,

School of Science

COSC2536/2537 Security in Computing and Information

Technology
Assignment 2

Assessment Type: Individual assignment; no group work. Submit online via Canvas→Assignments→Assignment
2.
Marks awarded for meeting requirements as closely as possible. Clarifications/updates may be made via
announcements/relevant discussion forums.
Due date: Week 12, Sunday the 20th October 2019 11:59pm
Deadlines will not be advanced, but they may be extended. Please check Canvas→Syllabus or via
Canvas→Assignments→Assignment 2 for the most up to date information.
As this is a major assignment in which you demonstrate your understanding, a university standard late penalty of 10% per
each working day applies for up to 5 working days late, unless special consideration has been granted.

Weighting: 35 marks (Contributes 35% of the total Grade)

1. Overview

The objective of Assignment 2 is evaluating your knowledge on the topics covered mainly in Lecture 5 to 10. Topics
include Privacy-preserving computations based on RSA, ElGamal and Paillier Cryptosystems; Digital Signature,
Blockchain and Cryptocurrency, Digital Authentication & Security Protocols, and Digital Authorization and Intrusion
Detection. However, topics covered in Lecture 1 to 10 are required as prerequisite. Assignment-2 will focus on
developing your abilities in application of knowledge, critical analysis and decision making. Assignment 2 contains
several problems related to the topics mentioned above. You are required to prepare your answers and upload them
as a single PDF or Word document in CANVAS.

In this assignment, there are 5 (five) questions in total. Question 1 is on Privacy Preserving Online Voting System.
The system uses privacy preserving computation technique for computing votes. The term privacy preserving
computation is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function
over their inputs while keeping those inputs private. Recently, several controversies have been observed in the voting
around the world. Using privacy preserving online voting system removes controversy in a voting system. In question
Q1, you are expected to apply your understanding of privacy preserving computation in the context of electronic
voting (E-Voting).

Question 2 is about the application of Digital Signature Schemes. Question 2 has 3 (three) parts. In the first part, you
are expected to demonstrate your understanding of the RSA Encryption algorithm based digital signature scheme for
numeric message. In the second part, you are expected to demonstrate your understanding of the ElGamal Encryption
algorithm based digital signature scheme for numeric message. In the third part, you are expected to demonstrate

Page 1 of 13
 ,

your understanding of the RSA Encryption algorithm based digital signature scheme for text message. For part 1 to 3
of Question 2, values of required parameters are provided including the plaintext or message M and you should
demonstrate the key generation, signing and verification processes with detail computations and brief explanations.
Marks will be deducted if you fail to show the detail computation correctly, skip the computation steps, or do not
provide explanations.

Recently, many intruders have stolen highly sensitive files from various organizations and given them to Wikileaks for
online publications. Many government agencies including CIA and FBI are among the victims as they didn’t share files
in a secure manner. The objective of Question 3 is to demonstrate secure file sharing on a distributed file sharing
platform like IPFS using openssl tool. Question 3 is related to OpenSSL and IPFS. In this question, you are expected to
demonstrate required OpenSSL and IPFS commands for a given scenario. Additionally, you must provide screenshots
of the outcomes for commands. Marks will be deducted if you fail to show the commands correctly, skip any
command, or do not provide screenshots.

Question 4 is on report writing on Blockchain or implementation of a secure system. In this question, there are 4
(four) options: Q4.1, Q4.2, Q4.3 and Q4.4. You need to choose any 1 among the three options. The first option Q4.1
is on report writing and the rest three options, Q4.2, Q4.3 and Q4.4, are about implementation. If you select Q4.1,
you are expected to demonstrate your understanding of the Blockchain and cryptocurrency and choose a system
where Blockchain Technology can be applied. Then, you should write a well-organized report on how the Blockchain
Technology can impact your chosen system. We are looking for interesting and innovative system design in the report.
The report should be appended in the same document where you write the answers for other questions. If you select
Q4.2, you are expected to implement a simple blockchain system with a new idea. You are free to choose any system.
If you select Q4.3, you are expected to implement a privacy preserving online voting system stated in Q1. If you select
Q4.4, you are expected to implement a secure IPFS-based file sharing system stated in Q3. If you choose either Q4.2,
Q4.3 or Q4.4, you should demonstrate your implementation to the lecturer or head tutor in Week-11. Additionally,
you should upload the code and short documentation on CANVAS.

