159 lines
6.5 KiB
TeX
Executable file
159 lines
6.5 KiB
TeX
Executable file
\documentclass[10pt,a4paper,american]{article}
|
|
\newcommand{\aublogopath}{../../website/res/img/aub_black.png}
|
|
\usepackage{../../misc/macros/joc}
|
|
\usepackage{../../misc/fonts/fonts}
|
|
\usepackage{../../misc/macros/classhandout}
|
|
|
|
\begin{document}
|
|
|
|
\classhandoutheader
|
|
|
|
\section*{Lab Assignment: Building a Secure Password Manager}
|
|
|
|
\subsection*{Overview}
|
|
In this lab, you will design and implement a secure password manager application from scratch. This represents your first opportunity to apply cryptographic primitives to build a complete security protocol—albeit one that operates locally without network communication. Password managers are essential security tools that help users generate, store, and manage their credentials for various services. By building one, you'll gain practical experience with fundamental cryptographic primitives, secure storage techniques, and security-focused software design principles. Future lab assignments will build upon these skills by incorporating network components as you develop secure messengers, encrypted synchronization protocols, and other networked security applications.
|
|
|
|
\subsection*{Learning Objectives}
|
|
After completing this lab, you should be able to:
|
|
\begin{itemize}
|
|
\item Apply cryptographic primitives like key derivation functions and authenticated encryption.
|
|
\item Implement secure data storage techniques.
|
|
\item Design and build a security-critical application with proper threat modeling.
|
|
\item Evaluate the security properties of a password management system.
|
|
\end{itemize}
|
|
|
|
\subsection*{Background}
|
|
Password managers solve the problem of creating and remembering strong, unique passwords for multiple services. A password manager typically:
|
|
\begin{itemize}
|
|
\item Generates cryptographically strong random passwords.
|
|
\item Encrypts and securely stores passwords using a master password.
|
|
\item Provides convenient access to stored credentials.
|
|
\item Protects against various attacks including phishing and data breaches.
|
|
\end{itemize}
|
|
|
|
\subsection*{Requirements}
|
|
Your password manager must implement the following core functionality:
|
|
|
|
\begin{enumerate}
|
|
\item \textbf{Master Password Handling:}
|
|
\begin{itemize}
|
|
\item Derive an encryption key from a master password using a suitable KDF (e.g., Argon2, Scrypt).
|
|
\item Implement appropriate security parameters (salt, iterations).
|
|
\item Correctly handle key rotation in the event of a master password change.
|
|
\end{itemize}
|
|
|
|
\item \textbf{Password Storage:}
|
|
\begin{itemize}
|
|
\item Store encrypted passwords with appropriate metadata (website, username).
|
|
\item Use authenticated encryption (e.g., AES-GCM) to protect confidentiality and integrity.
|
|
\item Implement secure serialization and deserialization.
|
|
\end{itemize}
|
|
|
|
\item \textbf{Password Generation:}
|
|
\begin{itemize}
|
|
\item Generate cryptographically secure random passwords.
|
|
\item Allow configuration of password characteristics (length, character sets).
|
|
\end{itemize}
|
|
|
|
\item \textbf{User Interface:}
|
|
\begin{itemize}
|
|
\item Create a simple CLI or GUI interface for interaction.
|
|
\item Implement basic operations: add, retrieve, update, and delete passwords.
|
|
\item Include master password verification.
|
|
\item Implement clipboard clearing after use.
|
|
\item Add timeout for automatic locking.
|
|
\item Include proper error handling without leaking sensitive information.
|
|
\end{itemize}
|
|
\end{enumerate}
|
|
|
|
\subsection*{Implementation Guidelines}
|
|
|
|
\subsubsection*{Step 1: Design}
|
|
Begin by creating a threat model for your password manager. Consider:
|
|
\begin{itemize}
|
|
\item Who are the attackers? (Malware, physical access, remote attackers)
|
|
\item What assets are you protecting? (Master password, stored credentials)
|
|
\item What are the attack vectors? (Memory dumps, disk access, etc.)
|
|
\item What cryptographic protections will you employ?
|
|
\end{itemize}
|
|
|
|
Document your design decisions and security assumptions.
|
|
|
|
\subsubsection*{Step 2: Cryptographic Building Blocks}
|
|
Implement or properly use existing libraries for:
|
|
\begin{itemize}
|
|
\item Key derivation from the master password.
|
|
\item Authenticated encryption of the password database.
|
|
\item Secure random password generation.
|
|
\end{itemize}
|
|
|
|
\subsubsection*{Step 3: Core Functionality}
|
|
Implement the core functionality:
|
|
\begin{itemize}
|
|
\item Database creation and loading.
|
|
\item Password entry management.
|
|
\item Password generation with customizable par ameters.
|
|
\end{itemize}
|
|
|
|
\subsubsection*{Step 4: User Interface}
|
|
Create an interface that balances security and usability:
|
|
\begin{itemize}
|
|
\item Master password input (with appropriate masking).
|
|
\item Commands for managing entries.
|
|
\item Secure display and clipboard operations.
|
|
\end{itemize}
|
|
|
|
\subsubsection*{Step 5: Security Hardening}
|
|
Add security features like:
|
|
\begin{itemize}
|
|
\item Memory protection techniques.
|
|
\item Auto-locking functionality.
|
|
\item Input validation and error handling.
|
|
\end{itemize}
|
|
|
|
\subsection*{Deliverables}
|
|
Submit the following:
|
|
|
|
\begin{enumerate}
|
|
\item Source code for your password manager.
|
|
\item Design document including:
|
|
\begin{itemize}
|
|
\item Threat model and security assumptions.
|
|
\item Description of cryptographic mechanisms used.
|
|
\item Design decisions and their rationale.
|
|
\end{itemize}
|
|
\item User manual explaining how to use your password manager
|
|
\item Security analysis discussing:
|
|
\begin{itemize}
|
|
\item Strengths of your implementation.
|
|
\item Limitations and potential vulnerabilities.
|
|
\item Suggested improvements for a production version.
|
|
\end{itemize}
|
|
\end{enumerate}
|
|
|
|
\subsection*{Evaluation Criteria}
|
|
Your project will be evaluated based on:
|
|
|
|
\begin{itemize}
|
|
\item Correctness of cryptographic implementations.
|
|
\item Security of the overall design.
|
|
\item Completeness of required functionality.
|
|
\item Quality of code and documentation.
|
|
\item Thoughtfulness of security analysis.
|
|
\end{itemize}
|
|
|
|
\subsection*{Resources}
|
|
\begin{itemize}
|
|
\item The course textbook and materials on symmetric encryption.
|
|
\item Libraries: libsodium, OpenSSL, or equivalent based on your language choice.
|
|
\item Research papers on password manager security (see course website).
|
|
\end{itemize}
|
|
|
|
\subsection*{Submission Guidelines}
|
|
\begin{itemize}
|
|
\item Submit your code as a ZIP archive or through a Git repository.
|
|
\item Include all documentation in PDF or Markdown format.
|
|
\item Presentations: Prepare a 10-minute presentation demonstrating your password manager.
|
|
\end{itemize}
|
|
|
|
\end{document}
|