F21CN: Computer Network Security CW2 2021/22
Assessed Paired Coursework 2 — Digital Notary
Copyright © 2021 Manuel Maarek, Heriot-Watt University, Edinburgh.
Copyright © 2018 Hamish Taylor, Heriot-Watt University, Edinburgh.
Learning Outcomes
� Practical experience of analysing, designing, implementing and validating solutions to computer network security
challenges using common network security tools and formal methods.
� Ability to deal with complex issues and make informed judgements about network security in the absence of com-
plete or consistent data.
� Exercise substantial autonomy and initiative in addressing computer network security challenges.
� Showing initiative and team working skills in shared computer network security application development.
� Demonstrate critical reflection on network security issues.
1 Overview
This assessed coursework is for MSc students taking F21CN. It is worth 25% of the overall course
mark for Computer Network Security. It is one of two pieces of assessed coursework for this course.
This coursework is an exercise in creating, using X.509 and PGP certificates. It involves developing an
application that can be securely used to digitally record and verify signatories to a document. The
application is capable of recording a set of signatures to a given document. Each signatory would
have provided a signature of a given document using their own PGP certificate; the set of signato-
ries is then signed using a X.509 certificate which would have been specifically set for the document.
The application is capable of verifying the set of signatures to a given document. The application is
certified by a local Certification Authority (CA) which is also certifying the document’s certificate.
Context of use: the application is to be used by a Notary to witness signatures on documents. The
application should be implemented as a commandline client/server application with the notary server
distributing document, public certificate, signatory certification on request and accepting individual
signature. The application can also be implemented with no network interface and therefor working
on the commandline locally only, see Section 6 for the implication of not including a network interface
to the application. You are expected to add and document your own extra features such as managing
update to the documents, or GUI.
The choice of programming language to implement this application is left to the pair. You can choose
between Java and Python. If you want to use another programming language, please get agreement
from the lecturer first. The learning objective of this coursework is for you to become familiar with
the concepts of certificates and signatures. The work should be done in pairs. However, pairs of stu-
dents also have to join together with other pairs to form a wider group of people who are prepared to
sign each other’s certificates. It is recommended that the pairs do their collaborative work using the
University and MACS systems: Teams, Word Online, GitLab Student1.
2 Tasks
Each member of a pair should perform the following tasks:
1
http://gitlab-student.macs.hw.ac.uk/
Deadline: 3:30pm on Tuesday 30th of November, 2021
http://gitlab-student.macs.hw.ac.uk/
F21CN: Computer Network Security CW2 2021/22
(i) Create one self-signed PGP certificate and private key.
(ii) With the wider group of students, hold virtual key party(ies) for members to sign each other’s
OpenPGP certificates.
(iii) Create a plain text document2; create a new X.509 certificate and private key; get it signed by
your pair’s CA that you created for task (1); sign the document using the new certificate; with
the wider group of students, share the document, the X.509 certificate, and the signature.
(iv) Using your PGP private key, sign documents shared by other students; share the signatures to
the wider group of students.
Each pair should perform the following tasks:
(1) Create a local CA run by the pair (the local CA should be given a suitable X.500 name and
have a self-signed X.509 certificate created for it; it may be appropriate to take steps to ensure
that this certificate has the basic constraint extension set on it to identify it as a CA certifi-
cate).
(2) Form a group with at least one other pair of students and do group activities:
(a) Exercise due diligence in using key to sign other pairs’ certificates using your local CA.
(b) Get your pair’s certificate signed by at least one other pairs’ local CA.
(3) Write an application to record and verify signatures to a given document such as the documents
and signatures shared in tasks (iii) and (iv). The application should have two modes of use:
record to certify a list of signatories to a document, and verify to verify such list of signa-
tories with the corresponding X.509 and PGP certificates.
(4) Sign the application with the private key corresponding either to the pair’s X.509 certificate or
one of the member’s PGP certificate.
(5) Demonstrate your application works correctly using a recorded video. Submit pair report, source
code and demonstration, and individual reports (see Section 3).
X.509 certificates should have a sensible X.500 name. PGP certificates should have sensible identi-
fiers of your owner and include at least an e-mail address and a small photograph of them. Students
should exercise due diligence in key parties when signing each other’s PGP certificates.
3 Reports and Demonstration Recording
A pair report (up to 8 pages) should be jointly3 written and submitted, it should:
1. succinctly describe the project — what your pair did and what you produced, include an intro-
duction section, discussing what you expect to learn from the assignment in general (and for
each task), and describe the environment that you used to complete the tasks (e.g., what ma-
chines, software and versions)
2Use respectful plaintext document, if you do not have a document at hand, you can pick your favourite quote from
NCSC’s email security guidance: https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing
3Marks will be given based on each pair’s demonstration and written submissions. Pair members may also elect to
be individually assessed, but need to inform the lecturer at least two weeks before the deadline.
Deadline: 3:30pm on Tuesday 30th of November, 2021
https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing
F21CN: Computer Network Security CW2 2021/22
2. list certificates, source files and code along with a brief account of how it works (prior and after
revocations), use either screenshots or just cut-and-paste the command line with the responses,
documenting the steps taken on each of the tasks above
3. explain any observations that are interesting or surprising, document any difficulties that you
met while doing any of the tasks.
