXVMlbQEIPVo38wKDi
C39AM0MCaIwa9HKIT3i88jAlEe6a6o1ERyQMivzn8YLJ/Hk1wx8NcnK/eJA3R5BK98EiAvXynqKF
qOM1AlqNU8RAkkurLKWmewyNstfQxYfW7MFBeDz+7Ai0WjUi/9e+91CFK38P1tKoArNz8oqonygs
HkfCf5TMIHvQyQARAQABzSJHYWJyaWVsIEthcHRjaHVrIDxrYXB0Y2h1a0BidS5lZHU+wsGPBBMB
CAA5FiEEwhRkClge7LPEBw9v+LtEbjTNWRAFAl/+aAIFCQWjmoACGwMFCwkIBwIGFQgJCgsCBRYC
AwEAAAoJEPi7RG40zVkQLWEQAL80Ulwu9F+DkjHOArdCD33TbDvidpqjbMhogc9l7+Azl7iH6R1Z
8eWLEzjCe6KR9L/21AREYscc0svPaEZ5qyQm23tcUnMt3G3uyaxLqfoLnv8v66bo5ssf6Gfiep6P
I1cmbc2xt41DQF+D6UstpM5f5tRuONiiTIZpxdN1fpp1Z4U5BCRTnLxWyiGMjwkpUAyhvOaucjU8
kTV4P2Xrt8sX6equW+tF8QhVn1hRVtfMKk6cePrz8DGZhI5dTrkYr7MvzOinK70WboC4H7gU61nm
db9zsUFIWiAekh+OA6STm9KLZcZu/vJoUSayIRm+v4glxyTqLu5n8DPgToxbLuu7IZKhxVQ03frn
uLvs2zXjWg5Px1691XcdhQHoAlAboAIfrXnnM1gmOepA/ba9MeG1b91n7EPk9OFtqG59WiSUzy0K
USQ57j96S5eIX6rOwgjVozxqLzv0NSieOzq4t5iv+c/+jCxiFDn+hZ/vZVHy9xiuYSfQio9wjTbk
vB2z9VSE93bA8nXn8RldY3PGk2w3WQHr2TslGXGzt3j78ZHW37vjSqEM7Gaz+/+TJTBtc11XQk0l
IH4pnYwuifg/zREeeV23oiu1AweBzZtz1QPaDKcyvvTXybOKg4nSRwhVuTD/qfvirVJciHYgctdL
ZghFn7et53ldXjd8J7yocaBizsFNBF/+aAIBEADXFX5e2WHVuP/D96EsRLEvk4ZYXjKjLdXFiLz1
5HpbhKrMVmfAJMcjLSV5JtdVCLW8gYaU64ZgRyCDeBiECDlhSEe6ss7/7guh1Q4GAac58kz01WhT
JJ9qRMFFypZ2yBHzpgvq4fe3u3p71mr90agv+6DubBgBL3mB9jpQ3VBkfx3pSWtz7LSuI2OO6gn2
ostvUwklXuNaxK3+RJrGGOTiSDCHrJ3zDhTayd9Jl/VHI1zvz+5WOU0EiBoT5GLVis82FUgc0xZe
5j3OzPv79vnxlzh+SKiqQrLOPq0iFI+7wbAAj7jyq/Mha/rnG7Bj1XeORgWZAqNHdt32JWBv/fy5
MkuKVoBIgmZj/UWTHiZN+d9CnAtusrB2/FTWkkc74gKkk74SYqr0wrJVy/nwMsgJGId7bThWSi5a
h+srKiobWOYUWx7waeLX3J1XbKmBgfTgA+ZG+zD2P8ohXagR5UJblKm1URXBrve+qHGwgS7XOl2p
lBNA5DLs1uiFt1Kc/4eJrwqdyBATTEk59c7NsRerh/h32AZIkYaIMTi44423B3ApVeTgN42VHG4E
BhrGKHgPK5deUy6OvsSoJwB/0QUOYYBSMdO9IF+RYNSS88lNFi6WDI1tvkWcEOAnbh6Ri1D5I9WW
eCAqI9D4jKSszI2kzUtrUNHe3xxcE2faVSIhlwARAQABwsF8BBgBCAAmFiEEwhRkClge7LPEBw9v
+LtEbjTNWRAFAl/+aAMFCQWjmoACGwwACgkQ+LtEbjTNWRAZJw/9HyTKQGR8ZECdJI1ZqaDG5A7L
xjO6r6miZ+ZwmU2QTmAH9RxBwc9i89VTotdQjoUD+V5f/1U+9hwLTEhE7BUcv1Lm1K+/+ALbtLW1
QtMVIywf1EGcbapCPHCVzjp6D4aIEn3292wV2kWBwCaNn1sa9cQOd/0Ifo3/JYctbEFdNMmjFTVD
CbUG9i/JUr0Zb8ZLcQt7xCzZVTW1k2ARZEHi0Rld/5/nt53Lh7D5KhVVSs2oALJv1cuA/h6pE9rG
Z5JVHhCNYT0IlQJkdQe9pjz4w2lQ6vQ/XVVKjtmjrBW6dHSJPhfFIpI0jaTXVaHd2vGmOLej+9ef
HETzgagmVOyljuibDA3HlaSptcd/wjb+pVz6Tc+u7OKlL3RkL/a2qKriSYU78I9vw9Tel14Wq+d/
zUj+RrswMVJnnNZ9znfp0O7rlLvvWabpq7eWiK+Xvv+TRpvSnge+nP2HgUNFgLu+WU0Os1d5T9cR
BwTTkjnjJf5sH83MbdSanhCh2x/0eEVztO9jjBgNbc/SpvN4i2l0nhg9XGL8GIcVJOMK+S+RtUJB
0DAbCc1q2qtZa7Gx77XdocNwsqfWx+5xzesaDDorZ1iO8m9jKsm+yUJVQnXJbA9Cf2mdS+rmCDzo
T+c6ZeulIVQglJEK+SrjiW4Jk+QRiTWG69cHUQVn+X280R+O33I=
=kOyg
-----END PGP PUBLIC KEY BLOCK-----

