Summary: For this assignment, you will modify a http server program to provide authentication and access control for its various services.

Problem statement: An emerging start-up, Mako, has had some recent success and so have started developing an online portal for their expanding number of employees. Having seen the failings of many other businesses in recent times, the founder of the company has decided that security is of utmost importance for their online portal. This has led them to employ you, an emerging cyber security expert, to  add  authentication  and  access  control  services  to  their   online   portal  in  its  early  phases  of development.

Requirements: You will  use the  either the Java  or  Python  skeleton  application1   provided  with  this assessment and add the following features:

.    Admin console. This console can only be accessed by clients that are authenticated as a user in the  admin  group.  It  includes  a  collection  of  functions  that  involve  modifying  other  clients, namely add user, modify user, and delete user. Add user allows the admin to add a user to the system. The admin specifies a username and email, and the server generates a random password for that user and sends it to them along with the username in an email. Modify user allows the admin to change the group that a user belongs to. Delete user allows the admin to remove the specified user.                           (20 Marks)

。 The program should start up with one default user, root, who is a part of the admin group,

and starts with a randomly generated password which is printed by the server program.

.    Password storage. The stored passwords of users in the system should follow good practices. (10 Marks)

.    Multi-factor  authentication.  Before  requesting  any service, the client sends the server their username and password, the server then sends a code to the client’s email, which the client must reply with. To handle the sending of the email, we recommend using:

1. You may use a language other than Java or Python, just note that you will likely have to translate the skeleton programs.

https://www.mailgun.com/.                                                                                                     (20 Marks)  .    Token authentication. After  multi-factor authentication, the client should be given a “token”,  which is valid for 15 minutes from being issued. As long as the client provides a correct and valid  token to the server, the server will  not  require  multi-factor  authentication. The token  itself should be a unique and hard to guess/predict value (that is a string or number).            (20 Marks)

.    Access control. There are several services implemented in the server skeleton program, you will add the Biba access control model to them, where object labels of each service are given in Table 1.  All clients are assigned “ rw” permissions for all resources at the access control matrix level, so their access is purely determined according to the rules of the Biba model. Additionally, we provide the read and write endpoints in Table 1, these correspond to the read/write function in the server code for that row’s resource.             (16 Marks)

。 This  access  control  model  does  not  apply  to  the  admin  console,  it  instead  can  only  be accessed (read and write) by users in the admin group.

。 The admin group also has the security level of Top Secret.

。 In total, we have three security levels: Top Secret, Secret, and Unclassified. Their hierarchy is in that same order Top Secret > Secret > Unclassified.

Table 1: Object Labels for the Online Portal Resources

.    You will also write a small client program to demonstrate these features, it is sufficient to test and demonstrate each one simply procedurally.                                                                      (4 Marks)

.    Further details specific to the Java or Python programs are given in the README.md file that is in their respective folders in the starter programs available on Canvas.

Reflections            (10 Marks)

As a capstone this assessment, you will write a brief reflection on the program you have helped to develop in the first part of the assignment. This reflection should be about 600-1000 words of length and will firstly discuss what you have learnt from extra resources, such as websites, textbooks, or large language models, to complete the tasks. The reflection will then relate what you have learnt to subjects covered in our labs and lectures. To strengthen your reflection, you will also discuss the limitations of your developed program, such as scalability or the limited environments where it may be securely used, for each of those limitations introduce a technology that would likely address it (e.g. SSL, IPSec, etc.).