<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang=""> <head> <meta charset="utf-8" /> <meta name="generator" content="pandoc" /> <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" /> <meta name="author" content="" /> <title>Computer Security Project: Secure(?) Chat</title> <style> code{white-space: pre-wrap;} span.smallcaps{font-variant: small-caps;} span.underline{text-decoration: underline;} div.column{display: inline-block; vertical-align: top; width: 50%;} div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;} ul.task-list{list-style: none;} pre > code.sourceCode { white-space: pre; position: relative; } pre > code.sourceCode > span { display: inline-block; line-height: 1.25; } pre > code.sourceCode > span:empty { height: 1.2em; } code.sourceCode > span { color: inherit; text-decoration: inherit; } div.sourceCode { margin: 1em 0; } pre.sourceCode { margin: 0; } @media screen { div.sourceCode { overflow: auto; } } @media print { pre > code.sourceCode { white-space: pre-wrap; } pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; } } pre.numberSource code { counter-reset: source-line 0; } pre.numberSource code > span { position: relative; left: -4em; counter-increment: source-line; } pre.numberSource code > span > a:first-child::before { content: counter(source-line); position: relative; left: -1em; text-align: right; vertical-align: baseline; border: none; display: inline-block; -webkit-touch-callout: none; -webkit-user-select: none; -khtml-user-select: none; -moz-user-select: none; -ms-user-select: none; user-select: none; padding: 0 4px; width: 4em; color: #aaaaaa; } pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; } div.sourceCode { } @media screen { pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; } } code span.al { color: #ff0000; font-weight: bold; } /* Alert */ code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */ code span.at { color: #7d9029; } /* Attribute */ code span.bn { color: #40a070; } /* BaseN */ code span.bu { } /* BuiltIn */ code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */ code span.ch { color: #4070a0; } /* Char */ code span.cn { color: #880000; } /* Constant */ code span.co { color: #60a0b0; font-style: italic; } /* Comment */ code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */ code span.do { color: #ba2121; font-style: italic; } /* Documentation */ code span.dt { color: #902000; } /* DataType */ code span.dv { color: #40a070; } /* DecVal */ code span.er { color: #ff0000; font-weight: bold; } /* Error */ code span.ex { } /* Extension */ code span.fl { color: #40a070; } /* Float */ code span.fu { color: #06287e; } /* Function */ code span.im { } /* Import */ code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */ code span.kw { color: #007020; font-weight: bold; } /* Keyword */ code span.op { color: #666666; } /* Operator */ code span.ot { color: #007020; } /* Other */ code span.pp { color: #bc7a00; } /* Preprocessor */ code span.sc { color: #4070a0; } /* SpecialChar */ code span.ss { color: #bb6688; } /* SpecialString */ code span.st { color: #4070a0; } /* String */ code span.va { color: #19177c; } /* Variable */ code span.vs { color: #4070a0; } /* VerbatimString */ code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */ .display.math{display: block; text-align: center; margin: 0.5rem auto;} </style> <!--[if lt IE 9]> <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script> <![endif]--> <style type="text/css"> body { font-family:Gill Sans MT; color:#657b83; background-color:#fdf6e3; max-width:500pt; padding-left:25pt; padding-right:25pt; padding-bottom:20pt; margin:0 auto 0 auto; text-align:justify; } a:link {color:#6c71c4;} a:visited {color:#859900;} a:hover {color:#268bd2;} a:active {color:#d33682;} h1{} h2{border-style:solid; text-align:center; } h3 { margin-bottom:2pt; /*color:#268bd2;*/ font-weight:bold; } strong { color:#d33682; font-weight:bolder; } em { color:#268bd2; font-style:italic; font-weight:bolder; } code { background-color:#eee8d5; color:#586e75; } table.sourceCode { background-color:#eee8d5; color:#586e75; } pre.sourceCode { background-color:#eee8d5; color:#586e75; } .math { /*background-color:#eee8d5;*/ color:#586e75; font-family:Times New Roman; } /*use a contextual style to undo the blue-ness:*/ .math em { color:#586e75; font-weight:normal; } .descrip { max-width:500pt; padding-left:25pt; text-align:justify; } .descripbig { max-width:575pt; padding-left:0pt; text-align:justify; } .emph { color:#d33682; font-weight:bolder; } .litem { color:#268bd2; font-style:italic; font-weight:bolder; } .hl { color:#268bd2; font-style:italic; } .required { color:#268bd2; font-style:italic; font-weight:bold; } .inputbox { background-color:#eee8d5; color:#586e75; font-family:Gill Sans MT; font-weight:bolder; } </style> </head> <body> <header id="title-block-header"> <h1 class="title">Computer Security Project: Secure(?) Chat</h1> <p class="author"></p> </header> <h2 id="due-monday-decmeber-4th-1159pm"><em>Due:</em> Monday, Decmeber 4th @ 11:59pm</h2> <h2 id="synopsis">Synopsis</h2> <p>Write a chat program in C that provides:</p> <ul> <li>Authentication of correspondents</li> <li>Message secrecy (encryption)</li> <li>Message integrity (MACs)</li> </ul> <p>Given that this program processes formatted input from a network, you should naturally focus on software security as well.