Question 5 is related to analyzing the security of authentication protocols. Your answer should contain both diagram
and explanation. Marks will be deducted if you fail to provide diagram and explanation correctly, skip the diagram, or
do not provide explanations.

Develop this assignment in an iterative fashion (as opposed to completing it in one sitting). You should be able to start
preparing your answers immediately after Lecture-5 (in Week-5). At the end of each week starting from Week-5 to
Week-10, you should be able to solve at least one question.

If there are questions, you must ask via the relevant Canvas discussion forums in a general manner.

Overall, you must follow the special instructions below:

• You must use the values provided in the questions.

Page 2 of 13
 ,

• Hand-written answers are not allowed and will not be assessed. Compose your answers using any word
processing software (e.g. MS Word).

• You are required to show all of the steps and intermediate results for each question.

• Please DO NOT provide codes as an answer. Only codes will not be assessed.

• Upload your solution as a single PDF or Word document in CANVAS.

2. Assessment Criteria

This assessment will determine your ability to:

• Follow requirements provided in this document and in the lessons.

• Independently solve a problem by using cryptography and cryptanalysis concepts taught over the last six
weeks from fifth to tenth weeks of the course.

• Meeting deadlines.

3. Learning Outcomes

This assessment is relevant to the following Learning Outcomes:

• understand applications of privacy preserving computation techniques, digital signatures and data hiding
techniques.

• develop privacy preserving applications and libraries using any programming language of your choice.

• understand the life cycle and design principles of Blockchain and Cryptocurrency applications.

• analyze the strength and limitations of security protocols.

• design new security mechanisms and protocols for any small and large-scale applications.

• Implementing a simple secure system

• Critically analyze and evaluate the security of computing and IT systems on a practical level and privacy related
issues in computing.

4. Assessment details

Please ensure that you have read Section 1 to 3 of this document before going further. Assessment details (i.e.
question Q1 to Q6) are provided in the next page.

Page 3 of 13
 ,

Q1. Privacy Preserving Online Voting System (Marks: 6)

Recently, several controversies have been observed in the voting around the world. The voting authority
cannot be trusted completely as it can be biased. Using privacy preserving online voting system removes
controversy in voting system. In this privacy preserving online voting system, voters encrypt their votes in the
voting booth before sending them to the voting authority. A voting server computes an encrypted result on
behalf of the voting booth as the voting booth does not have enough computation power. The encrypted result
is sent to the voting authority who determines the winner based on encrypted votes.

Suppose there are 7 voters to vote for YES or NO to give their opinions. There is a voting authority (VA) who
determines the winner. Design a secure voting prototype as shown in Figure-Q1 using Paillier cryptosystem
where the votes must be encrypted from Voting Booth before sending them to the Voting Server.

Figure-Q1: Secure voting system

Assume, three voters will vote for YES and four voters will vote for NO. The Voting Authority should find
three YESs and four NOs after counting the votes. The Voting Authority chooses p=89, q=53 and select
g=8537. The private numbers chosen by 7 voters and their votes are as follows:

Voter Voter’s Private Number, r Vote Voting message,

No. m
1 71 YES 001000 = 8
2 72 YES 001000 = 8
3 73 YES 001000 = 8
4 74 NO 000001 = 1
5 75 NO 000001 = 1
6 76 NO 000001 = 1
7 77 NO 000001 = 1

Show the encryption, homomorphic computations and decryption processes.

Page 4 of 13
 ,

[Hints: Refer to the lecture-5 Secure e-voting example. You need to represent the total number of votes by
6-bit string. The first 3 (three) bits should represent the votes for YES and the rests for NO. When adding a
vote for YES, the system adds 001000, which is 8 in integer. Similarly, the system adds 000001 when voting
for NO, which is 1 in the integer form.]

