CS 181S: A3

# A3 Secure Channels **Deadline:** Monday, 10/05/20, 11:59 pm PT *This assignment should be completed with a partner. You should submit one solution to Gradescope* For this assignment, you will implement some core pieces of a secure instant-messaging application, as well as simulate a Dolev-Yao attack against that application. ### Part 1: Implementation Your task is to build a collection of four programs named Alice, Bob, Mallory, and Gen: * **Alice:** repeatedly prompts the user for a string then sends that string over the network to the recipient. * **Bob:** displays strings that are received from the sender. * **Mallory:** the Dolev-Yao attacker. Mallory receives a message as input from the network, displays the message, and prompts the user whether to forward the message as is, to modify the message before forwarding it, or to drop the message and not forward it. Mallory can also store and replay old messages. The sophistication of modification and replay that you implement is up to you, as long as you are able to carry out the demo described below. * **Gen:** generates public–private key pairs and stores them in files. To help you get started, I've provided simple starter code that sends messages over a TCP connection from Alice to Bob in both Python and Java. ### Requirements **Requirement 1: Network communication.** Alice, Bob, and Mallory communicate with one another over TCP. The communication architecture is that Alice sends messages to Mallory, who sends messages to Bob: ``` Alice ---> Mallory ---> Bob ``` Hostnames (or network addresses) and ports must not be hardcoded. They could be specified as command-line arguments, or accepted as program inputs. The expected workflow is as follows: 1. Run Gen to generate key files, which are then manually distributed to the filesystems from which Alice, Bob, and Mallory will run. Alice receives her public and private keys as well as Bob's public keys. Bob receives his public and private keys as well as Alice's public keys. Mallory receives both Alice and Bob's public keys, but not their private keys. 2. Start Bob. 3. Start Mallory, specifying Bob's address as the recipient. 4. Start Alice, specifying Mallory's address as the recipient. 5. Type strings into Alice, which are sent over the network to Mallory. Use Mallory to read, modify, and/or delete messages. Messages sent by Mallory to Bob should be displayed by Bob. If Bob is able to detect Mallory's actions on messages, then a notification about this action should be displayed. **Requirement 2: Cryptography.** At startup, the system should provide the ability to operate in each of four configurations: 1. *No cryptography:* messages are not protected. 2. *Symmetric encryption only:* the confidentiality of messages is protected. 3. *MACs only:* the integrity of messages is protected. 4. *Symmetric encryption then MAC:* both the confidentiality and integrity of messages is protected with Enc-then-MAC. Once an instance of the system is started, the configuration need not be changeable. The configuration must not be hardcoded. It could be specified as a command-line argument, or accepted as a program input. Since Alice and Bob do not initially share any symmetric keys, you need a key establishment protocol; use the protocol provided in the appendix of this writeup. Every message should be accompanied by a sequence number (aka message number). The system should use these sequence numbers to resist replay attacks, though the success of that countermeasure may depend upon the configuration in use. The system configuration should determine how Mallory interprets and displays messages. We ask that you make Mallory's display easy for the human grader to interpret. More specifically: 1. *No cryptography:* Mallory displays the same plaintext message that Alice sent. This should be the same as the string entered at Alice—not (e.g.) some human-unreadable byte array. 2. *Symmetric encryption only:* Mallory displays the ciphertext. 3. *MACs only:* Mallory displays both the plaintext message and the tag. 4. *Symmetric encryption then MAC:* Mallory displays both the ciphertext and the tag. **Requirement 3: Interface.** Your program should run on the command line. It may take additional configuration arguments as program input or command line arguments. The messages should be accepted as program input. **Implementation:** Choose a programming language with which you are comfortable and that has library support for the cryptographic and networking functionality you will need. Java, C#, and Python are good choices. Use library implementations of encryption schemes, block cipher modes, MACs, digital signatures, and hash functions. Do not use library implementations of higher-level protocols, such as SSL/TLS. For details of the environment that we will run your code in, see the Executable section. **Underspecification:** All further details are up to you. Make reasonable choices and be prepared to defend them. ### Part 2: Attacks Once you have have finished the implementation, execute the following series of four attacks: 1. Show how Mallory can read the contents of a message that is sent with no cryptography. 2. Show how Mallory can read the contents of a message that is sent with MACs only. 3. Show how Mallory can undetectedly modify a message that is sent with no cryptography. 