Cybersecurity project

Creating a zero trust voting system using the concepts learnt during IAM.

1) Creating the user pool on Cognito

2) Registering an app client

3) Adding a given list of employees in the user pool.

4) Creating groups and assigning respective groups to employees
5) Integrating the Voting server and Voting client with Amazon Cognito using OIDC
a) Updating Client_secrets.json for Server
b) Updating config.py for the server

c) Updating client_secrets.json for Client

d) Updating config.py for Client

e) Running the app

f)

g)
 h)

6) Explain the relevance of JWT tokens w.r.t the project.

JSON Web Tokens (JWT) are tokens generated by the server upon user
authentication on a web application, and then sent to the client (usually a browser)
This token uses the same user-owned access token signature that the server
validates using the secret key. The access token is also verified because it is used to
login into the server. The information in the JWT is decoded and inserted into the
database. Consider the database as a black box, as you are more focused on the
cybersecurity aspect of the project.

7. Explain the use of AWS user pool with respect to the project. [50]
This service makes it easy to add the functionalities of authentication, authorisation
and user management on this app. So, let’s head over to AWS Cognito.
First, let's get started with the 'user management’ part. You want your user to log in
into the voting application. So, head to the ‘User Pools’ option in Cognito and create
a new user pool.
Now that you have created a ‘User Pool’, you will want the app client, which, in this
case, is our voting application, to access this newly created user pool. So, head to
the ‘User Pools’ option in Cognito again and create a new app client.
Next, you should integrate the Voting server and the Voting client with Amazon
Cognito using OIDC. Here, Flask-OIDC is being used to add OpenID Connect-based
authentication to our application. Now, head over to the ‘server’ folder in the ztev
directory. Create a new file and name it ‘client_sercrets.json’. Fill this file with the
details obtained from the AWS Cognito. Refer to the ‘client_secrets.json.example’ file
provided to you to understand how the configuration file should look like. Repeat the
same for the client.

Explain the use of hmac in the project. [50]

HMAC (Hash-based Message Authentication Code) is a type of a message
authentication code (MAC) that is acquired by executing a cryptographic hash
function on the data (that is) to be authenticated and a secret shared key. Like any of
the MAC, it is used for both data integrity and authentication. Checking data integrity
is necessary for the parties involved in communication. HTTPS, SFTP, FTPS, and
 other transfer protocols use HMAC. The cryptographic hash function may be MD-5,
SHA-1, or SHA-256. Digital signatures are nearly similar to HMACs i.e they both
employ a hash function and a shared key. The difference lies in the keys i.e HMACs
use symmetric key(same copy) while Signatures use asymmetric (two different keys).
Applications
• Verification of e-mail address during activation or creation of an account.
• Authentication of form data that is sent to the client browser and then submitted
back.
• HMACs can be used for Internet of things (IoT) due to less cost.
• Whenever there is a need to reset the password, a link that can be used once is
sent without adding a server state.
• It can take a message of any length and convert it into a fixed-length message
digest. That is even if you got a long message, the message digest will be small and
thus permits maximising bandwidth.
Advantages
• HMACs are ideal for high-performance systems like routers due to the use of hash
functions which are calculated and verified quickly unlike the public key systems.
• Digital signatures are larger than HMACs, yet the HMACs provide comparably
higher security.
• HMACs are used in administrations where public key systems are prohibited.
Disadvantages
• HMACs uses shared key which may lead to non-repudiation. If either sender or
receiver’s key is compromised then it will be easy for attackers to create
unauthorized messages.
Suggest ideas to improve the overall security of the project. [50]
User should not be able to vote multiple times.
Steps should be taken to prevent multiple votes like MFA.