For the third lab practical section of the IT Security course, we implemented the concepts of authentication and cryptography that we had learned during lecture time. The lab section started with En. Mohd Zaki briefly explaining what we needed to do in the lab. Besides that, he reminded us of some important steps in the installation of Pretty Good Privacy (PGP). After that, we were required to perform the lab activities according to the lab sheets.
As usual, I used VMware Workstation to perform this lab activity. Before making any changes in the virtual machine, I took a snapshot so that the virtual machine could roll back to the saved state after the lab activity ended. In order to continue the lab activity, I had to ensure the file system was NTFS because data encryption cannot occur without NTFS. The first task that I performed was to verify data encryption. I created an Encryption folder with User2Folder inside. After that, I created a private text document inside User2Folder and changed the setting to encrypt the file. As a result, access was denied when I tried to access the private text document while logged in as another user. This proved that data encryption occurred.
For the second task, I changed the local password policy setting for length to at least 9 characters. After that, I tried to set a new password with fewer than 9 characters and it was not successful. A new password can only be set with at least 9 characters. For the third task, I changed the local password policy setting for complexity by enabling [Passwords must meet complexity requirements]. As a result, a new password must be at least 9 characters and must contain capitals, numerals or punctuation. A complex and long password is recommended to avoid being easily cracked.
For the fourth task, I learned to set an Account Lockout Policy, which contains three policies: Account Lockout Threshold, Reset Account Lockout Counter After and Account Lockout Duration. The Account Lockout Threshold policy specifies the number of failed login attempts allowed before the account is locked out. Reset Account Lockout Counter After defines a timeframe for counting the incorrect login attempts. Account Lockout Duration specifies a timeframe after which the account will automatically unlock and resume normal operation. In this lab activity, I set Account Lockout Threshold to 3, and Account Lockout Duration and Reset Account Lockout Counter After to 30 minutes. As a result, the account was locked out after I entered an incorrect password for the fourth time in a row. The account is either locked out for 30 minutes, or I log on as administrator to unlock the account. After performing this task, I understand that an Account Lockout Policy can help to delay a successful hack attempt or discourage the hacker from continuing to hack the account.
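How the three lockout settings described above interact can be seen in a small model. This is an added example, not part of the original lab sheet or post: the `Account` class, the sample password and the event lists are constructed, and the model assumes the account locks once the failure count reaches the threshold and that the counter window is measured from the last failed attempt.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    password: str
    threshold: int = 3        # Account Lockout Threshold (failed attempts)
    reset_after: float = 30   # Reset Account Lockout Counter After (minutes)
    duration: float = 30      # Account Lockout Duration (minutes)
    failures: int = 0
    last_failure: Optional[float] = None
    locked_at: Optional[float] = None

    def admin_unlock(self):
        """Administrator clears the lockout and the failure counter."""
        self.failures, self.last_failure, self.locked_at = 0, None, None

    def logon(self, attempt, now):
        """now = minutes since start. Returns 'ok', 'denied' or 'locked'."""
        if self.locked_at is not None:
            if now - self.locked_at < self.duration:
                return "locked"           # even the correct password is refused
            self.admin_unlock()           # duration elapsed: automatic unlock
        if (self.last_failure is not None
                and now - self.last_failure >= self.reset_after):
            self.failures = 0             # old failures fall outside the window
        if attempt == self.password:      # plain comparison, model only
            self.failures = 0
            return "ok"
        self.failures += 1
        self.last_failure = now
        if self.failures >= self.threshold:
            self.locked_at = now
        return "denied"

def replay(account, events):
    """Feed (minute, password) pairs to the account and collect the outcomes."""
    return [account.logon(pw, t) for t, pw in events]

CORRECT = "Str0ng-Passw0rd"               # constructed sample password
# Constructed events: three quick guesses, then the real password twice.
BURST = [(0, "a"), (1, "b"), (2, "c"), (3, CORRECT), (33, CORRECT)]
# Constructed events: the third guess arrives after the 30-minute window.
SPACED = [(0, "a"), (1, "b"), (40, "c"), (41, CORRECT)]

if __name__ == "__main__":
    print(replay(Account(CORRECT), BURST))
    print(replay(Account(CORRECT), SPACED))
```

The second run shows the trade-off in the counter window: guesses spaced further apart than Reset Account Lockout Counter After never reach the threshold, so the window bounds how slowly an attacker has to guess rather than stopping guessing outright.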