Redistributing this file (including partially) to
CourseHero or other public websites is strictly prohibited.
COMP3334 - Project
Section 1: Overview
Online storage is a popular application in our daily life. With online storage, a user can
upload its files to a server and access them when the user wants. The security of uploaded
content is important because it may contain the sensitive information of users.
In this project, you and your teammates should design a secure online storage system,
which contains various functionalities, such as user authentication, access control, file
encryption and activity auditing, etc.
Section 2: Deadlines
- Team Registration: 11:59 PM, March 6th, 2025.
- Submission of required materials: 11:59 PM, April 6th, 2025.
a. The materials include your report, codes and demonstration video.
Section 3: Team Requirements
Students should participate in this project in teams. Each team should have a voluntary
coordinator for administrative purposes. The coordinator should fill in a form
(https://forms.office.com/r/c8VaKumiMG, needs PolyU Connect account) to register
his/her team before 11:59 PM March 6th, 2025.
You may use the discussion board in Blackboard to find your teammates.
To avoid high workload and free riders, each team should contain 3 or 4 students (4 is
recommended).
If there are any students who are not in a team after the deadline, they will be organized as
several teams randomly. We will try to keep the size of teams within 3~4 students. However,
in extreme cases, it may not follow the regular guidelines.
Section 4: Threat Models
Your application should contain two sub-programs, Client and Server.
Client program helps a user upload its files and access them when the user wants.
Server program receives the uploaded files and manages the users.
A user operates 代写COMP333 public websites a Client program to use your application.
Client and Server are communicated via network connections.
We assume that machine that runs Server is a passive adversary. It executes your program
honestly but monitors communication and the stored data from a Client and wants to
decrypt this Client’s uploaded files. That means, the machine that runs Server does not
perform active attacks, such as altering the messages, returning fake content, etc. It only
READ the messages from a client program and wants to decrypt files based on the read
messages.
We also assume that there is a passive adversary who is an unauthorized user. This
unauthorized adversary may use a legitimate user’s computer to try to access the online
files of that legitimate user.
The security measures in your application should be able to prevent such adversaries.
Section 5: Functionality
The CORE functionalities of your application are listed below: - User Management:
a. Register a user by username and password.
i. The username must be unique.
ii. The password must be hashed by a proper algorithm.
b. Log in
i. Check whether the password is identical to the password in
registration.
c. A user should be able to reset its password. - Data Encryption:
a. Upload
i. When a user uploads a file, the client should encrypt the file using
an appropriate cryptosystem, with the key securely generated and
stored locally.
ii. Server should not be able to read the file in plaintext.
b. Download
i. When a user downloads a file, the client should decrypt the file and
return the plaintext to the user. - Access Control
a. A user can only add/edit/delete its own files.
b. A user can share its files with designated users. The designated users should
be able to read the shared files via their Clients.
c. An unauthorized user should not be able to access the file content of other
users. - Log Auditing
a. The critical operations, such as logging in, logging out, uploading, deleting,
sharing, should be recorded.
i. A user should not be able to repudiate it.
b. The administrator account of your application should be able to read logs. - General Security Protection
a. File name must be valid. Some file names can be used to attack. For
example, the file name “../file.txt” (without quotes) can be used to access
file.txt in the parent folder.
b. Your application should also consider the security threats on accounts, e.g.,
SQL injections.
The EXTENDED functionalities of your application are listed below: - Multi-Factor Authentication (MFA): FIDO2, One-Time Password (OTP),
email/phone verification code, etc. - Efficient update on files: Suppose you are editing a file that has already been saved
online. If you want to modify a part of this file, find a method that Client does not
need to encrypt the entire file and submit it again. - Other security designs that you think are necessary.
Your application should implement at least ALL of the CORE functionalities.
Your application should implement at least ONE of the EXTENDED functionalities.
The implementations on EXTENDED functionalities will be considered in grading.
(However, please do not add too many functionalities to your applications.)
To reduce your workload, your application does not need a Graphical User Interface (GUI).
Running in command line is enough. However, you should at least provide a menu (in
command line) to assist your user to use your application.
Section 6: Programming Languages and Potential Needed Tools
You may use any programming languages you are familiar with. However, it is
recommended to use Python due to its low difficulty.
In the design of Server, you may need a database to host the user information. It is
recommended to use SQLite, which is a lightweight database system.
Python has already provided some cryptography libraries. You can refer to our Tutorial 1.
If you are using C/C++, it is recommended to use OpenSSL, which is a popular and
comprehensive cryptography library in C/C++.
It is recommended to use the existed cryptography libraries as building blocks, because
your own implementation may not consider all security concerns.
However, you are not allowed to call all-in-one libraries to build your application.
Here is an example, which is simply called an existed library as your application.
import xxx_library
server = xxx_library.storage_server()
server.start()
As long as your implementation involves reasonable details for solving this problem, then
it is fine. Unless it is too obvious, we will be very moderate when deciding if
implementation is solely based on all-in-one libraries, i.e., let us see your efforts.
Section 7: Report File
Your report should be within 10 pages. More pages do not lead to higher grades.
• Include your team’s name, your names and student IDs in the report.
• A contribution table indicating your percentage of contributions, in total 100%.
o Grades will be adjusted accordingly.
• Abstract
• Introduction
o Background
• Threat Models
o Who are adversaries?
o What are the abilities of adversaries?
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。