Xiao Qin's Research

Auburn University

QoSec Project

A Middleware Approach to Teaching Computer Security (2009 - )



Project 5: A Secure Teller Terminal System


Goals:


Process – 30 points:

Create a text, doc, or .pdf file named “-2p” (for example, mine might read “xz10001-2p.txt”) and provide each of the following. Please submit a text file, a .doc file or .pdf file (if you want to use diagrams or pictures, use .doc or .pdf). Steps that you are responsible for in the process document are bolded. You are free to use tools like Visio to help you, but the final output needs to be .txt, .doc, or .pdf.


  1. The name and purpose of the classes
  2. The member variables and the functions of the class
  3. Show the interactions between classes (for example, ownership or dependency)
  4. Any relevant notes that don’t fit into the previous categories can be added

b. For the “Deposit Fund” feature (see sample usage 4.5), create a System Sequence Diagram. Make sure to include function names, data types, and ordering information. Feel free to add explanatory notes. To get extra help, check out the following links for some additional examples:

http://en.wikipedia.org/wiki/Sequence_diagram http://en.wikipedia.org/wiki/System_Sequence_Diagram




  1. For the system at large. In other words, describe inputs for “nominal” usage. You may need several scenarios. In addition, suggest scenarios for abnormal usage and show what your program should do (for example, entering a negative number for a menu might ask the user to try again).
  2. 2) For each object. (Later, these tests can be automated easily using a simple driver function in the object)






Program + Testing Results – 70 points:

Description :

Write a program called

<username>-2.cpp (for example, mine would read “xzq0001-2.cpp”).

Use comments to provide a heading at the top of your code containing your name, Auburn Userid, and filename. Please describe any help or sources that you used (as per the syllabus).

You will lose points if you: do not use the specific program file name, or do not have a comment block on EVERY program you hand in.



Background: Building a Secure Teller Terminal System

In this project, you will design and develop a secure teller terminal system for the Auburn branch of the Tiger Bank, which comprises multiple branches in the Alabama State. After the development of the secure teller terminal system, the system will be widely used in other branches of the Tiger Bank in Alabama. The Auburn branch manages a set of the Tiger bank's accounts, which contains a unique account number, a balance, as well as other important information. Once you complete this project, your terminal system at each Tiger Bank branch will be connected using insecure communications lines. If the Tiger Bank is satisfied with the teller terminal system developed by you, the Bank will sign another contract with you so that you can develop automated teller machines (ATMs) for the Tiger Bank.

In this project, you only will be focusing on the design and implementation of teller terminals for the Tiger Bank. A teller terminal system to be developed is a standard PC computer running Linux and handling local transactions. All human interaction with the teller terminal is through a keyboard. Other specialized input devices like smart-card readers are not considered a cost-effective option for our project.

Staffs at the Auburn bank branch access account information and customer data through the teller terminal system to be developed by you. In this project, let us refer to this information as client data. Client data must be carefully controlled in order to improve the security of the teller terminal system. Whether a given Auburn branch employee is permitted to access any particular piece of client data depends on the employee's job level.

In this prototype system, there are two types of users in the system - system administrators and branch staffs. Any system administrator can add new branch staffs to access the system or delete existing staffs from the system (see sample usage 2.1, 2.2, and 2.3). Branch staff identifiers used in this system are called user name.

Your teller terminal system must authenticate each access request to the system. You will implement a mechanism to authenticate requests made at the teller terminal.

A teller terminal is either in the inactive state or the active state. In what follows, we summarize the behaviors of the teller terminal in these two states.




For branch staffs, an active teller displays a “Branch Staff” main menu that invites a branch staff to manage client and account information or change user password (see sample usage 3.2).



Design and Implementation Requirements



1. System Login (see sample usage 1 and 2)

The teller terminal displays a login menu (see Sample Usage 1. Login). It invites a branch employee to enter a userid and password. If the user name and password are valid, then the teller terminal system is placed in the active state and a session with the teller terminal is started.

