Assignment 2: Key exchange and authentication

Credits

Edward W. Felten, http://www.cs.princeton.edu/

Logistics

Your solution should be a zip-file containing two things: your source code, and a report that describes what you did and why. The report should be an HTML file named index.html. (It may contain links to other files, if you include those files in your submission.)

For this assignment, you must work in the same group that you worked in for assignment 1. You may not collaborate with anyone outside your group.

Introduction

You will implement your solution by modifying your solution to Assignment 1.

In your solution, the server should have a private key that it uses to prove its identity to the client. The client will have to have some method of knowing the server's public key. Exactly how this works is up to you.

The client should use a password to prove its identity to the server. Each client (user) should have his/her own password. There will have to be some mechanism for setting up passwords for new users. Exactly how this works is up to you.

It's up to you to figure out what algorithm you want to use, and to figure out how any keys will be represented and where they will be stored.

In addition to mutual authentication of the client and server, your solution should negotiate a shared secret value that the client and server can use to carry on encrypted communication. This shared secret should then be used in place of the lame InsecureSharedValue.getValue() method from Assignment 1.

You have a lot of latitude in choosing which method to use.

Threat Model

• he can learn the shared "secret" value that your protocol generates, or
• he can impersonate the server, so that a client who connects to the adversary is tricked into believing that he is really connected to the real server, or
• he can connect to the server and impersonate a client, so that the server is tricked into believing that the connection came from a legitimate client.

You should make the following assumptions:

• The adversary knows the server's public key.
• The adversary can read and/or modify messages in transit.
• The adversary can inject messages into any connection.
• The adversary knows what algorithm you are using. He can read all of your source code, but he cannot observe the contents of any data files you are using.
• The adversary can join the system as a client (as many times as he likes, using different names). When he joins, he can receive a password, connect to the system, and do everything else a legitimate client can do.

Note that your design need not recover from message tampering, message injection, or impersonation attempts. It is enough to detect that one of these events has occurred and then raise an alarm.

Your Report

Helpful Hints

Think carefully about how you will generate and manage the keys and passwords, and where they will be stored.

Watch out for man-in-the-middle attacks.

You may find it useful to try addressing the key exchange and authentication problems together, rather than solving them separately and then bolting together the two solutions.

If you need to implement public-key algorithms that involve exponentiation, the java.math.BigInteger class might be useful. (As before, you may not use any of the java.security or javax.crypto classes, or any other outside crypto libraries.)

If you want to implement the Diffie-Hellman algorithm, you can use the parameters (i.e. the values of g and p) in the file DHParams.java.

If you need to generate cryptographically unguessable random bits, you can use the RandomSeed.getArray() method.

Slides

- Presentation pdf