WEEK 5: Security Mechanism Laboratory Activity - M199205zn/IAS-CS4 GitHub Wiki

General Instruction: Do not just copy and paste; it might ruin your mind.

Hands-on Activity: Implementing Digital Signatures and Access Control

Objective:
Students will learn how digital signatures ensure data integrity and authentication, and how access control mechanisms restrict unauthorized access to data.


Activity 1: Implementing Digital Signatures

Tools Needed:

  • Python (with cryptography library)
  • Any text editor (VS Code, PyCharm, Notepad++)

Steps:

  1. Generate Public and Private Keys:
     • Use Python's cryptography library to create an RSA key pair.
  2. Sign a Message:
     • Write a function to digitally sign a message using the private key.
  3. Verify the Signature:
     • Write a function to verify the signature using the public key.

Code:

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import serialization, hashes

# Generate RSA Key Pair (2048-bit, public exponent 65537)
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048
)
public_key = private_key.public_key()

# Serialize Keys to PEM (the private PEM is unencrypted here for the lab;
# the public PEM is what you would hand to the verifying party)
private_pem = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption()
)
public_pem = public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)

# Signing a Message: RSA-PSS with SHA-256 over the message
message = b"Confidential Data"
signature = private_key.sign(
    message,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)

# Verifying the Signature: verify() returns None on success and raises
# InvalidSignature on failure, so catch that exception specifically rather
# than a bare except (which would also hide unrelated programming errors)
try:
    public_key.verify(
        signature,
        message,
        padding.PSS(
            mgf=padding.MGF1(hashes.SHA256()),
            salt_length=padding.PSS.MAX_LENGTH
        ),
        hashes.SHA256()
    )
    print("Signature is valid.")
except InvalidSignature:
    print("Signature verification failed.")
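The lab code above signs and verifies with the same in-memory key object, so it never exercises the serialized PEMs or a failing verification. The following added example (not part of the lab handout) splits signer and verifier into functions that work only from PEM bytes, and shows that a tampered message, a corrupted signature, or a different public key is rejected. It assumes the cryptography package from the Tools list is installed; the function names are the example's own.

```python
# Added example: sign from a private PEM, verify from a public PEM only,
# and return a bool so callers can see integrity failures explicitly.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Same scheme as the lab: RSA-PSS with SHA-256 and a maximum-length salt.
PSS_PADDING = padding.PSS(
    mgf=padding.MGF1(hashes.SHA256()),
    salt_length=padding.PSS.MAX_LENGTH,
)


def generate_key_pems():
    """Return (private_pem, public_pem) for a fresh 2048-bit RSA key."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_pem, public_pem


def sign_message(private_pem: bytes, message: bytes) -> bytes:
    """Signer side: only the holder of the private key can produce this."""
    private_key = serialization.load_pem_private_key(private_pem, password=None)
    return private_key.sign(message, PSS_PADDING, hashes.SHA256())


def verify_message(public_pem: bytes, message: bytes, signature: bytes) -> bool:
    """Verifier side: needs only the public PEM; False instead of an exception."""
    public_key = serialization.load_pem_public_key(public_pem)
    try:
        public_key.verify(signature, message, PSS_PADDING, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    priv, pub = generate_key_pems()
    msg = b"Confidential Data"  # constructed sample message
    sig = sign_message(priv, msg)
    print("original verifies:", verify_message(pub, msg, sig))          # True
    print("tampered verifies:", verify_message(pub, msg + b"!", sig))   # False
    _, other_pub = generate_key_pems()
    print("wrong key verifies:", verify_message(other_pub, msg, sig))   # False
```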

Activity 2: Implementing Access Control Using User Roles

Tools Needed:

  • PHP and MySQL (or any database system)
  • Apache Server (XAMPP)

Steps:

  1. Create a MySQL database and a users table with fields for id, username, password, and role.
  2. Insert users with different roles (Admin, User, Guest) into the database, storing each password as a password_hash() value so that password_verify() in step 3 can check it.
  3. Write a PHP script to authenticate users and restrict access based on roles.

Database Table Structure:

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL,
    password VARCHAR(255) NOT NULL,
    role ENUM('admin', 'user', 'guest') NOT NULL
);

Sample PHP Authentication Code:

<?php
session_start();
$conn = new mysqli("localhost", "root", "", "security_db");

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = $_POST["username"] ?? "";
    $password = $_POST["password"] ?? "";

    // Prepared statement: the username is bound as a parameter instead of
    // being interpolated into the SQL string, so user input cannot change
    // the query (the original string concatenation was SQL-injectable).
    $stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();

    // password_verify() compares the submitted password with the
    // password_hash() value stored in the users table.
    if ($user && password_verify($password, $user["password"])) {
        session_regenerate_id(true); // fresh session ID once authenticated
        $_SESSION["role"] = $user["role"];
        echo "Login successful. Role: " . $_SESSION["role"];
    } else {
        echo "Invalid credentials.";
    }
}
?>

Access Control Implementation (Restricting Pages by Role):

<?php
session_start();
// Default to "" when no role is set (not logged in) so the check still
// denies access without an undefined-index warning.
if (($_SESSION["role"] ?? "") !== "admin") {
    die("Access denied: Admins only.");
}
echo "Welcome, Admin!";
?>

Expected Outcome:

  • Students will successfully sign and verify digital signatures using Python.
  • Students will implement a basic authentication and role-based access control system using PHP and MySQL.