2023-2024 ASSESSMENTS
Undergraduate
Individual Programming
Assessment Weighting [30%]
SCC.363 Security and Risk
Academic Honesty and Integrity
Students at Lancaster University are part of an academic community that values trust,
fairness and respect and actively encourages students to act with honesty and integrity. It is
a University policy that students take responsibility for their work and comply with the
university’s standards and requirements- found in the Manual of Academic Regulations and
Practice. By submitting their answers students will be confirming that the work submitted is
completely their own. By submitting their answers the group of students will be confirming
that the work submitted is that of the group. Academic misconduct regulations are in place
for all forms of assessment and students may familiarise themselves with this via the
university website:
https://www.lancaster.ac.uk/academic-standards-and-quality/regulations-policies-andcommittees/manual-of-academic-regulations-and-procedures/
Plagiarism
Plagiarism involves the unacknowledged use of someone else’s work and passing it off as if it
were one’s own. This covers every form of submitted work, from written essays, video
vignettes, and coding exercises. However, deliberately plagiarism with the intent to deceive
and gain academic benefit is unacceptable. This is a conscious, pre-meditated form of
cheating and is regarded as a serious breach of the core values of the University. More
information may be found via the plagiarism framework website. All coursework is to be
submitted electronically and will be run through our plagiarism detection mechanisms.
Please ensure you are familiar with the University's Plagiarism rules and if you are in any
doubt please contact your module tutor.
https://www.lancaster.ac.uk/academic-standards-and-quality/regulations-policies-andcommittees/principles-policies-and-guidelines/plagiarism-framework/
General Guidance:
This is an individual assessment that will count for 30% of your overall mark for this module.
Learning objectives
• Develop appreciation and understanding of security concepts.
• Formulate troubleshooting methods to identify/solve problems.
• Evaluate information to argue solution choices critically.
• Effectively communicate ideas.
Submission requirements
Prepare and submit your coding solutions on Coderunner. For all coding solutions, you must
use Python3. You can use modules from standard Python3 and cryptography.io. Your code
should include appropriate comments explaining what you do and why. All implementations
must be in Python3, and the cryptography.io library must be used for any cryptographyrelated functions (if needed). If you must consider padding in any task, you should use PKCS7.
Your code should include appropriate comments explaining your solution.
Example of the type of comments you SHOULD AVOID -- the comments don't explain the
solution:
def avalancheCalculator(string1, string2):
# I hash the strings and generate the hexdigest values
hexstring1 = hashlib.sha256(string1.encode()).hexdigest()
hexstring2 = hashlib.sha256(string2.encode()).hexdigest()
# I convert the hexdigest to integers
int1 = int(hexstring1, 16)
int2 = int(hexstring2, 16)
# I XOR the integers
intResult = int1 ^ int2
# I return the 1's in the binary representation.
return ( bin(intResult).count('1') )
Examples of types of comments that provide adequate information – the comments explain
the solution to the problem:
def avalancheCalculator(string1, string2):
# A solution to the problem is to xor the integer representation
# of the two values and count in the resulting int the number of bits
# having the value of 1.
hexstring1 = hashlib.sha256(string1.encode()).hexdigest()
hexstring2 = hashlib.sha256(string2.encode()).hexdigest()
int1 = int(hexstring1, 16)
int2 = int(hexstring2, 16)
intResult = int1 ^ int2
# The "1"s in the binary representation of the XOR operation
# represent which bits from int1 and int2 are different.
# This is due to applying the XOR operation. 0^1 = 1, 1^0 = 1
# Counting the "1"s will provide how many bits differ
return ( bin(intResult).count('1') )
You have to upload the implementation of your functions on CodeRunner.
Marking Guidelines:
• You have to answer all three (3) tasks. Marks will be allocated based on the clarity of your
solution, comments in the code, and correctness. More information is provided within the
individual questions.
• The name of functions, type/number of variables, and return values must follow the tasks’
guidelines. Failing to adhere to this may result in not receiving marks.
Deadline for submissions: Friday 16
th February 16:00
TASK 1
--------
You are provided with the ds_hash hash function. The function receives a
finite message as input and produces a non-negative integer, which we
consider to be the hash value of the given message.
The size of input messages is fixed and always equals 64 bytes. Implement an
appropriate attack to check if the hash function ds_hash is strong collision
resistant. Your alphabet should include all lower-case and upper-case letters
of the English alphabet and all numbers from 0 to 9.
# -- START OF YOUR CODERUNNER SUBMISSION CODE
# INCLUDE ALL YOUR IMPORTS HERE
def ds_hash(message: str) -> int:
hash_value = 0
for ch in message:
hash_value = (hash_value * 71) + ord(ch)
return hash_value & 0x7FFFFFFF
def myAttack() -> bool:
# YOUR IMPLEMENTATION
return # True or False
# -- END OF YOUR CODERUNNER SUBMISSION CODE
#You can test your code in your system (NOT IN YOUR CODERUNNER SUBMISSION)
as follows:
# MAIN
if __name__ == "__main__":
print( myAttack() )
Marking scheme: This task's weight is 35% for providing a valid attack and
commenting on your code.
