**Overview**

The objective of Assignment 1 is to evaluate your knowledge of the topics covered in Lectures 1-4. Topics include Basic Security Techniques, Secret Key Encryption Techniques, and Public-Key Techniques for Cloud Computing. Assignment 1 will focus on developing your abilities in application of knowledge, critical analysis and decision making. Assignment 1 contains several problems related to the topics mentioned above. You are required to prepare the solutions and upload them as a single PDF or Word document in CANVAS.

In this assignment, there are 3 (three) questions related to AWS. Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform. AWS Key Management Service uses the Advanced Encryption Standard (AES) algorithm with 128-bit secret keys for Server-Side Encryption. The first question Q1 of this assignment is about the **Advanced Encryption Standard (AES)**. This question has two main parts. In the first part, you are expected to generate the first-round key of AES. In the second part, you are expected to perform one complete round of AES encryption. Through this question, you are expected to understand the encryption process of AES in detail.

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. Amazon EC2 uses Public Key Cryptography Standards (PKCS #1) to encrypt and decrypt login information. The second question Q2 of this assignment is about using **PKCS #1** to protect login information. This question has three main parts. In the first part, you are expected to generate a PKCS #1 public key and compute the PKCS #1 private key. In the second part, you are expected to perform PKCS #1 encryption on login information. In the third part, you are expected to perform PKCS #1 decryption. Through this question, you are expected to understand PKCS #1 for Amazon EC2.

Each instance that you launch in AWS has an instance identity document that provides information about the instance itself. The instance identity document is generated when the instance is launched and it is exposed (in plaintext) through the Instance Metadata Service. The last question of the assignment is about using the **ECC NIST P-256 signature standard** to sign and verify the instance identity document. The question has three main parts. In the first part, you are expected to generate your public and private key pair for ECC NIST P-256 signature standard. In the second part, you are expected to sign an instance identity document. In the third part, you are expected to verify the signature on the instance identity document. Through this question, you are expected to understand ECC NIST P-256 signature standard for AWS.

Develop this assignment in an iterative fashion (as opposed to completing it in one sitting). You should be able to start preparing your answers immediately after the Lecture-1 (in Week-1). At the end of each week starting from Week-1 to Week-4, you should be able to solve at least one question.

If there are questions, you may ask via the relevant Canvas discussion forums in a general manner.

**Learning outcomes**

This assessment is relevant to the following Learning Outcomes:

- understand the security issues of cloud computing.
- learn how the underlying secret key encryption techniques work for cloud.
- learn how the underlying public-key techniques work for cloud.

**Submission**

You must follow the following special instructions:

- You must use the values provided in the questions.
- Hand-written answers are not allowed and will not be assessed. Compose your answers using any word processing software (e.g. MS Word).
- You are required to show all of the steps and intermediate results for each question.
- Upload your solution as a single PDF or Word document in CANVAS.

This assessment will determine your ability to:

- Follow requirements provided in this document and in the lessons.
- Independently solve a problem by using security concepts taught over the first four weeks of the course.
- Meet deadlines.

After the due date, you will have 5 business days to submit your assignment as a late submission. Late submissions will incur a penalty of 10% per day. After these five days, Canvas will be closed and you will lose ALL the assignment marks.

**Assessment details**

Please ensure that you have read **Section 1** to **3** of this document before going further. Assessment details (i.e. question Q1 to Q5) are provided in the **next page**.

**Q1. Advanced Encryption Standard (AES)**

**(Marks: 5=1+1+1+1+1)**

Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform. AWS Key Management Service uses the Advanced Encryption Standard (AES) algorithm with 256-bit secret keys for Server-Side Encryption. **Advanced Encryption Standard (AES)** is a symmetric block cipher that operates on 128-bit blocks with a key size of 128, 192, or 256 bits. The number of encryption rounds is determined by the cipher key size: the standard uses 10 rounds in AES-128, 12 rounds in AES-192, and 14 rounds in AES-256. Figure 1 displays the structure of AES encryption. Each round covers four main transformations: SubByte, Shift Row, Mix Column, and Add Round Key.

__Figure 1. AES Encryption Structure__

Let us start with the following input:

**K** (secret key): the first 128 bits of ASCII codes of your full name and student ID (without ‘s’)

**P** (plaintext): the first 128 bits of ASCII codes of your RMIT student email address

Now perform a round of encryption on the plaintext using AES-128, writing out the following steps:

- Derive Round 0 key (16 bytes)
- Calculate the **Initial** Transformation output
- Calculate the first **SubByte** Transformation output
- Calculate the first **Shift Row** Transformation output
- Calculate the first **Mix Column** Transformation output

Please show your calculation steps for each sub-question.
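The five steps listed above, traced in code so that hand calculations can be checked byte by byte. This is an added example, not part of the assignment; the function names are this example's own, and the key and plaintext are passed in as hex strings.

```python
# Added example, not part of the assignment: trace of the first AES-128 round.

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """S-box: inverse in GF(2^8), then the affine map with constant 0x63."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):  # XOR in the four left rotations of the inverse
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    # State is column-major: byte i sits at row i % 4, column i // 4.
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        out += [gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out

def first_round_trace(key_hex, pt_hex):
    k0 = list(bytes.fromhex(key_hex))  # Round 0 key is the cipher key itself
    init = [b ^ k for b, k in zip(bytes.fromhex(pt_hex), k0)]  # initial AddRoundKey
    sb = sub_bytes(init)
    sr = shift_rows(sb)
    mc = mix_columns(sr)
    steps = dict(round0_key=k0, initial=init, sub_bytes=sb, shift_rows=sr, mix_columns=mc)
    return {name: bytes(v).hex() for name, v in steps.items()}
```

The FIPS-197 Appendix B key and plaintext make a convenient check, since the standard prints the state after each of these steps.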

**Q2. Use PKCS #1 to Protect Cloud Login Information**

**(Marks: 5=1+1+1+1+1)**

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. Amazon EC2 uses Public Key Cryptography Standards (PKCS #1) to encrypt and decrypt login information.

PKCS#1 is the first of a family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories.

Assume that you manage Amazon EC2. To protect user login information from eavesdroppers, you need to choose a PKCS #1 public and private key pair for the cloud and make the cloud public key known to all users. When a user sends his login information to the cloud, he will use the cloud public key to encrypt his login information as shown in Figure 2.

__Figure 2. Cloud Login Information Protection__

- Randomly generate a PKCS #1 public key for the cloud. The public modulus is required to have 2048 bits. The encryption key is the largest prime factor of your student ID.
- Compute the cloud private key corresponding to the cloud public key.
- Assume that the login information of the cloud user is “your email address, your password, current date and time” (note: the password can be chosen randomly). To protect your login information, what should you do before sending to the server?
- What should the Server do to read (verify) the received login information?
- Analyse the security of the cloud login information protection.

Please refer to:

- https://www.mobilefish.com/services/rsa_key_generation/rsa_key_generation.php for key generation
- https://www.boxentriq.com/code-breaking/modular-exponentiation for big number modular exponentiation
- https://www.boxentriq.com/code-breaking/big-number-calculator for big number computation
- https://www.alpertron.com.ar/ECM.HTM for integer factorisation
- https://www.rapidtables.com/convert/number/ascii-to-hex.html for ascii to hex

**Q3. Verify Instance Identity Document with ECC Signature Standard**

**(Marks: 5=1+1+1+1+1)**

Each instance that you launch in AWS has an instance identity document that provides information about the instance itself. The instance identity document is generated when the instance is launched and it is exposed (in plaintext) through the Instance Metadata Service. AWS uses the **ECC NIST P-256 Signature Standard** to sign and verify the instance identity document as shown in Figure 3.

__Figure 3. Cloud Instance Identity Document Verification__

Assume that you are a manager of AWS. To sign and verify the instance identity document with ECC NIST P-256 Signature Standard, you choose a private key for AWS, compute the corresponding public key and make it known to all cloud users. When a cloud user creates an instance, AWS signs the instance identity document. Everyone can verify the signature of AWS on the instance identity document.

Suppose that AWS uses ECC NIST P-256 Signature Standard over an elliptic curve y^{2}=x^{3}+7 (mod p) and a generator P=(x,y), where

x = 55066263022277343669578718895168534326250603453777594175500187360389116729240

y = 32670510020758816978083085130507043184471273380659243275938904335757337482424

p = 115792089237316195423570985008687907853269984665640564039457584007908834671663

q = 115792089237316195423570985008687907852837564279074904382605163141518161494337

- Verify if (x,y) belongs to the elliptic curve.
- Assume that the private key of ECC NIST P-256 Signature Standard for AWS is your student ID (without ‘s’), compute the corresponding public key.
- Generate an ECC NIST P-256 Signature on the following instance identity document:

"devpayProductCodes" : null,

"marketplaceProductCodes" : [ "1abc2defghijklm3nopqrs4tu" ],

"availabilityZone" : "us-west-2b",

"privateIp" : "10.158.112.84",

"version" : "2017-09-30",

"instanceId" : "i-1234567890abcdef0",

"billingProducts" : null,

"instanceType" : "t2.micro",

"accountId" : "123456789012",

"imageId" : "ami-5fb8c835",

"pendingTime" : "2020-07-20M16:32:11Z",

"architecture" : "x86_64",

"kernelId" : null,

"ramdiskId" : null,

"region" : "us-west-2"

- Verify the signature (generated in (3)) with the public key of AWS.
- Analyse the authentication of the instance identity document.

Note: Please use SHA-1 to hash the instance identity document and compute aP and bP with the online ECC calculator http://www.christelbach.com/ECCalculator.aspx.
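The point check, public key computation, signing and verification steps of Q3 over the curve, generator and order given above, as an added example that is not part of the assignment. The function names are this example's own; the private key and document bytes are supplied by the caller, and SHA-1 is used as the note specifies.

```python
import hashlib, secrets
# Added example. Curve, generator and order exactly as given in Q3:
# y^2 = x^3 + 7 (mod p), generator G of order q.
p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
q = 115792089237316195423570985008687907852837564279074904382605163141518161494337
G = (55066263022277343669578718895168534326250603453777594175500187360389116729240,
     32670510020758816978083085130507043184471273380659243275938904335757337482424)

def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % p == 0

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):
    R = None  # double-and-add scalar multiplication k*A
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def h(msg):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def sign(msg, d):
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh secret nonce for every signature
        r = mul(k, G)[0] % q
        s = pow(k, -1, q) * (h(msg) + r * d) % q
        if r and s:
            return r, s

def verify(msg, sig, Q):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    X = add(mul(h(msg) * w % q, G), mul(r * w % q, Q))  # aP + bQ with a = h*w, b = r*w
    return X is not None and X[0] % q == r
```

The signature covers the exact bytes passed in, so signer and verifier must hash the same serialisation of the document, including whitespace.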