Information Security

Homework: 0 1 2 3 4 5 6 7

Assignment 2: Key exchange and authentication

Logistics

Your solution should be a zip-file containing two things: your source code, and a report that describes what you did and why. The report should be an HTML file named index.html. (It may contain links to other files, if you include those files in your submission.)

You must work in a group on this assignment. You may not collaborate with anyone outside your group.

Introduction

When a client connects to the chat server, the two programs execute a key exchange and authentication protocol. The result of this protocol is a shared symmetric key, which is used to set up secure communications. Your task in this assignment is to design and implement a protocol for key exchange and authentication. This will fit together with the code you wrote in Assignment 1, to make a secure chat application.

You will implement your solution by modifying your solution to Assignment 1. Your group should choose one member's solution to Assignment 1, and the whole group should use that as a starting point for this assignment. Obviously, you'll want to pick a correct solution to Assignment 1, if you have one.

In your solution, the server should have a private key that it uses to prove its identity to the client. The client will have to have some method of knowing the server's public key. Exactly how this works is up to you.

The client should use a password to prove its identity to the server. Each client (user) should have his/her own password. There will have to be some mechanism for setting up passwords for new users. Exactly how this works is up to you.

It's up to you to figure out what algorithm you want to use, and to figure out how any keys will be represented and where they will be stored.

In addition to mutual authentication of the client and server, your solution should negotiate a shared secret value that the client and server can use to carry on encrypted communication. This shared secret should then be used in place of the lame InsecureSharedValue.getValue() method from Assignment 1.

You have a lot of latitude in choosing which method to use.

Threat Model

The adversary wins if:

he can learn the shared "secret" value that your protocol generates, or
he can impersonate the server, so that a client who connects to the adversary is tricked into believing that he is really connected to the real server, or
he can connect to the server and impersonate a client, so that the server is tricked into believing that the connection came from a legitimate client.

Your goal is to prevent him from doing these things.

You should make the following assumptions:

The adversary knows the server's public key.
The adversary can read and/or modify messages in transit.
The adversary can inject messages into any connection.
The adversary knows what algorithm you are using. He can read all of your source code, but he cannot observe the contents of any data files you are using.
The adversary can join the system as a client (as many times as he likes, using different names). When he joins, he can receive a password, connect to the system, and do everything else a legitimate client can do.

Note that your design need not recover from message tampering, message injection, or impersonation attempts. It is enough to detect that one of these events has occurred and then raise an alarm.

Your Report

Your report should describe your solution, and explain how and why it prevents the adversary from achieving its goal, under the assumptions given above. Your report should be concise but should be as convincing as you can make it. The quality of your report will be a very important component of your grade, so pay at least as much attention to your report as to your code.

Helpful Hints

Think carefully about how you will generate and manage the keys and passwords, and where they will be stored.

Watch out for man-in-the-middle attacks.

You may find it useful to try addressing the key exchange and authentication problems together, rather than solving them separately and then bolting together the two solutions.

If you need to implement public-key algorithms that involve exponentiation, the java.math.BigInteger class might be useful. (As before, you may not use any of the java.security or javax.crypto classes, or any other outside crypto libraries.)

If you want to implement the Diffie-Hellman algorithm, you can use the parameters (i.e. the values of g and p) in the file DHParams.java.

If you need to generate cryptographically unguessable random bits, you can use the RandomSeed.getArray() method.