School of Computing Technologies

INTE2401/2402 Cloud Security

Assignment 2

1. Overview

The objective of Assignment 2 is evaluating your knowledge on the topics covered mainly in Lecture 2 to 8. Topics include AES, Hashing Techniques, Key Management and Distribution and Security Protocols for Cloud Computing. However, topics covered in Lecture 1 are required as prerequisite. Assignment 2 will focus on developing your abilities in application of knowledge, critical analysis and decision making.Assignment 2 contains several problems related to the topics mentioned above. You are required to prepare your answers and upload them as a single PDF or Word document in CANVAS.

In this assignment, there are 5 (five) questions related to AWS. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. This means customers of all sizes and industries can use it to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. You have two options for protecting data at rest in Amazon S3. Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects. Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. The first question of this assignment is to implement a client-side encryption tool built on Advanced Encryption Standard (AES).

Question 2 is on Signing AWS Requests with Signature Version 4. When you send HTTP requests to AWS, you need to sign the requests so that AWS can identify who sent them. You sign requests with your AWS access key, which consists of an access key ID and secret access key. The signing process helps secure requests in the following ways: verify the identity of the requester, protect data in transit, and protect against potential replay attacks. In this question, you are required to use AWS Signature Version 4 to generate a signature on a given string. Through this question, you are expected to understand the detail signature generation and verification process of AWS Signature Version 4.  

Question 3 is about AWS Key Management Service (AWS KMS), a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program.AWS Key Management Service supports symmetric and asymmetric Customer Master Keys (CMKs). A symmetric CMK represents a 256-bit key that is used for encryption and decryption. CMKs are created in AWS KMS. Symmetric CMKs never leave AWS KMS unencrypted. In this question, you are required to create a data key to encrypt a data and then store it in AWS. Through the question, you are expected to understand how data is encrypted and store in AWS.  

Question 4 is about AWS Site-to-Site VPN based on Diffie-Hellman key establishment. An AWS Site-to-Site VPN connection connects your Virtual Private Cloud (VPC) to your data centre. Amazon supports Internet Protocol Security (IPSec) VPN connections. Data transferred between your VPC and data centre routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. Internet Key Exchange (IKEv2) is the protocol used to set up a security association (SA) in the IPSec protocol suite. IKEv2 uses X.509 certificates for authentication ‒ either pre-shared or distributed and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. The question has three parts. In the first part, you are expected to implement the Diffie-Hellman key exchange protocol for AWS Site-to-Site VPN. In the second part, you are expected to perform a man-in-the-middle attack to the Diffie-Hellman key exchange protocol. In the last part, you are expected to propose an improved key exchange protocol which is able to overcome the man-in-the-middle attack.  

The last question is on Secure Socket Layer (SSL) Handshake Protocol.Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client - typically a web server (website) and a web browser. AWS Certificate Manager from Amazon Web Services (AWS) takes care of deploying certificates to help you enable SSL/TLS for your website. Assume that AWS Certificate Manager issues you a SSL certificate and you have installed the certificate in your website hosted on AWS. When a client browses your website, suppose the client will run a SSL handshake protocol with ephemeral public key with your website to establish an encrypted link between the client and your website. In this question, we are expected to demonstrate your understanding how SSL handshake protocol with ephemeral public keywork and analyse client authentication, server authentication, and forward security of the SSL handshake protocol.

Develop this assignment in an iterative fashion (as opposed to completing it in one sitting). You should be able to start preparing your answers immediately after Lecture-5 (in Week-5). At the end of each week starting from Week-5 to Week-8, you should be able to solve at least one question.

If there are questions, you may ask via the relevant Canvas discussion forums in a general manner.

2. Learning Outcomes

This assessment is relevant to the following Learning Outcomes:

• understand how AWS applies hashing techniques, digital signature, key management, and security protocols to achieve cloud security.

• discuss various types of confidentiality, authentication and data integritymechanisms in cloud computing.

• analyze the strength and limitations of security protocols for cloud computing.

• design and implement security mechanisms and protocols.

3. Submission

You must follow the following special instructions:

• You must use the values provided in the questions.

• Hand-written answers are not allowed and will not be assessed. Compose your answers using any word processing software (e.g. MS Word).

• You are required to show all of the steps and intermediate results for each question.

• Upload your solutions as a single PDF or Word document together with programming codes in CANVAS.

This assessment will determine your ability to:

• Follow requirements provided in this document and in the lessons.

• Independently solve a problem by using security concepts taught over the first four weeks of the course.

• Meeting deadlines.

After the due date, you will have 5 business days to submit your assignment as a late submission. Late submissions will incur a penalty of 10% per day. After these five days, Canvas will be closed and you will lose ALL the assignment marks.

4. Assessment details

Please ensure that you have read Section 1 to 3 of this document before going further. Assessment details (i.e. question Q1 to Q5) are provided in the next page.

?

Q1. Cloud Client-Side Encryption Tool                                                                                     (Marks: 2+2+2+2+2=10)

Q2. Signing AWS Requests with Signature Version 4                                                             (Marks: 1+1+1+1+1=5)