# A3 Secure Channels
**Deadline:** Monday, 10/05/20, 11:59 pm PT
*This assignment should be completed with a partner. You should submit one
solution to Gradescope*
For this assignment, you will implement some core pieces of a
secure instant-messaging application, as well as simulate a Dolev-Yao
attack against that application.
### Part 1: Implementation
Your task is to build a collection of four programs named Alice, Bob, Mallory,
and Gen:
* **Alice:** repeatedly prompts the user for a string then sends that string
over the network to the recipient.
* **Bob:** displays strings that are received from the sender.
* **Mallory:** the Dolev-Yao attacker. Mallory receives a message
as input from the network, displays the message, and prompts the user
whether to forward the message as is, to modify the message
before forwarding it, or to drop the message and not forward it. Mallory
can also store and replay old messages. The sophistication
of modification and replay that you implement is up to you, as
long as you are able to carry out the demo described below.
* **Gen:** generates public–private key pairs and stores them in files.
To help you get started, I've provided simple starter code that sends messages
over a TCP connection from Alice to Bob in both Python and Java.
### Requirements
**Requirement 1: Network communication.**
Alice, Bob, and Mallory communicate with one another over TCP.
The communication architecture is that Alice sends messages
to Mallory, who sends messages to Bob:
```
Alice ---> Mallory ---> Bob
```
Hostnames (or network addresses) and ports must not be hardcoded.
They could be specified as command-line arguments, or accepted
as program inputs.
The expected workflow is as follows:
1. Run Gen to generate key files, which are then manually distributed
to the filesystems from which Alice, Bob, and Mallory will run.
Alice receives her public and private keys as well as Bob's public
keys. Bob receives his public and private keys as well as Alice's
public keys. Mallory receives both Alice and Bob's public keys, but
not their private keys.
2. Start Bob.
3. Start Mallory, specifying Bob's address as the recipient.
4. Start Alice, specifying Mallory's address as the recipient.
5. Type strings into Alice, which are sent over the network to Mallory.
Use Mallory to read, modify, and/or delete messages. Messages
sent by Mallory to Bob should be displayed by Bob.
If Bob is able to detect Mallory's actions on messages, then a notification about
this action should be displayed.
**Requirement 2: Cryptography.**
At startup, the system should provide the ability to operate in each of
four configurations:
1. *No cryptography:* messages are not protected.
2. *Symmetric encryption only:* the confidentiality of messages is protected.
3. *MACs only:* the integrity of messages is protected.
4. *Symmetric encryption then MAC:* both the confidentiality and integrity of
messages is protected with Enc-then-MAC.
Once an instance of the system is started, the configuration need not be
changeable. The configuration must not be hardcoded.
It could be specified as a command-line argument, or accepted
as a program input.
Since Alice and Bob do not initially share any symmetric
keys, you need a key establishment protocol; use the protocol provided
in the appendix of this writeup.
Every message should be accompanied by a sequence number (aka message
number). The system should use these sequence numbers to resist replay
attacks, though the success of that countermeasure may depend upon the
configuration in use.
The system configuration should determine how Mallory interprets and
displays messages. We ask that you make Mallory's display easy for
the human grader to interpret. More specifically:
1. *No cryptography:* Mallory displays the same plaintext message that Alice sent.
This should be the same as the string entered at Alice—not (e.g.) some
human-unreadable byte array.
2. *Symmetric encryption only:* Mallory displays the ciphertext.
3. *MACs only:* Mallory displays both the plaintext message and the tag.
4. *Symmetric encryption then MAC:* Mallory displays both the ciphertext
and the tag.
**Requirement 3: Interface.**
Your program should run on the command line. It may take additional configuration
arguments as program input or command line arguments. The messages should be accepted
as program input.
**Implementation:**
Choose a programming language with which you are
comfortable and that has library support for the cryptographic and
networking functionality you will need. Java, C#, and Python are
good choices. Use library implementations of encryption schemes,
block cipher modes, MACs, digital signatures, and hash functions.
Do not use library implementations of higher-level protocols, such as SSL/TLS.
For details of the environment that we will run your code in, see the
Executable section.
**Underspecification:**
All further details are up to you. Make reasonable choices and be
prepared to defend them.
