\section{Overview}
\begin{table}[h]
\begin{center}
\begin{tabular}{l|l}
\textbf{Thesis title} & Password Compromise Monitoring Tool\\
\textbf{Thesis title CZ} & Nástroj pro monitoring kompromitace hesel\\
\textbf{Supervisor} & Ing. David Malaník, Ph.D.\\
\end{tabular}
\caption{Overview}
\label{tab:overview}
\end{center}
\end{table}
\subsection{Thesis guidelines}
\begin{enumerate}
\item Specify the requirements for the system with regard to its security.
\item Select suitable data sources for verifying password compromise.
\item Design a system for the online management of its own database of compromised logins.
\item Implement the designed system in a test environment and verify its functionality.
\item Verify the isolation of user accounts in your system. Describe the security mechanisms that ensure it.
\end{enumerate}
\newpage
\section{Thesis outline}

% set up list numbering with arabic numerals (1., 1.1, 1.1.1).
\renewcommand{\labelenumi}{\arabic{enumi}.}
\renewcommand{\labelenumii}{\arabic{enumi}.\arabic{enumii}}
\renewcommand{\labelenumiii}{\arabic{enumi}.\arabic{enumii}.\arabic{enumiii}}
\textbf{Introduction}

\textbf{Theoretical part}
\begin{enumerate}[itemsep=0em]
\item Purpose
\item Terms introduction
\item Cryptography primer
\begin{enumerate}[itemsep=0em]
\item Hash functions
\begin{enumerate}[itemsep=0em]
\item Uses and \textit{mis}uses
\item Threats to hashes
\end{enumerate}
\item Encryption
\begin{enumerate}[itemsep=0em]
\item The key exchange problem
\item The key protection problem
\end{enumerate}
\end{enumerate}
\item Brief history of passwords
\begin{enumerate}[itemsep=0em]
\item Purpose over time
\item What is considered a password
\item Problems with passwords
\begin{enumerate}[itemsep=0em]
\item Arbitrary length requirements (min/max)
\item Arbitrary complexity requirements
\item Restricting special characters
\end{enumerate}
\end{enumerate}
\item Password strength validation
\item Web security
\begin{enumerate}[itemsep=0em]
\item Browsers
\item Cross-site scripting
\item Content Security Policy
\end{enumerate}
\item Sandboxing
\begin{enumerate}[itemsep=0em]
\item User isolation
\item Process isolation
\item Namespaced isolation
\end{enumerate}
\item Data storage
\begin{enumerate}[itemsep=0em]
\item Integrity
\item Authenticity
\item Confidentiality
\item Encryption-at-rest
\end{enumerate}
\item Compromise checking and prevention
\begin{enumerate}[itemsep=0em]
\item HIBP and similar tools
\item OWASP Top 10 for implementers
\item Password best practices
\end{enumerate}
\end{enumerate}
\medskip
\textbf{Practical part}
\begin{enumerate}[itemsep=0em]
\setcounter{enumi}{9} % continue numbering after the nine theoretical chapters
\item Toolchain
\begin{enumerate}[itemsep=0em]
\item Development
\begin{enumerate}[itemsep=0em]
\item A word about \href{https://builtwithnix.org/}{Nix}
\end{enumerate}
\item Production
\end{enumerate}
\item Application architecture
\begin{enumerate}[itemsep=0em]
\item Data integrity
\item Data authenticity
\item Data confidentiality
\item Connection security
\item User isolation
\end{enumerate}
\item Implementation
\begin{enumerate}[itemsep=0em]
\item Compromise checking
\begin{enumerate}[itemsep=0em]
\item Have I Been Pwned? integration
\item Local dataset plugin
\end{enumerate}
\item Best practices
\item Database configuration
\item Deployment recommendations
\end{enumerate}
\item Validation
\begin{enumerate}[itemsep=0em]
\item Unit tests
\item Integration tests
\item Click-ops
\end{enumerate}
\end{enumerate}
\textbf{Conclusion}
\newpage
\section{Theoretical part status}

Chapters started include: 3.1.1, 4.3.3, 6, 6.1, 7.1, 7.2, 7.3, 8.\\
Pages written in total amount to less than 5 (as of \today).\\
Given how much I've written so far, I have not cited any resources.

\newpage
\section{Practical part status}

Chapters started include: 12.1, 12.2, 12.3, 12.4.

The application is going to be a monolithic (no microservices planned),
statically linked (ideally), self-contained \href{https://go.dev/}{Go} program
serving generated HTML using a combination of the SSR-first
\href{https://github.com/kyoto-framework/kyoto}{Kyoto} framework and Go's
native templating support. The exposed REST API will make it possible to plug in
alternative clients (such as CLI or mobile ones) in the future.
The fitness of a GraphQL API is also going to be explored.

Client-side JS might be added, should building a particular component of the
application be hardly feasible without it, although I'd love to get by without
it, if at all possible.

On the backend, the application is going to talk to a
\href{https://www.postgresql.org/}{PostgreSQL} database for raw data
and to \href{https://immudb.io/}{immudb} for verification of data integrity
(append-only mode on the immudb side). Data is going to be stored encrypted at rest
and is only ever going to be decrypted momentarily in memory.

\medskip
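The storage design just described, as an added Go example (not code from the pcmt project): each row is sealed with AES-GCM from the standard library before it is written, an in-memory append-only digest log stands in for immudb, sha256 stands in for the BLAKE3 library the report plans to use, and a row read back is decrypted only after it matches its log entry, with the plaintext confined to a callback and zeroed afterwards. The \texttt{Store} type and its methods are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Store holds the append-only digest log (immudb's role); ciphertext rows live in
// the primary database (PostgreSQL's role). sha256 stands in for the planned BLAKE3.
type Store struct {
	aead    cipher.AEAD
	digests [][32]byte // only ever appended to, never rewritten
}

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return &Store{aead: aead}, nil
}

// Put seals one row at rest (nonce || AES-GCM ciphertext), logs its digest and returns the row and its log index.
func (s *Store) Put(plaintext []byte) ([]byte, int, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, 0, err
	}
	ct := s.aead.Seal(nonce, nonce, plaintext, nil)
	s.digests = append(s.digests, sha256.Sum256(ct))
	return ct, len(s.digests) - 1, nil
}

// Get decrypts a row only if it still matches its log entry; the plaintext lives solely inside use(), then is zeroed.
func (s *Store) Get(idx int, ct []byte, use func([]byte)) error {
	if idx < 0 || idx >= len(s.digests) || sha256.Sum256(ct) != s.digests[idx] {
		return errors.New("integrity check failed: row differs from append-only log")
	}
	ns := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return err
	}
	use(pt)
	copy(pt, make([]byte, len(pt))) // zero the transient plaintext copy
	return nil
}
```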
It's very likely that I will use the Go \textit{standard library} for the vast
majority of my coding needs (apart from my original code, of course), with the
exception of database connectors and hash algorithms (such as Argon2 or
BLAKE3), for which third-party libraries will most probably be utilised, and of
course the \textit{Kyoto} framework itself.

Background tasks within the application (such as periodic checks) will be
spawned using Go's native lightweight \textit{``threads''}, \textbf{Goroutines}.

\medskip
The development environment will be brought up with the help of
\href{https://builtwithnix.org/}{Nix} (specifically \textit{flakes}), which can
then equally be used in CI and production, although an alternative, containerised
approach (Kubernetes) will also be evaluated for production.
The two, however, are not at all contradictory; Nix, for example, could be used
to generate the container images (OCI) reproducibly (not just repeatably), in
exactly the same environment every single time.

\medskip
So far I have only created the project's
\href{https://git.dotya.ml/mirre-mt/pcmt}{home}; I have not written any code
though (as of \today).
\newpage
\section{Statement of the supervisor}