An individual report (up to 2 pages) should be individually written and submitted, it should:
1. include an account of who did what on your pair work, give a percentage estimate
2. critically discuss the proposed security solution in terms of its security policy, threat model and
a risk assessment of how well the deployed security measures mitigate threats4
3. in particular, discuss the impact of performing these activities partially or fully virtually.
A pair demonstration recording (up to 5 minutes), it should:
� involve both members of the pair
� be a screencast
� demonstrate the use of the application
� explain the main elements of the source code of the application
For the pair demonstration, we recommend you use Teams to record a meeting where you would share
your screen(s). Such recording is then available on Microsoft Stream where you can do simple trim-
ming if necessary. You can then download locally the recording to upload it on Canvas.
4 Note on plagiarism and collusion
This is a group coursework and you are expected to work in pairs to complete the coursework tasks.
Your coursework submissions will be automatically checked for plagiarism. Here are some further
points to take into consideration (here, your refers to the pair of students in the group):
� Coursework reports must be written in your own words and any code in your coursework must
be your own code. If some text or code in the coursework has been taken from other sources,
these sources must be properly referenced.
� Failure to reference work that has been obtained from other sources or to copy the words and/or
code of others is plagiarism and if detected, this will be reported to the School’s Discipline
Committee. If a student is found guilty of plagiarism, the penalty could involve voiding the
course.
� Students must never give hard or soft copies of their coursework reports or code to others. Stu-
dents must always refuse any request from others for a copy of their report and/or code.
� Sharing a coursework report and/or code with other students is collusion, and if detected, this
will be reported to the School’s Discipline Committee. If found guilty of collusion, the penalty
could involve voiding the course.
4Note that this last item differs in the assessment of F20CN and F21CN. Pairs may be composed of F20CN and
F21CN students.
Deadline: 3:30pm on Tuesday 30th of November, 2021
F21CN: Computer Network Security CW2 2021/22
� And remember: the consequences of taking unacceptable short cuts in coursework are much
worse than getting a bad mark (or even no marks) on a piece of coursework. There has been
one case this year where a student was awarded on Ordinary degree (rather than an Honours
degree) because of the sanction imposed by the University’s Discipline Committee. The offence
was plagiarism of coursework.
� Further information on academic misconduct can be found in: https://www.hw.ac.uk/students/
doc/discguidelines.pdf
5 Submission
The written reports, demonstration recording, URL to the pair’s GitLab Student project must be sub-
mitted on Canvas. Each report must be submitted as a single file. Include a summary/conclusion sec-
tion, where you discuss whether your expectations were met, highlighting issues of particular impor-
tance, what you learned, and suggesting further work.
Your coursework is due to be submitted by 3:30pm on Tuesday 30th of November, 2021.
The course applies the University’s coursework policy.
� No individual extension for coursework submissions.
� Deduction of 30% from the mark awarded for up to 5 working days late submission.
� Submission more than 5 working days late will not get a mark.
� If you have mitigating circumstances for an extension, talk to your Personal Tutor and submit a
Mitigating Circumstances (MC) form online5.
You should expect feedback on your submitted coursework by Tuesday 21th of December, 2021.
6 Marking Scheme
Total marks for F21CN Coursework 2: 100
1. Certificate, notary recording, notary record verification
These should conform to the specification and be detailed and evidenced in the
report. (25 marks)
2. Application code
The code should be commented, (snippets) presented in the report and demonstrated. The
application functions and security implementation must be evidenced in the report and in the
demonstration recording. (25 marks)
3. (individual part) Security analysis, threat model, risk assessment
The security norms at stake should be critically discussed, it should discuss the threat model
considered and give a detailed risk assessment. (25 marks)
5
http://www.hw.ac.uk/students/studies/examinations/mitigating-circumstances.htm
Deadline: 3:30pm on Tuesday 30th of November, 2021
https://www.hw.ac.uk/students/doc/discguidelines.pdf
https://www.hw.ac.uk/students/doc/discguidelines.pdf
http://www.hw.ac.uk/students/studies/examinations/mitigating-circumstances.htm
F21CN: Computer Network Security CW2 2021/22
4. Report and demonstration
The report should be well structured and provide the necessary codes, commands and screen-
shot to document the work done. (25 marks)
Grade guidance
� A 70% and over Full implementation of the specification including network interface and extra
features. Excellent quality of reports, demonstration and code.
� B 60-69% Full implementation of the specifications including network interface but without nec-
essary extra features. Very good quality of report, demonstration and code.
� C 50-59% Implementation of the most of the specifications with partial network interface, with-
out extra features. Good quality of report, demonstration and code.
� D 40-49% Partial implementation of the specifications without network interface, without extra
features. Acceptable quality of report, demonstration and code.
� E 30-39% Partial implementation of the specifications without network interface, without extra
features. Weak report, demonstration and code.
� F 0-29% Limited implementation of the specifications without network interface, without extra
features. Incomplete report, demonstration and code.
Deadline: 3:30pm on Tuesday 30th of November, 2021
Overview
Tasks
Reports and Demonstration Recording
Note on plagiarism and collusion
Submission
Marking Scheme