TASK 2
--------
Implement an HMAC based on the RFC-2104 definition (Section 2). The RFC is
available at the following link: https://www.rfc-editor.org/rfc/rfc2104
Below is the extract from the RFC that describes how the HMAC can be
implemented, and this is what you need to implement. The text is amended to
provide specific information about the selected H cryptographic hash
function, i.e., SHA256.
The definition of HMAC requires a cryptographic hash function, which
we denote by H, and a secret key K. In your implementation, assume H
to be the SHA256 cryptographic hash function.
We denote by B the byte-length of such blocks (B=64 for SHA256),
and by L the byte-length of hash outputs (L=32 for SHA256).
The authentication key K can be of any length up to B, the
block length of the hash function. Applications that use keys longer
than B bytes will first hash the key using H and then use the
resultant L byte string as the actual key to HMAC. In any case the
minimal recommended length for K is L bytes (as the hash output
length).
We define two fixed and different strings ipad and opad as follows
(the 'i' and 'o' are mnemonics for inner and outer):
ipad = the byte 0x36 repeated B times
opad = the byte 0x5C repeated B times.
To compute HMAC over the data `text' we perform
H(K XOR opad, H(K XOR ipad, text))
Namely,
(1) append zeros to the end of K to create a B byte string
(e.g., if K is of length 20 bytes and B=64, then K will be
appended with 44 zero bytes 0x00)
(2) XOR (bitwise exclusive-OR) the B byte string computed in step
(1) with ipad
(3) append the stream of data 'text' to the B byte string resulting
from step (2)
(4) apply H to the stream generated in step (3)
(5) XOR (bitwise exclusive-OR) the B byte string computed in
step (1) with opad
(6) append the H result from step (4) to the B byte string
resulting from step (5)
(7) apply H to the stream generated in step (6) and output
the result
The function's name has to be CustomHMAC and defined as follows.
# -- START OF YOUR CODERUNNER SUBMISSION CODE
# INCLUDE ALL YOUR IMPORTS HERE
def CustomHMAC(key: bytes, text: str) -> str:
# YOUR IMPLEMENTATION
return # YOUR RESULT
# -- END OF YOUR CODERUNNER SUBMISSION CODE
#You can test your code in your system (NOT IN YOUR CODERUNNER SUBMISSION)
as follows:
# MAIN
if __name__ == "__main__":
k = os.urandom(16) # k is <class 'bytes'>
txt = "hello world!!!!" # txt is <class 'str'>
print( CustomHMAC(k, txt) )
# The output will be a string of hexadecimal values, e.g.: a51b … 35fa
You can debug your code against the result from the following function:
from cryptography.hazmat.primitives import hashes, hmac
def HMAC_from_Cryptography(key: bytes, text: str) -> str:
h = hmac.HMAC(key, hashes.SHA256())
h.update(text.encode())
signature = h.finalize().hex()
return signature
Marking scheme: This task's weight is 40%, which will be allocated equally
for correctly implementing the steps and commenting on your code.
TASK 3
--------
Using the AES-ECB encryptor from the cryptography.io module, implement the
AES mode in Figure 1. You can instantiate an AES-ECB encryptor as follows:
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms,
modes
key = # SELECT AN APPROPRIATE KEY FOR AES
cipher = Cipher(algorithms.AES(key), modes.ECB())
encryptor = cipher.encryptor()
Figure 1 - The figure describes a mode of AES for encrypting plaintext to ciphertext
The function's name has to be CustomAESmode and defined as follows:
# -- START OF YOUR CODERUNNER SUBMISSION CODE
# INCLUDE ALL YOUR IMPORTS HERE
def CustomAESMode(key: bytes, iv: bytes, plaintext: str) -> str:
# YOUR IMPLEMENTATION
return # THE CIPHERTEXT
# -- END OF YOUR CODERUNNER SUBMISSION CODE
#You can test your code in your system (NOT IN YOUR CODERUNNER SUBMISSION)
as follows:
# MAIN
if __name__ == "__main__":
key = bytes.fromhex("06a9214036b8a15b512e03d534120006")
iv = bytes.fromhex("3dafba429d9eb430b422da802c9fac41")
txt = "This is a text"
print( CustomAESMode(key, iv, txt) )
# The result using the above input should be:
1827bfc04f1a455eb101b943c44afc1d
Marking scheme: This task's weight is 25%, which will be allocated equally
for correctly implementing the steps and commenting on your code.
如有需要,请加QQ:99515681 或WX:codehelp
