Week 8 Deliverables Overview: This Week You Have Studied Web
This week, you have studied Web application vulnerabilities, password complexity, logs and log analysis, and cryptographic algorithms, and you have installed a geolocation module that maps IP addresses to a specific latitude and longitude. The Lab for this week demonstrates that additional knowledge applied using Python functionality. Be sure to develop and test your Python code in the AWS Cloud9 IDE provided for the class. You should continue to use the PEP Python Style guide mentioned in the book and found here: Some examples of Python coding style best practices include:
- Limit all lines to a maximum of 79 characters.
- Imports are always put at the top of the file, just after any module comments and before module globals and constants.
- Use 4 spaces for indentation.
Submission requirements for this project include 2 files (zipping them into one file is acceptable and encouraged):
- Python Application Tools Code
- PDF or Word file showing your cryptographic puzzle-solving skills, along with the tests and log analysis documentation resulting from using your Python application tools
Paper for the Above Instruction
This project encompasses the development of a Python-based web application with integrated security features, log analysis, and cryptographic puzzle solving, implemented within the AWS Cloud9 environment. It is designed to assess and demonstrate proficiency in handling user authentication, enforcing password complexity, logging failed login attempts, analyzing logs for suspicious activity, and decrypting messages using various cryptographic techniques. The system comprises multiple Python modules and web forms, adheres to security standards and best practices, and is accompanied by detailed testing and documentation that validate the implemented functionality.
Development of Authentication and User Management Functions
The foundational component of this project is the implementation of a user login system with password management capabilities. Users should be able to log into the web application through a password form that verifies credentials against a stored user data file. Upon successful login, the system displays a greeting and provides a form to update the user's password. Password validation must comply with the NIST SP 800-63B guidelines, ensuring a minimum length of 8 characters and a maximum of 64 characters. It also involves verifying that the password is not among the list of commonly used or compromised passwords stored in the file CommonPasswords.txt.
Furthermore, the password update functionality allows users to change their passwords after login, with the same strength and security criteria enforced during the update. To prevent brute-force attacks and repeated unauthorized login attempts, a rate-limiting mechanism that activates after 15 failed attempts should be integrated. All failed login attempts must be logged with timestamps and IP addresses, so that they can later be analyzed for potential security threats.
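As an added illustration, not code from the assignment or from any submission, the following Python sketch implements the password policy and the 15-attempt rate limiter described above. The common-password set is a constructed stand-in for CommonPasswords.txt, and the log line format is an assumption; in a Flask form handler the client IP would come from request.remote_addr.

```python
# Added example, not the assignment's own code: NIST SP 800-63B style
# password checks plus failed-login logging with a 15-attempt rate limiter.
from datetime import datetime, timezone

# Constructed stand-in for the contents of CommonPasswords.txt (lowercase).
COMMON_PASSWORDS = {"password", "123456789", "qwertyuiop", "letmein1"}
MIN_LEN, MAX_LEN = 8, 64   # SP 800-63B bounds, counted in characters
MAX_FAILURES = 15          # the assignment's rate-limit threshold


def load_common_passwords(path):
    """Read CommonPasswords.txt (one password per line) into a set."""
    with open(path, encoding="utf-8") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


def validate_password(candidate, blocklist=COMMON_PASSWORDS):
    """Return (ok, reason). Length is measured in characters, so spaces
    and non-ASCII letters in a passphrase are allowed, as SP 800-63B asks."""
    if len(candidate) < MIN_LEN:
        return False, "shorter than 8 characters"
    if len(candidate) > MAX_LEN:
        return False, "longer than 64 characters"
    if candidate.lower() in blocklist:
        return False, "found in common password list"
    return True, "ok"


class LoginGuard:
    """Counts failed logins per client IP and records each as a log line
    'YYYY-MM-DD HH:MM:SS <ip> FAILED_LOGIN user=<name>' (UTC)."""

    def __init__(self, log_path=None):
        self.log_path = log_path   # None keeps the log in memory only
        self.log_lines = []
        self.failures = {}         # ip -> failed attempt count

    def is_blocked(self, ip):
        return self.failures.get(ip, 0) >= MAX_FAILURES

    def record_failure(self, ip, username):
        """Log one failed attempt; return the IP's running failure count."""
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        line = f"{stamp} {ip} FAILED_LOGIN user={username}"
        self.log_lines.append(line)
        if self.log_path:
            with open(self.log_path, "a", encoding="utf-8") as fh:
                fh.write(line + "\n")
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return self.failures[ip]
```

Call is_blocked before checking the submitted password so that a blocked client never reaches the credential comparison, and count a failure only for a wrong password, not for a malformed request.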
Logging and Log Analysis
The logging system captures each failed login attempt, recording the date, time, and IP address, and stores the entries in a log file. The log analyzer reads this log file to identify IP addresses with more than ten failed attempts within a five-minute window. For such IPs, the application uses the ip2geotools library to perform geographic lookups, returning latitude and longitude coordinates. The analysis results are compiled into reports that indicate suspicious activity, such as repeated login failures, together with their geolocations, to assist security monitoring.
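An added example, not the assignment's own code, of the log analyzer's core: a per-IP sliding five-minute window over constructed log lines in an assumed "date time ip ..." format. The geolocation step is left as the geolocate hook because an ip2geotools lookup is a network call.

```python
# Added example, not the assignment's own code: sliding-window analysis of
# the failed-login log to flag IPs with >10 failures in any 5-minute span.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log: 11 failures from one IP inside 50 seconds, two
# from another IP half an hour apart (the second must not be flagged).
SAMPLE_LOG = "\n".join(
    [f"2024-03-01 10:00:{s:02d} 198.51.100.7 FAILED_LOGIN user=alice"
     for s in range(0, 55, 5)]
    + ["2024-03-01 10:01:00 203.0.113.9 FAILED_LOGIN user=bob",
       "2024-03-01 10:31:00 203.0.113.9 FAILED_LOGIN user=bob"])


def parse_log(text):
    """Yield (timestamp, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
            yield stamp, match.group(2)


def find_suspicious_ips(text, window=timedelta(minutes=5), threshold=10):
    """Return {ip: peak failures in one window} for IPs over threshold."""
    by_ip = defaultdict(list)
    for stamp, ip in parse_log(text):
        by_ip[ip].append(stamp)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()              # log order is not guaranteed
        recent, peak = deque(), 0
        for stamp in stamps:
            recent.append(stamp)
            while stamp - recent[0] > window:   # expire old attempts
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def build_report(text, geolocate=None):
    """Report lines; geolocate(ip) -> (lat, lon) can wrap ip2geotools."""
    return [f"{ip}: {peak} failed logins within 5 minutes"
            + (f" at {geolocate(ip)}" if geolocate else "")
            for ip, peak in sorted(find_suspicious_ips(text).items())]
```

A fixed five-minute bucket would miss a burst that straddles a bucket boundary; the sliding window counts every burst regardless of where it starts.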
Cryptographic Puzzle Solving
In addition to the web application functionalities, the project involves decrypting three messages encrypted with different cipher algorithms. This task requires experimenting with cipher techniques, such as substitution, Caesar, or other classical methods, utilizing online tools like Rumkin Cipher Tools. The decrypted messages and details about the cipher methods and parameters used should be documented thoroughly, demonstrating understanding of cryptographic principles and decryption workflows.
Testing and Documentation
All functionalities, including login, password update, logging, analysis, and cryptographic decryption, should be rigorously tested within the AWS Cloud9 IDE. The testing results, including input samples, expected vs. actual outputs, and any issues encountered, must be compiled into a comprehensive report. This report provides evidence of the correctness and robustness of the implemented system, adherence to security standards, and understanding of cryptographic techniques.
Submission Instructions
The student's submission must include two files: a Python script or package containing all application tools and web forms, and a PDF or Word document detailing the cryptographic decryption process, tests, log analysis, and system evaluation. Packaging the files together in a zip archive is recommended for convenience.
Overall Objectives
This project aims to integrate web security practices, logging and analysis, cryptography, and cloud-based development within a single cohesive Python application. The goal is to create a secure, well-documented, and thoroughly tested system that demonstrates mastery of these critical cybersecurity and cryptography concepts, aligned with academic and industry standards.
Important Reminders
Begin your development early, leverage prior class experience with Python and web development, modularize your code for reusability, and adhere to best practices for coding style. Use the IP address request environment variable to capture client IPs, and install necessary modules like ip2geotools to enable geolocation features. Ensure your documentation includes detailed descriptions of your methodology, challenges, solutions, and test results to support grading and academic integrity.
References
- National Institute of Standards and Technology (NIST). (2017). Digital Identity Guidelines: Authentication and Lifecycle Management (SP 800-63B).
- Python Software Foundation. (2023). Python Style Guide (PEP 8).
- Rumkin Cipher Tools. (n.d.). [Online cipher tool]. Retrieved from https://www.rumkin.com/tools/cipher/
- ip2geotools Python Module. (n.d.). [Installation guide]. Retrieved from https://github.com/rurtu/ip2geotools
- Flask Documentation. (2023). Flask Web Framework. Retrieved from https://flask.palletsprojects.com/
- Cybersecurity & Infrastructure Security Agency (CISA). (2022). Log Management Best Practices.
- Stallings, W. (2023). Cryptography and Network Security (7th ed.): decrypted message examples and cryptographic techniques.
- OWASP Foundation. (2021). Guidelines for Secure Password Storage.
- OWASP Foundation. (2020). OWASP Top Ten: Secure Web Application Development.
- Amazon Web Services. (2023). AWS Cloud9 Official Documentation. Retrieved from https://docs.aws.amazon.com/cloud9/