There are two types of users in the system: system administrators and branch staffs. Administrators can manage staff information. Both Administrators and staffs can manage client and account information. After login to the Teller Terminal System as an administrator, the system administrator can choose the fist item - “Client and Account Management” - from the system administration menu (see Sample Usage 1). Compared with system administrators, branch staffs can easily start managing clients and transactions. In other words, a branch staff needs to login to the Teller Terminal System to manage clients and transactions (see Sample Usage 4)

1.1 Login as a system administrator (see sample usage 1)
A system administrator can either (i) to manage client and account information, (ii) add/delete/display users (branch staff employees), or (iii) to change his/her password. When a system administrator login to the system, the administrator can choose to do the following:



1.2 Default system administrator and password (see sample usage 1)
When the system is running for the first time, there is only a default system administrator – named “admin” - in the system. The default password of the default administrator is initially chosen to be 0000. Of course, this password can be changed later. Initially (i.e., before the first run), there is no system administrators and branch staffs except the default administrator. Thus, only admin can use 0000 as the password to access the system


1.3 Login as a branch staff employee (see sample usage 3.2)
When a branch staff employee login to the teller terminal, the staff can perform the following two tasks:



1.4 Change password (see sample usage 2.4)
Regardless of administrators or staffs, the user is first authenticated using his/her current password. Then, the password is updated. A changed password is valid only if (i) it is not equal to the old password and (ii) it is a non-empty password.

1.5 Masking passwords (see sample usage 1)
A sample source code for masking passwords can be downloaded from the following link:
http://www.eng.auburn.edu/~xqin/courses/comp2710/passwordc.cpp
After modify this sample C++ code, you can integrate this code into your teller terminal system.

2. System administration management
2.1 Add branch staffs to the system: (see sample usage 2.1)
A system administrator can add new user (branch staff employee) to the teller terminal system. When a new user is added into the teller system by the system administrator, user name and password of the new staff employee must be initialized. Empty values of the use name and password are not acceptable.

2.2 Display branch staffs: (see sample usage 2.2)
User names and roles of all the branch staff employees including administrators are displayed. Before display a list of staffs, the total number of staffs must be displayed. You can simply follow the format below:

There are 3 users in the system.
1. User Name: admin Role: System Administrator
2. User Name: abc0002 Role: System Administrator
3. User Name: acm0008 Role: Branch Staff
Press any key to continue...


2.3 Delete a branch staff: (see sample usage 2.3)
To delete a branch staff employee from the teller terminal system, a system administrator must login to the system and use the system administration menu. The system administrator must use a user name to identify which staff should be deleted. After the administrator enters the staff’s user name, the administrator needs to confirm this delete action. Sample user interface is given below:

Delete a user - User Name: abc0005
1) Confirm
2) Cancel
Please choose an option: 1


The system will first search the list of staffs for the staff to be deleted. If the staff’s information is not in the system, a warning message (see the sample warning message below) will pop up.

Warning - User acm0006 is not in the system. No user is deleted!


3. Client and Account Management
3.1 Add a client (see sample usage 4.2)
If “Add a client” is selected, new client's name, address, social security number, employer, and annual income must be entered. For simplicity, we assume that client names are unique, meaning that we can use client names as client identifiers.

3.2 Add an account (see sample usage 4.3)
If “Add an account” is selected, client's name must be entered first. If the client is not found in the system, an error message will pop up. If the client is in the system, then the branch staff has to enter account number, account type, and account balance.

3.3 Edit client information (see sample usage 4.4)
If “Edit Client Information” is selected, client's name must be entered. If the client is not found in the system, an error message will pop up. If the client is in the system, then the branch staff can edit the client’s information, including address, social security number, employer, and annual income. Before updating the client’s information, existing client information is displayed. If the branch staff selects “Confirm”, the client information can be updated. Note: In this prototype, clients can not be deleted. We also assume that client names should not be changed, because we use client names IDs.

3.4 Manage an account (see sample usage 4.5)
If “Manage an account” is selected, an account number will be entered. If the account does not exist in the system, an error message will pop up. The format of the error message is given below:

Error – Account <Account_Number> is not in the system!

After the account is chosen, the staff can either deposit or withdraw funds by choosing a menu option. Thus, if the account exists in the system, the following menu will appear:

Manage account <Account_Number> for <Client Name> ...
1) Deposit
2) Withdraw
3) Cancel

3.5 Save client and account information (see sample usage 4.6)
If “Save Client and Account Information” is selected, then the Teller Terminal System writes all current accounts to a file called “account-info” and writes all client information to a file called “client-info”. Each time the teller terminal is started, the “account-info” and “client-info” files containing the account and client information are loaded and initialized. For simplicity, the names of the two files are pre-specified. Branch staff employees are not authorized to change the file names.