Q2. Digital Signatures (Marks: 2+2+3 = 7)

Suppose Bob and Alice, two business partners, use their smart phones to communicate with each other
regarding their business decisions. Hence, their messages are very sensitive and require to be authenticated.
Otherwise, an attacker, say one of their business rivals, may perform phone number porting fraud attack. In
this attack, the attacker may use another SIM card to port Alice or Bob’s phone number for pretending as Alice
or Bob, respectively. Therefore, BoB and Alice uses digital signature scheme in their smart phone to sign
messages for ensuring authenticity. The working procedure of the digital signature is illustrated in FigureQ2.

Message Signing with Bob’s Signed Message

private-key
Bob
(Sender)

Verification
Verified Verification with
Message Bob’s public-key
Alice
(Receiver)

Answer Q2.1, Q2.2 and Q2.3 using the scenario mentioned above.

Q2.1 [RSA Signature Scheme] (Marks: 2)

Suppose Bob (the sender) wants to send a message m=123456 to Alice (the receiver). However, before
sending the message he would like to sign the message. When Alice receives the signed message, she would
like to verify that the message is indeed from Bob. To facilitate signing and verification Bob generates public
and private keys using RSA encryption algorithm and sends the public key to Alice. Bob uses parameter p =
5563 and q = 3821, and chooses a suitable public key parameter e=9623. How would Bob sign message
m=123456? How would Alice verify the signed message from Bob?
[Hints: Refer to the lecture-6 and tutorial-6. You do not need to generate hash of the message m.]

Q2.2 [ElGamal Signature Scheme] (Marks: 2)

Suppose Bob (the sender) wants to send a message m=4567 to Alice (the receiver). However, before sending
the message he would like sign the message. When Alice receives the signed message, she would like to verify
that the message is indeed from Bob. To facilitate signing and verification Bob generates public and private
keys using ElGamal encryption algorithm and sends the public key to Alice. Bob chooses p= 7331, g=3411,
x=41. How would Bob sign message m=4567? How would Alice verify the signed message from Bob?
[Hints: Refer to the lecture-6 and tutorial-6. You do not need to generate hash of the message m.]

Page 5 of 13
 ,

Q2.3 [RSA Signature Scheme for Text Message] (Marks: 3)

Suppose Bob (the sender) wants to send a large text message M to Alice (the receiver). You should download
the text message file “Message.txt” from the CANVAS. The text message M is as follows:

Cryptocurrencies continue to grow in price and size. Knowledge about Bitcoin, Litecoin, Ethereum, and
others has spread through the entire world. Cryptocurrencies are providing such features and tools that
simplify our lives. They are changing the way things work. Some people fear the changes. But changes are
not always bad. Cryptocurrencies are modifying our lives, and the way industries develop. There’s no doubt
that cryptocurrencies are disrupting and affecting the global economy in many ways.

Before sending the message, Bob generates a hash h(M) of the text message M using MD5 hash algorithm,
and converts h(M) into integer message m. Then, he signs the m and sends it to Alice. When Alice receives the
signed message, she would like to verify that the message is indeed from Bob. To facilitate signing and
verification Bob generates public and private keys using RSA encryption algorithm and sends the public key
to Alice. Bob uses the following parameters:
p = 278966591577398076867954212605012776073
q = 467207331195239613378791200749462989467

Bob chooses a suitable public key parameter e=41. How would Bob sign message M? How would Alice verify
the signed message from Bob?