### Part 2: Attacks
Once you have have finished the implementation, execute the following series
of four attacks:
1. Show how Mallory can read the contents of a message that is sent with no cryptography.
2. Show how Mallory can read the contents of a message that is sent with MACs only.
3. Show how Mallory can undetectedly modify a message that is sent with no cryptography.
4. Show how Mallory can undetectedly modify a message that is sent with symmetric encryption only.
5. Show how Mallory can undetectedly replay an old message that is sent with
Enc-then-MAC
When you are done, write up instructions for executing these attacks in a file
named `attacks.txt`. If you believe that one of these attacks is not possible
because of how you designed implemented your system, explain why.
### Evaluation
To evaluate your system, I will run your code on the experiments below:
**Part 1**
* Run Gen to generate new key files.
* Start Bob, Mallory, and Alice in "no-cryptography" configuration.
* Send messages from Alice to Mallory to Bob.
* Use Mallory to delete a message.
* Use Mallory to modify a message.
**Part 2**
* Start Bob, Mallory, and Alice in "Enc-only" configuration.
* Send messages from Alice to Mallory to Bob.
* Use Mallory to modify a message as described in your `attacks.txt` file
**Part 3**
* Start Bob, Mallory, and Alice in "Mac-only" configuration.
* Send messages from Alice to Mallory to Bob.
* Use Mallory to replay an old message.
* Use Mallory to delete a message and pass the next message through.
* Use Mallory to modify a message.
**Part 4**
* Start Bob, Mallory, and Alice in "Enc-then-Mac" configuration.
* Send messages from Alice to Mallory to Bob.
* Use Mallory to modify a message.
* Use Mallory to replay a message as described in your `attacks.txt` file
### README.txt
Include a README file that contains:
1. Detailed setup. This should include a list of line-by line
instructions for installing any required dependencies needed to run your system
on the course VM or my Mac. (It should also be
clear which system your solution will run on!)
2. Detailed Usage. This should include a list of line-by line instructions for
compiling (if necessary) and running the executables to perform the experiments
listed above
### Overview document
Prepare an overview document. The document should contain:
1. Rationale: Explain the use of cryptography in your system.
The document should include protocol narrations to document the cryptographic
protocol used in each of your four configurations. The document should also
provide a justification for your choices of key lengths
and cryptographic algorithms.
2. Specification. This part of the assignment is deliberately underspecified.
Detail and justify your choices here.
3. External libraries. If you use any external libraries, list them here along
with what your code uses them for.
4. Known problems. Detail any known problems with your rationale,
specification,or implementation.
You may also include anything else that you see fit.
### Executable
Together with your source code, submit four standalone executable files
corresponding to Gen, Alice, Bob and Mallory. These executables should be able
to run offline purely on the command line using the instructions found in your
README file.
If you are intend to use a language other
than Java or Python, please discuss this with me before you begin
so that we can ensure that there are appropriate crytography libraries and
that it can be run on one of the approved systems.
### Feedback
In the interest of
improving future iterations of this course, please answer the following
questions and upload them in a file called ```feedback.txt```:
1. How long did you spend on this assignment? (Including time spent in class.)
2. Any other comments or feedback?
Submit a feedback file feedback.txt containing the answers to the
feedback questions.
### Evaluation
You will be evaluated on the quality of your submission based on the
experiments above, and on your README file and overview document (and whether
you submitted a feedback file). Note that
solutions that cannot be setup and run by copy-pasting from the list of
instructions in your README file will be viewed poorly. The quality
of your source code (documentation, style, etc.) will not explicitly be
evaluated.
# Submission
If you work with a partner, submit only one copy rather than submitting the same solution independently. Be sure that your README and overview document both clearly identify both partners, and be sure to tag your partner on Gradescope when you submit.
Submit a zip file containing the following:
* Your README file
* Your overview document.
* Your source code and executables. Include any external libraries
that you are using.
* Your attacks.txt file.
### Appendix: Key transport protocol
The following, known as ISO/IEC 11770-3 Key Transport Mechanism 2,
is a key transport protocol based on asymmetric cryptography.
It enables A to convey a fresh session key to B by sending a single message.
```
1. A -> B: B, tA, Enc(A,kAB; K_B), Sign(B, tA, Enc(A,kAB; K_B); k_A)
```
where
* A and B are identifiers for principals, which in this assignment may simply be strings
* tA is a timestamp sampled from A's local clock and verified by B against B's
local
clock to be *recent*, which in this assignment is defined as "within the last two minutes"
* Enc is an asymmetric encryption algorithm
* Sign is a digital signature algorithm
* kAB is a fresh session key generated by A
* K_B is B's public encryption key
* k_A is A's private signing key
Furthermore, Enc must be a non-malleable encryption scheme. *Hint: RSA with OAEP
padding is non-malleable.*