4. Press any key to continue... (see all the sample-usage cases where it is applicable)
The pause command in the teller terminal requests the user to "Press any key to continue…" A sample source code of the implementation for the pause command can be downloaded from the following link:
http://www.eng.auburn.edu/~xqin/courses/comp2710/continue.cpp
After modify this sample C++ code, you can integrate this pause commend into your teller terminal system.

5. System Quit
This should safely terminate the system. Information of a list of system administrators and branch staffs (i.e., user names, passwords, roles) must be saved to a file called “staff”

6. Suggested Classes
You will use classes in this assignment. You will identify which classes to use in your design. One obvious basic class will be Password, Staff, Administrator, Client, Account, and Menu. Administrator is a class derived from the Staff class.
Your underlying data structure for lists of branch staff employees, clients, and accounts will be standard Vectors (no arrays). Thus, good classes to be considered include EmployeeVector; ClientVector, and AccountVector.

You are free to implement more classes as you see fit, but a functional decomposition will not be sufficient to meet the basic requirements described in this section.

7. Operator Overloading
You must at a minimum overload the comparison operator “= =” in the Password class to help you to compare the new password with old password.

8. Reuse well-written classes
You are welcome to reuse well-written classes from earlier COMP 2710 projects (but indicate where they came from).

9. No Global variables
You may not use global variables or global functions – all your data/operations must be contained within your objects.

10. Usability concerns and error-checking
Your program's output does not necessarily need to match the style of the sample output, but the contents should be understandable and no functionality should be lost. You should appropriately prompt your user and assume that they only have basic knowledge of the system.

You should provide enough error-checking that a moderately informed user will not crash your program. This should be discovered through your unit-testing of functions.

11. Comments
Follow the comment standard posted on the web or some alternate, approved standard.



Submission:
Please submit your program through the Blackboard system (e-mail submission will not be accepted).

You should upload three files:

<username>2.cpp <username>2p.txt or <username>2p.pdf or <username>2p.doc <username>2p-original.txt or <username>2p-original.pdf or <username>2p-original.doc



Hints:



Sample Usage:

1. Login as system administrator
===========================================================
| Welcome to the Auburn Branch of the Tiger Bank! |
===========================================================

1) Login
2) Quit
Please choose an option: 1

===========================================================
| Login to Access the Teller Terminal System |
===========================================================

User Name: admin
Password: **** (incorrect password)
The user name or password is incorrect. Try again!
User Name: admin
Password: **** (correct password)

===========================================================
| Teller Terminal System – System Administration |
===========================================================

1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit
Please choose an option:



2. System administration management
2.1 Add branch staffs to the system:



===========================================================
| Teller Terminal System – System Administration |
===========================================================

1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit

Please choose an option: 2
User Name: abc0002
Password: ****

===========================================================
| Teller Terminal System – System Administration |
===========================================================

1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit

Please choose an option: 2
User Name: acm0008
Password: *****

Role (1 – Administrator; 2 – Branch Staff): 1
1) Confirm
2) Cancel

Please choose an option: 1
A new branch staff is added!
User Name: xzq0001 Role: System Administrator
Press any key to continue... Enter


2.2 Display branch staffs:


===========================================================
| Teller Terminal System – System Administration |
===========================================================

1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit

Please choose an option: 4
There are 3 users in the system.
1. User Name: admin Role: System Administrator
2. User Name: abc0002 Role: System Administrator
3. User Name: acm0008 Role: Branch Staff
Press any key to continue... Enter

2.3 Delete a branch staff:

===========================================================
| Teller Terminal System – System Administration |
===========================================================

1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit
Please choose an option: 3
Delete a user - User Name: abc0005
3) Confirm
4) Cancel
Please choose an option: 1
Warning - User acm0006 is not in the system. No user is deleted!
Press any key to continue... Enter

===========================================================
| Teller Terminal System – System Administration |
===========================================================
1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit
Please choose an option: 3 Delete a user - User Name: abc0002 1) Confirm
2) Cancel
Please choose an option: 1
User abc0002 was deleted!
Press any key to continue... Enter

===========================================================
| Teller Terminal System – System Administration |
===========================================================