[Hints: Refer to the “Running Example of RSA Signature for Text Message” of lecture-6. The document can be
found here:
https://rmit.instructure.com/courses/46189/files/3608593/download?wrap=1
Use the following links:
For generating MD5 hash: http://www.miraclesalad.com/webtools/md5.php
For converting hexadecimal to decimal:
https://www.mobilefish.com/services/big_number/big_number.php ]

Q3. OpenSSL and IPFS (Marks: 4)

Assume that an owner of a particular file, say Alice, wants to share the file to her colleague, say Bob. In other
words, Alice is the sender and Bob is the receiver. They use an IPFS based file repository and OpenSSL for
providing security. Alice and Bob perform several operations using OpenSSL and IPFS to ensure secure file
sharing. Throughout the processes, AES symmetric-key and RSA public-key encryption algorithms of OpenSSL
are used. You should choose your own file (e.g. a text file with your student number and name) and AES
encryption key (e.g. 123456789).
The scenario is illustrated in the Figure-Q3 below. You are expected to show the required OpenSSL and IPFS
commands sequentially for each step stated below. Please provide screenshot of the outcome for each
command.
The steps are stated as follows:
I. Bob generates RSA public and private key pair for himself using OpenSSL. Bob sends his public key to
Alice via email.

Page 6 of 13
 ,

II. Alice selects a shared AES secret key (KAB = 123456789). Next, Alice encrypts the file with Alice and
Bob’s shared AES secret key (KAB) using OpenSSL and generates a ciphertext file (say, the file name is
“ciphertext.txt”).
III. Alice uploads the encrypted file in the IPFS-based repository and receives a Unique Identifier (UI).
IV. Alice encrypts KAB with Bob’s RSA public key using OpenSSL and gets a ciphertext file (say, the file
name is “encrypte-key.txt”).
V. Alice sends UI and “encrypted-key.txt” to Bob through email.
VI. Upon receiving them, Bob decrypts “encrypte-key.txt” using OpenSSL with his RSA private-key and
retrieves the shared AES secret key (KAB).
VII. Bob uses Unique Identifier (UI) to download the file from IPFS-based repository with IPFS commands.
VIII. Upon receiving the file from IPFS network, Bob decrypts the downloaded file from IPFS network using
the shared AES secret key (KAB).
[Hints: Use the commands of OpenSSL that are discussed in Lecture-2,4 and IPFS commands that are
discussed in Lecture-7].

Figure Q3: IPFS based encrypted file sharing

Page 7 of 13
 ,

Q4. Report Writing or Implementation (Marks: 15)

Answer Any 1 from Q4.1, Q4.2, Q4.3 and Q4.4

Q4.1 [Writing Report on Blockchain] (Marks: 15)
Choose a system where Blockchain Technology can be applied. Write a well-organized report on how the
Blockchain Technology can impact your chosen system. You may consider the followings scenarios to prepare
your report:
• Blockchain based Financial System
• Blockchain based Real Estate Management Systems
• Blockchain based Healthcare
• Blockchain based smart city
• Blockchain based smart manufacturing
• Blockchain based supply-chain
• Blockchain based E-Commerce
• Blockchain based IoT applications
In this report, you expected to provide necessary background of the system you choose and the blockchain
technology. Presenting an innovative scenario is highly appreciated. Most importantly, a detail system design
should be presented.
Q4.2 [Implementing a Blockchain System] (Marks: 15)
In this question, you are expected to implement a blockchain system a scenario stated in Q4.1. You are
allowed to use any programming language or scripting language such as Java, PHP, Python, JavaScript, etc.
Your implementation must have a good graphical user interface (GUI). Upon completion of the
implementation, you are expected to:
I. Demonstrate your work to the lecturer or head tutor in Week-11 & 12 tutorials
II. Create a short report containing the implementation details and user instructions
III. Upload your code and report
Q4.3 [Implementing a Privacy-preserving Online Voting System] (Marks: 15)
In this question, you are expected to implement an online voting system using the concept of Paillier
encryption scheme based privacy-preserving computation (refer to the scenario stated in Q1 of this
assignment). You are allowed to use any programming language or scripting language such as Java, PHP,
Python, JavaScript, etc. Your implementation must have a good graphical user interface (GUI). Upon
completion of the implementation, you are expected to:
I. Demonstrate your work to the lecturer or head tutor in Week-11 & 12 tutorials
II. Create a report containing the implementation details and user instructions
III. Upload your code and report

