Redistributing this file (including partially) to
CourseHero or other public websites is strictly prohibited.
COMP3334 - Project
Section 1: Overview
Online storage is a popular application in our daily life. With online storage, a user can
upload its files to a server and access them when the user wants. The security of uploaded
content is important because it may contain the sensitive information of users.
In this project, you and your teammates should design a secure online storage system,
which contains various functionalities, such as user authentication, access control, file
encryption and activity auditing, etc.
Section 2: Deadlines
1. Team Registration: 11:59 PM, March 6th, 2025.
2. Submission of required materials: 11:59 PM, April 6th, 2025.
a. The materials include your report, codes and demonstration video.
Section 3: Team Requirements
Students should participate in this project in teams. Each team should have a voluntary
coordinator for administrative purposes. The coordinator should fill in a form
(https://forms.office.com/r/c8VaKumiMG, needs PolyU Connect account) to register
his/her team before 11:59 PM March 6th, 2025.
You may use the discussion board in Blackboard to find your teammates.
To avoid high workload and free riders, each team should contain 3 or 4 students (4 is
recommended).
If there are any students who are not in a team after the deadline, they will be organized as
several teams randomly. We will try to keep the size of teams within 3~4 students. However,
in extreme cases, it may not follow the regular guidelines.
Section 4: Threat Models
Your application should contain two sub-programs, Client and Server.
Client program helps a user upload its files and access them when the user wants.
Server program receives the uploaded files and manages the users.
A user operates a Client program to use your application.
Client and Server are communicated via network connections.
We assume that machine that runs Server is a passive adversary. It executes your program
honestly but monitors communication and the stored data from a Client and wants to
decrypt this Client’s uploaded files. That means, the machine that runs Server does not
perform active attacks, such as altering the messages, returning fake content, etc. It only
READ the messages from a client program and wants to decrypt files based on the read
messages.
We also assume that there is a passive adversary who is an unauthorized user. This
unauthorized adversary may use a legitimate user’s computer to try to access the online
files of that legitimate user.
The security measures in your application should be able to prevent such adversaries.
Section 5: Functionality
The CORE functionalities of your application are listed below:
1. User Management:
a. Register a user by username and password.
i. The username must be unique.
ii. The password must be hashed by a proper algorithm.
b. Log in
i. Check whether the password is identical to the password in
registration.
c. A user should be able to reset its password.
2. Data Encryption:
a. Upload
i. When a user uploads a file, the client should encrypt the file using
an appropriate cryptosystem, with the key securely generated and
stored locally.
ii. Server should not be able to read the file in plaintext.
b. Download
i. When a user downloads a file, the client should decrypt the file and
return the plaintext to the user.
3. Access Control
a. A user can only add/edit/delete its own files.
b. A user can share its files with designated users. The designated users should
be able to read the shared files via their Clients.
c. An unauthorized user should not be able to access the file content of other
users.
4. Log Auditing
a. The critical operations, such as logging in, logging out, uploading, deleting,
sharing, should be recorded.
i. A user should not be able to repudiate it.
b. The administrator account of your application should be able to read logs.
5. General Security Protection
a. File name must be valid. Some file names can be used to attack. For
example, the file name “../file.txt” (without quotes) can be used to access
file.txt in the parent folder.
b. Your application should also consider the security threats on accounts, e.g.,
SQL injections.
The EXTENDED functionalities of your application are listed below:
1. Multi-Factor Authentication (MFA): FIDO2, One-Time Password (OTP),
email/phone verification code, etc.
2. Efficient update on files: Suppose you are editing a file that has already been saved
online. If you want to modify a part of this file, find a method that Client does not
need to encrypt the entire file and submit it again.
3. Other security designs that you think are necessary.
Your application should implement at least ALL of the CORE functionalities.
Your application should implement at least ONE of the EXTENDED functionalities.
The implementations on EXTENDED functionalities will be considered in grading.
(However, please do not add too many functionalities to your applications.)
To reduce your workload, your application does not need a Graphical User Interface (GUI).
Running in command line is enough. However, you should at least provide a menu (in
command line) to assist your user to use your application.
Section 6: Programming Languages and Potential Needed Tools
You may use any programming languages you are familiar with. However, it is
recommended to use Python due to its low difficulty.
In the design of Server, you may need a database to host the user information. It is
recommended to use SQLite, which is a lightweight database system.
Python has already provided some cryptography libraries. You can refer to our Tutorial 1.
If you are using C/C++, it is recommended to use OpenSSL, which is a popular and
comprehensive cryptography library in C/C++.
It is recommended to use the existed cryptography libraries as building blocks, because
your own implementation may not consider all security concerns.
However, you are not allowed to call all-in-one libraries to build your application.
Here is an example, which is simply called an existed library as your application.
import xxx_library
server = xxx_library.storage_server()
server.start()
As long as your implementation involves reasonable details for solving this problem, then
it is fine. Unless it is too obvious, we will be very moderate when deciding if
implementation is solely based on all-in-one libraries, i.e., let us see your efforts.
Section 7: Report File
Your report should be within 10 pages. More pages do not lead to higher grades.
• Include your team’s name, your names and student IDs in the report.
• A contribution table indicating your percentage of contributions, in total 100%.
o Grades will be adjusted accordingly.
• Abstract
• Introduction
o Background
• Threat Models
o Who are adversaries?
o What are the abilities of adversaries?
o etc.
• Algorithms you designed to implement functionalities
o For each functionality requirement, what your theoretical design is.
▪ Which building blocks (algorithms, tools, etc.) you used.
▪ How you used them to design a workflow that meets the
requirement.
o To implement your theoretical design, what the technical details are.
▪ Which libraries you used.
▪ Are there any technical challenges? If yes, how you encountered
them.
• At least 2 Test Cases
o To verify whether your design can resist attacks.
o Examples: Whether the files uploaded by users can be read by
unauthorized users or not, SQL Injection Attacks, and whether
unauthorized users can get the secret keys or not, …
• Future Works
• Reference
Section 8: Demonstration Video
A team should record a 10-min demonstration video to demonstrate the designed
functionalities with necessary description.
Section 9: Code
Your code must contain all the source codes, a file that can be imported to SQL database
and a step-by-step document about how to deploy and use your application.
This document must be able to guide a person to deploy and run your application from a
clear Windows 11.0 OS (i.e., no assumptions on pre-installed software/libraries), i.e., your
document should guide a person to install the needed software/libraries and use your
application.
If you are using Python solely, it is recommended to export all your dependencies to a
requirements.txt file when you are done.
Your code should be well documented that is comprehensive comments and is readable.
Section 10: Submission Guidelines
• Create a folder with the name TeamName
o Put all your code in a folder with the name code
o Rename your report with the name report (with the extension name, such as
pdf)
o Rename your video with the name video (with the extension name, such as
mp4)
o Put code, report and video in the folder TeamName
o You should replace TeamName with your actual team’s name, which will be
released after registration period.
• Compress this folder as one zip file.
• Follow the example below to name your zip file by replacing TeamName with your
actual team’s name:
o TeamName.zip
• Your submission should be submitted by your TEAM COORDINATOR before
the deadline.
請加QQ:99515681 郵箱:
[email protected] WX:codinghelp
