
CMSC 426 / 626 – Principles of Computer Security
Prof. Krishna Sivalingam
Fall 2006
Due Date: October 22, 11PM. On-Line Submission via submit
NO LATE SUBMISSIONS

1 Project description

The objective of this project is to implement a system that supports: user authentication via a password mechanism, access control for users' files, and encryption/decryption of files using secret key and public key cryptography.

The cryptographic libraries and the API from the OpenSSL package (http://www.openssl.org) must be used for all cryptographic operations.

1.1 User Authentication

The system will consist of a set of users. Let your project's data directory be named PROJ1DATA. Under this directory, each user will be assigned (upon adding the user) a directory with the same name as the user.

When the program is run for the first time, there will be no users. However, for subsequent runs, the usernames and directories created in previous invocations of the program will be available.

Invoking your program with the -cleanup option will delete all users and their directories.

There are two types of commands: system-level commands, which can be invoked without a specific user being logged in, and user-level commands, which can be invoked ONLY after a user has logged in.

System-level commands are as follows:

• useradd: Users will be added using the command: useradd username. Usernames will contain at most 8 characters selected from the set [a-z], [A-Z], [0-9].

  The system will also request a password for the user upon creating the user. The username and password list will be stored in the PROJ1DATA/passwd file. The format of the passwd file is one line per user, where each line has the format: username:password:homedirectory.

  When a user is created, the HOME directory for the user, i.e. PROJ1DATA/username, is created. In addition, a public and private RSA key pair will be generated.

  ◦ Each user's private key is stored in the user's home directory in the file PROJ1DATA/username/key.priv. The PROJ1DATA/username/key.priv file is encrypted using DES, where the DES key is derived from the user's password.
  ◦ The user's public key is stored in PROJ1DATA/PubKeys/username.pub.

• login: Users will log in using the command: login username. The system will request the user to enter the password and verify correctness. Passwords are exactly 8 characters long. The password MUST contain at least 1 lower case letter, 1 upper case letter, and 1 number. When users enter a password, the system MUST check against at least one dictionary and reject the password if it matches the dictionary. In your README file, describe the dictionary that was used and where it is stored.

  At most three login attempts will be allowed for a given user. Beyond that, the system will not accept login attempts for this user for the current execution of your program.

  Following login, all commands provided to the program pertain to the currently logged in user, until the logout command is issued.

• passwd: The command passwd will allow changing the password of the user who is presently logged in. If there is no preceding matching login command, the passwd command will report an error and continue to accept the next command. The password will be a bit string of 64 0s (000...000) encrypted using DES-CBC and generated as follows: The key will be derived from the user's password string. A 12-bit random number will be generated, expanded to 64 bits by padding the Most Significant Bits with 0s, and fed as the IV to the DES function.

• listusers: List all users in the password file.

• logout: Logs out the current user; prints an error message if no user is presently logged in.

• exit: Exits the program execution, but leaves the directories and files intact.

1.2 Access Control

Every user will be allowed to create subdirectories and files under their home directory (i.e. PROJ1DATA/username). This will be done using:

1. mkdir dirname
2. cd dirname
3. delete dirname

All values of dirname will be absolute (i.e. not relative) filenames, specified as PROJ1DATA/usera/dir1/dirn, etc. Note that these commands can be implemented using suitable calls to the "system" (man 3 system) command.

Groups: For each directory, the user can create an Access Control List (ACL) that will allow read and write operations for groups of users. The commands to be supported for group operations, for the currently logged in user, are:

• newgroup groupname: Create a new group for the current user. If the group already exists, then print a suitable error message.
• addtogroup groupname N username1 username2 .. usernameN: If invalid usernames are specified, print an error message and add all valid usernames to the group.
• deletefromgroup N username1 username2 .. usernameN: Delete the specified usernames (if they exist) from the group.
• deletegroup groupname: Delete this group.

Permissions: The user can associate a read or write permission for a particular directory with 0 or more groups using the following commands:

• setacl dirname groupname read
• setacl dirname groupname write
• deleteacl dirname groupname

Note that permissions are on a directory basis and apply to ALL files under that directory, but NOT to sub-directories. For a given directory, only read or write access is allowed, not both. When a directory has been set up with read (or write) permission first, all subsequent setacl commands must also be read (or write); otherwise, an error is reported.

The deleteacl command deletes the ACL permission currently assigned to the specified group for the specified directory. If the group currently does not have any permission for this directory, print an error message.

Read and write permissions also allow directory lookup (i.e. the ls command), by default.

Read operation: All files with 'read' permission for a given group will be encrypted with the owner's private key and thus readable by users of that group, who will use that user's public key, globally stored in the PROJ1DATA/PubKeys directory as user1.pub, user2.pub, etc.

Write operation: A user belonging to a group with write ACL for a given directory is allowed to create file(s) under that directory. Such files will be encrypted with the directory owner's public key, and thus only readable by that owner. Write permission does NOT allow creation of sub-directories under a given directory for users other than the owner of a directory. The owner of a directory can create a file under its directory that has been given write access to others - such files are encrypted with the directory owner's public
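
The setacl and deleteacl rules of Section 1.2, sketched in C as an added example (not part of the handout or of any reference solution). The in-memory table, all identifier names, sizes and return codes are assumptions, as is the choice that deleting a directory's last ACL entry allows a different mode to be set afterwards.

```c
#include <string.h>
/* Added example; every identifier, size and return code is an assumption. */
enum { DIRSZ = 128, GRPSZ = 32, NACL = 32 };
enum acl_mode { ACL_NONE = 0, ACL_READ, ACL_WRITE };
enum acl_rc { ACL_OK = 0, ACL_ERR_CONFLICT, ACL_ERR_NO_ENTRY, ACL_ERR_FULL, ACL_ERR_TOO_LONG };
struct acl_entry { char dir[DIRSZ]; char group[GRPSZ]; enum acl_mode m; };
static struct acl_entry acl[NACL];   /* m == ACL_NONE marks a free slot */

/* Entry for (dir, group); with group == NULL, any live entry for dir. */
static struct acl_entry *acl_find(const char *dir, const char *group) {
    for (int i = 0; i < NACL; i++)
        if (acl[i].m != ACL_NONE && strcmp(acl[i].dir, dir) == 0 &&
            (!group || strcmp(acl[i].group, group) == 0))
            return &acl[i];
    return NULL;
}

enum acl_rc setacl(const char *dir, const char *group, enum acl_mode m) {
    struct acl_entry *any = acl_find(dir, NULL);
    if (any && any->m != m) return ACL_ERR_CONFLICT;  /* first setacl fixes the mode */
    if (acl_find(dir, group)) return ACL_OK;          /* already granted */
    if (strlen(dir) >= DIRSZ || strlen(group) >= GRPSZ) return ACL_ERR_TOO_LONG;
    for (int i = 0; i < NACL; i++)
        if (acl[i].m == ACL_NONE) {
            strcpy(acl[i].dir, dir); strcpy(acl[i].group, group);
            acl[i].m = m;
            return ACL_OK;
        }
    return ACL_ERR_FULL;
}

enum acl_rc deleteacl(const char *dir, const char *group) {
    struct acl_entry *e = acl_find(dir, group);
    if (!e) return ACL_ERR_NO_ENTRY;  /* group holds no permission on dir */
    e->m = ACL_NONE;                  /* assumption: last delete unlocks the mode */
    return ACL_OK;
}

/* Access a group has to a FILE: exact match on the file's immediate parent
   directory only, so files in sub-directories inherit nothing. */
enum acl_mode file_access(const char *path, const char *group) {
    const char *slash = strrchr(path, '/');
    char parent[DIRSZ];
    if (!slash || slash - path >= DIRSZ) return ACL_NONE;
    memcpy(parent, path, (size_t)(slash - path));
    parent[slash - path] = '\0';
    struct acl_entry *e = acl_find(parent, group);
    return e ? e->m : ACL_NONE;
}
```

Matching the parent directory exactly, rather than by prefix, is what keeps files under PROJ1DATA/alice/docs/sub outside an ACL set on PROJ1DATA/alice/docs (constructed sample paths).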