Q4.4 [Implementing a Secure File Sharing System] (Marks: 15)

Page 8 of 13
 ,

In this question, you are expected to implement a secure file sharing system using the concept of the scenario
stated in Q3 of this assignment. You are allowed to use any programming language or scripting language such
as Java, PHP, Python, JavaScript, etc. Your implementation must have a good graphical user interface (GUI).
Upon completion of the implementation, you are expected to:
I. Demonstrate your work to the lecturer or head tutor in Week-11 & 12 tutorials
II. Create a report containing the implementation details and user instructions
III. Upload your code and report

Q5. Analyzing Security of Authentication Protocol (Marks: 3)

The following mutual authentication protocol is proposed based on a symmetric-key cryptography algorithm.
We assume that the cryptography algorithm that is used here is secure. Given that the following protocol does
not provide mutual authentication. Give two different attack scenarios where Trudy can convince Bob that
she is Alice. Briefly explain each attack scenario performed by Trudy with proper diagram which on the
protocol.

“Alice”, RA
RB,E(RA, KAB)
E(RB, KAB)

Alice Bob
[Hints: You need to show two attack scenarios performed by Trudy with proper diagram on the protocol.
Additionally, provide brief explanation of attacks to justify your answer. Refer to attack scenarios on mutual
authentication protocols that were discussed during the Lecture-9 and Tutorial-9.]

5. Academic integrity and plagiarism (standard warning)

Academic integrity is about honest presentation of your academic work. It means acknowledging the work of others
while developing your own insights, knowledge and ideas. You should take extreme care that you have:

• Acknowledged words, data, diagrams, models, frameworks and/or ideas of others you have quoted (i.e. directly
copied), summarized, paraphrased, discussed or mentioned in your assessment through the appropriate
referencing methods,
• Provided a reference list of the publication details so your reader can locate the source if necessary. This includes
material taken from Internet sites.

Page 9 of 13
 ,

If you do not acknowledge the sources of your material, you may be accused of plagiarism because you have passed
off the work and ideas of another person without appropriate referencing, as if they were your own.

RMIT University treats plagiarism as a very serious offence constituting misconduct. Plagiarism covers a variety of
inappropriate behaviors, including:

• Failure to properly document a source

• Copyright material from the internet or databases
• Collusion between students

For further information on our policies and procedures, please refer to the University website.

6. Assessment declaration

When you submit work electronically, you agree to the assessment declaration.

Page 10 of 13
 ,

7. Rubric/assessment criteria for marking

All of the computations must be correct and only provided values must be used. Instructions must be followed.

Criteria
The characteristic
or outcome that is
being judged. Total

Question 1 Step-by-step Step-by-step processes are Step-by-step processes are shown Step-by-step processes are shown Steps are not shown with detail 6 Marks
Privacy- processes are shown shown with detail with detail computations. with detail computations. computations.
Preserving with detail computations.
computations. Most of the computations are But all of the calculations are wrong. Or,
Computation Most of the computations are incorrect with few correct
All of the correct with few errors. computations. Not answered.
computations shown
are correct.

6 Marks 4 Marks 2 Marks 1 Marks 0 Marks

Question 2.1 Step-by-step Step-by-step processes of Step-by-step processes of signing Step-by-step processes of signing are None of the steps are shown 2 Marks
Digital Signature processes of both both signing and verification are shown correctly. shown that are partially correct/ correctly.
using RSA signing and are shown. completely wrong. Or,
verification are However, verification steps are not Or, only Verification steps are correct. Calculations are not shown in
Encryption shown. Not all of the computations are shown or incorrectly shown. detail.
Algorithm shown correctly in detail. Or,
All of the Not answered.
computations are
shown correctly in
detail.