1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit
Please choose an option: 4
There are 2 users in the system.
1. User Name: admin Role: System Administrator
2. User Name: acm0008 Role: Branch Staff
Press any key to continue... Enter


2.4 Change password:



===========================================================
| Teller Terminal System – System Administration |
===========================================================

1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit
Please choose an option: 5
New Password: ****
Error - Your new password must be different from the old one!
New Password: ******
Password was changed!
Press any key to continue... Enter

===========================================================
| Teller Terminal System – System Administration |
===========================================================

1) Client and Account Management
2) Add a branch staff
3) Delete a branch staff
4) Display branch staffs
5) Change password
6) Exit
Please choose an option: 6


3. Branch staff – Login and Change password
3.1 Login as a branch staff:


===========================================================
| Login to Access the Teller Terminal System |
===========================================================

User Name: acm0008
Password: *****


3.2 Change the branch staff’s password (see also sample usage 2.4):


===========================================================
| Teller Terminal System – Branch Staff |
===========================================================

1) Client and Account Management
2) Change password
3) Exit
Please choose an option: 2
New Password: ***
Password was changed!
Press any key to continue... Enter


4. Client and Account Management
4.1 Start the management of clients and transactions:


===========================================================
| Teller Terminal System – Branch Staff |
===========================================================

1) Client and Account Management
2) Change password
3) Exit
Please choose an option: 1


4.2 Add a client:


=============================================================
| Teller Terminal System – Client and Account Management |
=============================================================

1) Add a client
2) Add an account
3) Edit Client Information
4) Manage an account
5) Save Client and Account Information
6) Exit
Please choose an option: 1
A new client will be added:
Client name: Bob Smith
Address: 3101 Shelby Center, Auburn, AL
Social security number: 123-45-6789
Employer: Auburn University
Annual income: 56000
A new client was added!
Press any key to continue... Enter


4.3 Add an account:

=============================================================
| Teller Terminal System – Client and Account Management |
=============================================================

1) Add a client
2) Add an account
3) Edit Client Information
4) Manage an account
5) Save Client and Account Information
6) Exit
Please choose an option: 2
Choose a client: Alice Smith
Error – The client is not in the system!
Choose a client: Bob Smith
A new account will be created for Bob Smith ...
Account Number: 12345
Account Type: Checking
Balance: 500
A new account was created for Bob Smith!
Press any key to continue... Enter


4.4 Edit client information:


=============================================================
| Teller Terminal System – Client and Account Management |
=============================================================

1) Add a client
2) Add an account
3) Edit Client Information
4) Manage an account
5) Save Client and Account Information
6) Exit
Please choose an option: 3
Choose a client: Bob Smith
Display Bob Smith’s information:
Address: 3101 Shelby Center, Auburn, AL
Social security number: 123-45-6789
Employer: Auburn University Annual income: 56000 Client Bob Smith’s information will be updated ...
1) Confirm
2) Cancel
Please choose an option: 1
Address: Shelby Ctr, Auburn, AL
Social security number: 123-45-6789
Employer: Auburn University
Annual income: 70000
Client Bob Smith’s information was updated!
Press any key to continue... Enter

4.5 Manage an account:


=============================================================
| Teller Terminal System – Client and Account Management |
=============================================================

1) Add a client
2) Add an account
3) Edit Client Information
4) Manage an account
5) Save Client and Account Information
6) Exit
Please choose an option: 4
Which account will be managed? 12000
Error – Account 12000 is not in the system!
1) Manage an account
2) Cancel
Please choose an option: 1 Which account will be managed? 12345
Manage account 12345 for Bob Smith ...
4) Deposit
5) Withdraw
6) Cancel
Please choose an option: 1
Deposit Amount: 10
Balance of account 12345 is: 510
1) Deposit
2) Withdraw
3) Cancel
Please choose an option: 2
Withdraw Amount: 100
Balance of account 12345 is: 410
1) Deposit
2) Withdraw
3) Cancel
Please choose an option: 3

4.6 Save client and account information:

=============================================================
| Teller Terminal System – Client and Account Management |
=============================================================

1) Add a client
2) Add an account
3) Edit Client Information
4) Manage an account
5) Save Client and Account Information
6) Exit
Please choose an option: 5
Client information has been saved in the client-info file; account information has been saved in the account-info file!
Press any key to continue... Enter