4. Show how Mallory can undetectedly modify a message that is sent with symmetric encryption only. 5. Show how Mallory can undetectedly replay an old message that is sent with Enc-then-MAC When you are done, write up instructions for executing these attacks in a file named `attacks.txt`. If you believe that one of these attacks is not possible because of how you designed implemented your system, explain why. ### Evaluation To evaluate your system, I will run your code on the experiments below: **Part 1** * Run Gen to generate new key files. * Start Bob, Mallory, and Alice in "no-cryptography" configuration. * Send messages from Alice to Mallory to Bob. * Use Mallory to delete a message. * Use Mallory to modify a message. **Part 2** * Start Bob, Mallory, and Alice in "Enc-only" configuration. * Send messages from Alice to Mallory to Bob. * Use Mallory to modify a message as described in your `attacks.txt` file **Part 3** * Start Bob, Mallory, and Alice in "Mac-only" configuration. * Send messages from Alice to Mallory to Bob. * Use Mallory to replay an old message. * Use Mallory to delete a message and pass the next message through. * Use Mallory to modify a message. **Part 4** * Start Bob, Mallory, and Alice in "Enc-then-Mac" configuration. * Send messages from Alice to Mallory to Bob. * Use Mallory to modify a message. * Use Mallory to replay a message as described in your `attacks.txt` file ### README.txt Include a README file that contains: 1. Detailed setup. This should include a list of line-by line instructions for installing any required dependencies needed to run your system on the course VM or my Mac. (It should also be clear which system your solution will run on!) 2. Detailed Usage. This should include a list of line-by line instructions for compiling (if necessary) and running the executables to perform the experiments listed above ### Overview document Prepare an overview document. The document should contain: 1. Rationale: Explain the use of cryptography in your system. The document should include protocol narrations to document the cryptographic protocol used in each of your four configurations. The document should also provide a justification for your choices of key lengths and cryptographic algorithms. 2. Specification. This part of the assignment is deliberately underspecified. Detail and justify your choices here. 3. External libraries. If you use any external libraries, list them here along with what your code uses them for. 4. Known problems. Detail any known problems with your rationale, specification,or implementation. You may also include anything else that you see fit. ### Executable Together with your source code, submit four standalone executable files corresponding to Gen, Alice, Bob and Mallory. These executables should be able to run offline purely on the command line using the instructions found in your README file. If you are intend to use a language other than Java or Python, please discuss this with me before you begin so that we can ensure that there are appropriate crytography libraries and that it can be run on one of the approved systems. ### Feedback In the interest of improving future iterations of this course, please answer the following questions and upload them in a file called ```feedback.txt```: 1. How long did you spend on this assignment? (Including time spent in class.) 2. Any other comments or feedback? Submit a feedback file feedback.txt containing the answers to the feedback questions. ### Evaluation You will be evaluated on the quality of your submission based on the experiments above, and on your README file and overview document (and whether you submitted a feedback file). Note that solutions that cannot be setup and run by copy-pasting from the list of instructions in your README file will be viewed poorly. The quality of your source code (documentation, style, etc.) will not explicitly be evaluated. # Submission If you work with a partner, submit only one copy rather than submitting the same solution independently. Be sure that your README and overview document both clearly identify both partners, and be sure to tag your partner on Gradescope when you submit. Submit a zip file containing the following: * Your README file * Your overview document. * Your source code and executables. Include any external libraries that you are using. * Your attacks.txt file. ### Appendix: Key transport protocol The following, known as ISO/IEC 11770-3 Key Transport Mechanism 2, is a key transport protocol based on asymmetric cryptography. It enables A to convey a fresh session key to B by sending a single message. ``` 1. A -> B: B, tA, Enc(A,kAB; K_B), Sign(B, tA, Enc(A,kAB; K_B); k_A) ``` where * A and B are identifiers for principals, which in this assignment may simply be strings * tA is a timestamp sampled from A's local clock and verified by B against B's local clock to be *recent*, which in this assignment is defined as "within the last two minutes" * Enc is an asymmetric encryption algorithm * Sign is a digital signature algorithm * kAB is a fresh session key generated by A * K_B is B's public encryption key * k_A is A's private signing key Furthermore, Enc must be a non-malleable encryption scheme. *Hint: RSA with OAEP padding is non-malleable.*