Once you send me an email, I’ll send you a response, encrypted under the key you provide and sent to the email you provided. It will contain a personalized secret message that you will need to submit through gradescope as part of your assignment. Please give me at least 12 hours to respond to your email before the deadline (Professors are people too).

Reflect

Now that you have had the wonderful experience of sending and receiving an encrypted email, take some time to reflect on the experience. Using you diary, write approx. 500 words summarizing what you did. Be sure to include both things that you tried that didn’t work and the way in which you were eventually successful. Feel free to answer some of the questions below: What were the most helpful things that you read? What were the most confusing things that you experienced. How did your background in crypto, security, and computer science make things harder or easier? How do you think you would explain encrypted email to someone non-technical in your family?

ARP Spoofing lab (40 pts.)

(Reminder: DO NOT ATTACK SYSTEMS THAT YOU DO NOT MANAGE!)

In this task, you are going to be using a lab created by Professor Wenliang Du at Syracuse University. They have developed a bunch of hands-on labs that allow us to do bad network things without getting in trouble. In other words, I know many of you may not be in the position to manage your own networks, so asking you to ARP spoof on a network can be a problem. The SEED Labs environment produced by Syracuse University makes building a virtual environment within which we can launch attacks easy.

We are going to be doing the ARP spoofing lab that they have created. It is available for download here. You should complete Tasks 1,2, and 3 for full points.

Quick-start Instructions

SEED labs has very good, in-depth documentation for setting everything up. For troubleshooting, please refer to their documentation. Below is a quick-start way of setting things up, with some notes of traps that I fell into when setting things up.

  1. Download VirtualBox. There are problems with using older versions of VirtualBox, so if you have version 5.x lying around on your computer, I suggest updating to 6.x. I have tested on 6.1.16.

  2. Download the SEED labs virtual machine image. I got it from here. Be sure to check the MD5 hash of the file (if you don’t practice good computer hygine, who will?) The hash should be f3d2227c92219265679400064a0a1287.

  3. Follow the instructions here to create a run a new copy of the VM.

  4. Boot into the VM. The password for the user account is dees.

  5. Open Firefox within the VM, navigate to this website and download the Labsetup files.

  6. Open a terminal window, navigate to the file with the Lab Setup files and run dcup which is an alias they have created for docker-compose up. This will prepare the network and bring up the docker instances you will need for the lab. Note that when you run dcup it will block, so you can leave that running in the background as you work on the rest of the lab.

This should take you up to Task 1 in the task list.

What to Submit

Submit a PDF write-up with your answers to Gradescope. Be sure to mark all of your answers clearly so graders can find your solutions. Be sure your PDF includes (1) answers to the review questions, (2) the narrative of sending an encrypted email and your reflections on the process, and (3) your ARP spoofing lab writeup.