From 7cb1456ef4e95b233dbb2a7c03cc068634fe3d1e Mon Sep 17 00:00:00 2001 From: leo Date: Tue, 31 Jan 2023 22:14:39 +0100 Subject: [PATCH] tex: add solution.tex --- solution.tex | 195 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 195 insertions(+) diff --git a/solution.tex b/solution.tex index 8b13789..2758121 100644 --- a/solution.tex +++ b/solution.tex @@ -1 +1,196 @@ +\section{Overview} +\begin{table}[h] + \begin{center} + \begin{tabular}{l|l} + \textbf{Thesis title} & Password Compromise Monitoring Tool\\ + \textbf{Thesis title CZ} & Nástroj pro monitoring kompromitace hesel\\ + \textbf{Supervisor} & Ing. David Malaník, Ph.D.\\ + \end{tabular} + \caption{Overview} + \label{tab:overview} + \end{center} +\end{table} + +\subsection{Thesis guidelines} +\begin{enumerate} + \item Specifikujte požadavky na systém s ohledem na jeho zabezpečení. + \item Vyberte vhodné zdroje dat pro ověření kompromitace hesel. + \item Navrhněte systém pro online správu vlastní databáze kompromitovaných loginů. + \item Navržený systém implementujte v testovacím prostředí a ověřte jeho funkčnost. + \item Ověřte izolaci uživatelských účtů Vašeho systému. Popište bezpečnostní mechanismy, keré ji zajišťují. +\end{enumerate} + +\newpage +\section{Thesis outline} + +% set up list numbering with roman numerals. +\renewcommand{\labelenumi}{\arabic{enumi}.} +\renewcommand{\labelenumii}{\arabic{enumi}.\arabic{enumii}} +\renewcommand{\labelenumiii}{\arabic{enumi}.\arabic{enumii}.\arabic{enumiii}} + +\textbf{Introduction}\\ +\textbf{Theoretical part} +\begin{enumerate}[\itemsep=0em] + \item Purpose + + \item Terms introduction + + \item Cryptography primer + \begin{enumerate}[\itemsep=0em] + \item Hash functions + \begin{enumerate}[\itemsep=0em] + \item Uses and \textit{mis}uses + \item Threats to hashes + \end{enumerate} + \end{enumerate} + \begin{enumerate}[\itemsep=0em] + \item Encryption + \begin{enumerate}[\itemsep=0em] + \item The key exchange problem + \item The key protection problem + \end{enumerate} + \end{enumerate} + + \item Brief passwords history + \begin{enumerate}[\itemsep=0em] + \item Purpose over time + \item What is considered a password + \item Problems with passwords + \begin{enumerate}[\itemsep=0em] + \item Arbitrary length requirements (min/max) + \item Arbitrary complexity requirements + \item Restricting special characters + \end{enumerate} + \end{enumerate} + + \item Password strength validation + + \item Web security + \begin{enumerate}[\itemsep=0em] + \item Browsers + \item Cross-site scripting + \item Content Security Policy + \end{enumerate} + + \item Sandboxing + \begin{enumerate}[\itemsep=0em] + \item User isolation + \item Process isolation + \item Namespaced isolation + \end{enumerate} + + \item Data storage + \begin{enumerate}[\itemsep=0em] + \item Integrity + \item Authenticity + \item Confidentiality + \item Encryption-at-rest + \end{enumerate} + + \item Compromise checking and prevention + \begin{enumerate}[\itemsep=0em] + \item HIBP and similar tools + \item OWASP Top 10 for the implementers + \item Password best practices + \end{enumerate} +\end{enumerate} +\\ +\textbf{Practical part} + +\begin{enumerate}[\itemsep=0em] + \setcounter{enumi}{9} + + \item Toolchain + \begin{enumerate}[\itemsep=0em] + \item Development + \begin{enumerate}[\itemsep=0em] + \item A word about \href{https://builtwithnix.org/}{Nix} + \end{enumerate} + \item Production + \end{enumerate} + + \item Application architecture + \begin{enumerate}[\itemsep=0em] + \item Data integrity + \item Data authenticity + \item Data confidentiality + \item Connection security + \item User isolation + \end{enumerate} + + \item Implementation + \begin{enumerate}[\itemsep=0em] + \item Compromise checking + \begin{enumerate}[\itemsep=0em] + \item Have I Been Pwned? Integration + \item Local Dataset Plugin + \end{enumerate} + \item Best practices + \item Database configuration + \item Deployment recommendations + \end{enumerate} + + \item Validation + \begin{enumerate}[\itemsep=0em] + \item Unit tests + \item Integration tests + \item Click-ops + \end{enumerate} +\end{enumerate} +\textbf{Conclusion} + +\newpage +\section{Theoretical part status} +Chapters started include: 3.1.1, 4.3.3, 6, 6.1, 7.1, 7.2, 7.3, 8.\\ +Pages written in total amount to less than 5 (@\today).\\ +Given how much I've written so far. I have not cited any resources. + +\newpage +\section{Practical part status} +Chapters started include: 12.1, 12.2, 12.3., 12.4.\\ + +The application is going to a be monolithic (no microservices planned), +statically linked (ideally), self-contained \href{https://go.dev/}{Go} program +serving generated HTML using a combination of the SSR-first +\href{https://github.com/kyoto-framework/kyoto}{Kyoto} framework and Go's +native templating support. The exposed REST API will enable potentially +plugging in alternative clients (such as CLI or mobile ones) in the future. +The fitness of a GraphQL API is also going to be explored. + +Client-side JS might be added, should building a particular component of the +application be hardly feasible without it, although I'd love to get by without +it, if at all possible. + +On the backend the application is going to talk to a +\href{https://www.postgresql.org/}{PostgreSQL} database for raw data +and to \href{https://immudb.io/}{immudb} for verification of data integrity +(append only mode immudb-side). Data is going to be stored encrypted at rest +and is only going to be ever decrypted momentarily in memory. +\\ + +It's very likely that I will use the Go \textit{standard library} for the vast +majority of my coding needs (apart from my original code, of course), with the +exception of database connectors and hash algorithms (such as Argon2 or +Blake3), for which third-party libraries will most probably be utilised, and of +course the \textit{Kyoto} framework itself. + +Background tasks within the application (such as periodic checks) will be +spawned using Go's native lightweight \textit{"threads"} - \textbf{Goroutines}. +\\ + +Development environment will be brought up with the help of +\href{https://builtwithnix.org/}{Nix} (specifically \texit{flakes}), which can +then equally be used in CI and production, although alternative, containerised +approach will also be evaluated for production (Kubernetes). +The two, however, are not at all contradictory, Nix, for example, could be used +to generate the container images (OCI) reproducibly (not just repeatably) in +the exact same environment every single time. +\\ + +So far I have only created the project's +\href{https://git.dotya.ml/mirre-mt/pcmt}{home}, I have not written any code +though (as of \today). + +\newpage +\section{Statement of the supervisor}