2 Marks 1.5 Marks 1 Marks 0.5 Marks 0 Marks

Question 2.2 Step-by-step Step-by-step processes of Step-by-step processes of signing Step-by-step processes of signing are None of the steps are shown 2 Marks
Digital Signature processes of both both signing and verification are shown correctly shown that are partially correct/ correctly
signing and are shown. completely wrong Or
using ElGamal verification are However, verification steps are not Or Calculations are not shown in
Encryption shown. Not all of the computations are shown or incorrectly shown Only Verification steps are correct detail
Algorithm shown correctly in detail. Or
All of the Not answered
computations are
shown correctly in
detail.

2 Marks 1.5 Marks 1 Marks 0.5 Marks 0 Marks

Page 11 of 13
 ,

Question 2.3 Step-by-step Step-by-step processes of Step-by-step processes of signing Step-by-step processes of signing are None of the steps are shown 3 Marks
Digital Signature processes of both both signing and verification are shown correctly shown that are partially correct/ correctly
signing and are shown completely wrong Or
using RSA verification are However, verification steps are not Or Calculations are not shown in
Encryption shown Not all of the computations are shown or incorrectly shown Only Verification steps are correct detail
Algorithm for large shown correctly in detail Or
message All of the Not answered
computations are
shown correctly in
detail

3 Marks 2 Marks 1 Marks 0.5 Marks 0 Marks

Question 3 Answer is correct Answer is correct but not Answer is partially correct Only few commands are correct Answer is not correct 4 Marks
Secured file structured
sharing using All of the commands Some of the commands are correct. Sequence of the commands are Or
are correctly and All of the commands are not followed
OpenSSL and
sequentially correct. But, commands are Commands are not sequentially Not answered
IPFS presented with not sequentially presented. presented. Or some of the commands are
appropriate missing
screenshots. Appropriate screenshots are However, appropriate screenshots are
provided. provided for the correct commands. Or screenshots are insufficient/
missing

4 Marks 3 Marks 2 Marks 1 Marks 0 Marks

Question 4 The report/ The report/ The report/ The report/ The report/ The report/ Not answered 15 Marks
Report writing or implementation is implementation is implementation is implementation is implementation is implementation is
implementation extra ordinary good but not up to average. below average. poor. very poor.
the mark.
Report Report Report Report Report
The report is Report The report is The report is NOT The report None of the
prepared fulfilling The report is prepared fulfilling all prepared fulfilling all addresses only few requirements are
all of the prepared fulfilling of the requirements. of the requirements. of the requirements. addressed
requirements all of the However, the The key topics are The key topics are correctly. The key
requirements. content is not not well connected. missing or not concept is
Implementation However, could enough to express Presentation is poor connected. missing.
The have been better. the main theme of Presentation is poor.
implementation the given topic. Implementation Implementation
fulfills all of the Implementation The implementation Implementation
requirements. The Implementation does not contain some The
The implementation
implementation is The implementation of the key implementation
contains only few of
good. However, is good. However, functionalities and does not contain
the key
functionalities or functionalities or user interface is not key functionalities
functionalities and
user interface user interface could that good. and user
user interface is not
could have been have been better. interface is not
that good.
better. good.

15 Marks 12 Marks 10 Marks 8 Marks 6 Marks 4 Marks 0 Marks

Page 12 of 13
 ,

Question 5 Answers are Answers are partially Answers are partially correct Answers are partially correct. Answer is not correct 3 Marks
Analyzing correct correct
authentication Only one attack scenario on the authentication Only one attack scenario on the Or
Two attack Only one attack scenario protocol is presented with either appropriate authentication protocol is
protocol for
scenarios on the on the authentication diagram or explanation, and diagram and presented with either appropriate Not answered
enhancing security given protocol is presented with explanation of other attack scenario is diagram or explanation, and
authentication either appropriate diagram completely wrong. diagram and explanation of other
protocol are or explanation, and the Or attack scenario is completely
presented with diagram or explanation is Either diagrams/ explanations are correct for wrong/ missing.
appropriate missing / incorrect for the both attack scenarios
diagram and other attack scenario. Or
explanation. Any one from diagram and explanation is
correct for both attack scenarios

3 Marks 2.25 Marks 1.5 Marks 0.75 Marks 0 Marks

Page 13 of 13