</p> <h3 id="goals-for-the-student">Goals for the student</h3> <ul> <li>Gain familiarity using cryptographic libraries (<code>openssl</code>).</li> <li>Experience in protocol design.</li> <li>Understanding various issues in network programming.</li> <li>How to avoid common software security issues.</li> </ul> <h2 id="important-notes">Important Notes</h2> <p>If you’d like, feel free to collaborate in small groups (<span class="math inline"> ≤ 3</span> members). If you do collaborate in a group, please <strong>use git</strong>. This ought to help you organize, but it will also be useful for me to make sure everyone was contributing to the project. If you have not collaborated with git much, I have some maybe helpful notes <a href="http://www-cs.ccny.cuny.edu/~wes/CSC103/scm.html#collaborate">here</a>.</p> <h2 id="details">Details</h2> <p>I’ve given you a skeleton which does very basic chat stuff: Depending on the invocation, it will listen for connections, or make one with another host. Beyond that, it just sends and receives text, displaying each message in a log window. It will be up to you to:</p> <ul> <li>Write some sort of handshake protocol to setup ephemeral keys (your protocol should have <a href="https://en.wikipedia.org/wiki/Forward_secrecy">perfect forward secrecy</a>!).</li> <li>Mutual authentication, using public key cryptography.</li> <li>After authentication, each message should be encrypted and tagged with a message authentication code. You may also want to take measures to prevent replay attacks.</li> </ul> <p>I think <a href="https://en.wikipedia.org/wiki/Ssh">SSH</a> will be a good model on which to base your protocol. In particular, don’t use PKI (public-key infrastructure, with certificates and such), and instead assume that communicating parties have already exchanged public keys. However, implementing deniable authentication would be a nice touch (and is something SSH does not provide). If you want to use 3DH, you can find an example in <code>dh-example.c</code>.</p> <h3 id="compiling-the-skeleton">Compiling the skeleton</h3> <p>You will need:</p> <ul> <li><a href="https://en.wikipedia.org/wiki/Gtk">gtk3</a> and the header files. If you are on linux/BSD, you might have to get a package like <code>gtk+3-devel</code> or similar, although some distributions (e.g. Arch Linux) will include header files in the normal package (no <code>-devel</code> needed).</li> <li><a href="http://www.openssl.org/">openssl</a> and headers (<code>openssl-devel</code>).</li> <li><a href="http://gmplib.org/">gmp</a> and its header files (<code>gmp-devel</code>).</li> </ul> <p>Running <code>make</code> should just work on most linux or BSD systems if you have all the above installed, but let me know. I’m confident you could also get this working just fine on a mac via <a href="https://brew.sh/">homebrew</a>. You should be able to get it working on Windows as well, but it might be easier to just do it in a virtual machine. If you do get it working natively on Windows, I’d be interested, so please let me know what steps were needed.</p> <p>Once you do have the skeleton compiled, you can run <code>./chat -h</code> and see a list of options. You should be able to test it out like this:</p> <div class="sourceCode" id="cb1"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true"></a>$ <span class="ex">./chat</span> -l <span class="kw">&</span> <span class="fu">sleep</span> 1 <span class="kw">&&</span> <span class="ex">./chat</span> -c localhost <span class="kw">&</span></span></code></pre></div> <p>Two windows should appear in a moment, connected over the loopback interface.</p> <h3 id="other-notes">Other notes</h3> <p>There is a directory <code>openssl-examples</code> that demonstrates how to get most of the functionality you’ll need from <code>openssl</code>. However, your professor decided to write his own Diffie-Hellman key exchange, as the openssl version was somehow even more obfuscated and confusing than usual. You can see the Diffie-Hellman stuff in files <code>dh.h</code>,<code>dh.c</code>, and you can see some example usage in <code>dh-example.c</code>. Note that the function <code>dhFinal(...)</code> will also do key derivation for you (transforming the Diffie-Hellman value into pseudorandom bits that you can use as keys for encryption and MACs).</p> <p>You might also find the following links helpful.</p> <ul> <li><a href="https://beej.us/guide/bgnet/">network programming guide</a></li> <li>If you ever need to manipulate <code>mpz_t</code> types, read <code>info gmp</code>. Alternatively, you can read <a href="https://gmplib.org/manual/">the manual online</a>.</li> </ul> <h2 id="submission-procedure">Submission Procedure</h2> <p>Have one of your group members send me your repository. If you have it hosted somewhere, you can just send a link, but if you’ve done things on your own servers, just make me an archive like this:</p> <div class="sourceCode" id="cb2"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true"></a>$ <span class="bu">cd</span> /path/to/your/chat/../</span> <span id="cb2-2"><a href="#cb2-2" aria-hidden="true"></a>$ <span class="fu">tar</span> -czf chat.tgz chat/</span></code></pre></div> <p>Importantly, there should be a <code>.git/</code> folder in there containing the commit history.</p> <!-- links --> </body> </html>