Assignment 7: Design review for lottery security
Due Tuesday, December 8th, at 11:55 PM
The assignment is to do a design
review of another group's solution to Assignment 6. We will email
you the names of the students in the group that you will review, along
with the solution they submitted for Assignment 6.
Your report should discuss the merits of the design in the context of the
real world. As a general format, you should include the following:
- Metadata: The names and NetIDs of the group you are reviewing.
- Threat Model: An overview of the threat model for each portion
of the design you are reviewing. Who are the adversaries? What
capabilities do they have? What assumptions are we making about their
limitations? This section should be fairly short.
- Protocol / Design Review: In this section you will want to
evaluate the group's design with respect to the threat model you have
defined above. For each potential threat, you should examine how the design you
are reviewing prevents (or fails to prevent) the threat. For example, one
key design requirement is that a store owner can't print an arbitrary
number of tickets without paying for them. You'll want to explore how the
design either prevents or allows this to occur. At a minimum, you will want
to discuss the following aspects of the group's design.
- How well their design prevents the creation of bogus winning tickets.
- How well their design prevents/deters store owners from underreporting tickets.
- How well their design prevents other potential adversaries (e.g.
couriers, network attackers, etc.) from tampering with the lottery.
- How well their design manages infrastructure (e.g. key management,
access control, etc.).
- Any problems that a holder of a winning ticket might encounter as a result of
the security features of the design (e.g. if a terminal is destroyed between
purchase and redemption, can a winning ticket still be redeemed?).
- Other practical considerations of their design decisions. For example,
if their design requires customers to type in their names, what impact might
this have on lottery sales, the safety of the purchaser, the redemption process, etc.?
If their design requires a courier to collect a log before a prize can be awarded,
how long might a customer have to wait before they can collect their prize?
- Whether your team agrees with the tradeoffs made regarding the above discussion
points.
- Suggestions for improving the design.
- Cost Analysis: Are the design's costs calculated
correctly? Do they justify their costs? Do you agree with the
justifications? Are there any obvious places money could have been saved?
We are not looking for a deep financial analysis here, just a brief
discussion. You shouldn't feel the need to completely rework the design
to something you feel is optimal.
When discussing potential security flaws (fraudulent prizes or underreported tickets), be as
specific as possible. Specify the
knowledge or physical access that an adversary would
need (e.g. the root password for the ticket database computers, PRF keys, access to a vault, the ability to
ensconce the lottery terminal in a Faraday cage). Consider the real-world
likelihood of such attacks. Consider how such attacks might be prevented.
If a potential attack relies on some underspecified detail in the design,
state any assumptions that might be needed for the attack. For example, if your
attack involves stealing a PIN from a central database, and the designers did
not specify any details of this database, you should state that an unencrypted
PIN could be stolen by a database administrator.
Keep in mind that an adversary might be a courier, a shop owner, the
database administrator for the lottery, etc., or any combination of
such people.
If you happen to notice any "strict improvements", make sure to note these. A strict improvement
is any change that would improve security, practicality, or cost with no negative impact on the
rest of the design.
As in our last design review, you might also consider how removing the "tamper-proof" feature
of the terminals might introduce vulnerabilities. Unlike HW5, this is not required.
Logistics
Your solution should be submitted in either PDF or HTML format. If you're
using PDF format, please name your report submit7.pdf. If you're using
HTML, please package everything you're submitting into a single zip file called
submit7.zip. You can submit using this link.
If you're using HTML, the report should be an HTML file named index.html. This HTML
report may
contain images, links to other files, etc. if you include those files in your
submission. Though your solution will be graded on content AND presentation, you
do not need to design a beautiful document.
For this assignment, you must work in the same group that
you worked in for assignment 6. You may not collaborate with anyone
outside your group.