Learning Outcomes tested in this assessment:
The following learning outcomes will be assessed by this assignment:
Apply appropriate theory, practices and tools to the design/development of network security solutions.
Critically evaluate the legal, ethical and social implications of security
Introduction
In this task you will create a Certification Authority (CA) which will act as a subordinate Enterprise Certification Authority to issue certificates to users and computers for an organisation called Hexad0m. An offline root Certification Authority is expected to be installed and configured to establish the fundamentals in the PKI architecture to serve as an issuer to your subordinate CA. You will also demonstrate a comprehensive threat model against two categories, namely identity spoofing and CA threats as part of your analysis. The group is advised to use a Windows 2012 server and any machine to perform the attacks against the system. Groups are free to completely virtualise the testing environment.
Assignment Tasks:
Your work must be presented in the form of a Project Report and be no longer than 4500 words (excl. references, figures, tables and appendices) plus a facing page that includes the executive summary. This should be typed on A4 paper and use a font size Arial 10 single spacing. For completeness, you may if you wish include additional material in an appendix but this will not contribute to the marks.
Section 1: SSL PKI Design & Implementation
The technical requirements are listed as follows:
Install and configure an offline Root Certification Authority
Install and issue a Certification Authority
Configure the appropriate certificate templates of the issuing CA
Check the revocation status of certificates by installing and configuring an online responder
Create a fully operational TLS-enabled Web page and observe encrypted traffic
Demonstrate at least two (2) attacks against your PKI infrastructure in alignment with the two (2) threat categories outlined in Section 2.
Section 2: SSL PKI Threat Modelling & Ethical Considerations
The non-technical Requirements are listed as follows:
SSL PKI threat model: Identify the threats, attacks arising from the proposed description of the SSL PKI security issues raised in your design/proposal. Create and discuss a taxonomy of those threats relevant to your design and propose suitable mitigation plans with clear references to the literature. You are required to threat model only against identity spoofing and certificate authority threats using a standardised methodology to identify and rank the threats identified.
Threat Ranking: Define, adopt and validate the appropriate method to rank threats in SSL PKI architecture.
Threat mitigation Plan: A detailed threat mitigation plan is also required as part of your deliverables. Clear evidence of a systematic approach taken to validate threats identified must be clearly articulated as part of your analysis.
PKI Risks: Critically discuss at least two (2) significant risks of PKI and link these to privacy. What kind of ethical and legal concerns are raised by the adaptation of PKI in Industry 4.0 for the authentication of IoT devices?
Project Deliverables: Written Group Report (max 3 students per group)
Project Report: The project report should provide your design and recommendations for the planned exercise. Please pay attention to the following points in designing your PKI security solution and preparation of report; at its basic form, the report should be structured as follows:
Executive Summary: Provide an executive summary [~150 words]
Introduction: An introduction using appropriate information and problem statement from the team. [~200 words]
SSL PKI Design & Implementation: In this section you address all technical requirements in Section 1 of the brief with a clear articulation of the process followed to achieve the outcomes requested. [~1500 words, excl. figures, diagrams and tables]
SSL PKI threat modelling & Ethical Considerations: This section must include a systematic approach on the identification of threats, methodologies used to rank them and a detailed mitigation plan against the threat vectors given in the brief. You should also discuss ethical and legal implications by the adaptation of PKI in the authentication of “things” in IoT. [~2500 words excl. figures and tables]
Conclusion: Design recommendations, summary of key points/findings from your investigation [~150 words]
IMPORTANT NOTE: The project report must be based on academic references. Please use IEEE explore, ACM, ELSEVIER databases for references related to threat models, security technologies, cloud computing etc. CAUTION: Merely selecting an existing UC technology from the market without addressing the project deliverables will result in a very low mark. A single file submission must be made ONLY by a delegated group member including any appendices, tables, diagrams, etc (No word limitation for appendices). Feedback will be distributed to all group members as appropriate.
Assessment criteria
Assessment Criteria Section | Possible marks | Actual Marks |
Executive Summary | 5 |
|
Introduction
| 5 |
|
SSL PKI Design & Implementation
| 45 |
|
SSL PKI Threat Modeling & Ethical Considerations
| 35 |
|
Conclusion | 5 |
|
References | 5 |
|
Marks deducted in case of poorly structured reports, layout, word count (15 marks) |
|
|
Total | 100 |
|
Academic Integrity Statement
You must adhere to the university regulations on academic conduct. Formal inquiry proceedings will be instigated if there is any suspicion of plagiarism or any other form of misconduct in your work. Refer to the University’s Assessment Regulations for Northumbria Awards if you are unclear as to the meaning of these terms. The latest copy is available on the University website.
Formative Feedback
There will be an opportunity for formative feedback during the semester. You are advised to start working on this assignment as early as possible so that you can seek clarification from the module tutor regarding any questions you might have during the semester. Note that tutors will not predict your grade, and you should not take the lack of comment on any aspect of your work as indicating that it is correct. You should make every effort to take advantage of formative feedback as tutors will not comment on draft work at other times. Remember that you will get more useful feedback from us by asking specific questions.
Penalties for Exceeding Word Limits:
The actual word count is to be declared on the front of the assessment submission. If a given task has a word limit, the following penalties will be applied after any reductions in mark due to late submission have been made, Penalties will be applied as defined in the University Policy on Word Limits Policy.
Late Submission Policy:
For coursework submitted up to 1 working day (24 hours) after the published hand-in deadline without approval, 10% of the total marks available for the assessment (i.e.100%) shall be deducted from the assessment mark. Penalties will be applied as defined in the University Policy on the Late submission work.
For clarity: a late piece of work that would have scored 65%, 55% or 45% had it been handed in on time will be awarded 55%, 45% or 35% respectively as 10% of the total available marks will have been deducted.
Failure to submit: The University requires all students to submit assessed coursework by the deadline stated in the assessment brief. Where coursework is submitted without approval after the published hand-in deadline, penalties will be applied as defined in the University Policy on the Late Submission of Work.
https://www.northumbria.ac.uk/about-us/university-services/academic-registry/quality-and-teaching-excellence/assessment/guidance-for-students/
0 comments:
Post a Comment