Assignment2-Courses/CYBR372_2024T2

Part1:TLSClient and Server lmplementation Using Java Sockets  and SSLAPls(60%)

Objective:

Implement  a  client  and  server  that  communicate  securely  using  TLS,focusing  on  low-level  Socket   and  SSL  APls  (i.e.,avoiding  higher-level  libraries).The  client  should  authenticate  the  server  using  a certificate  issued  by  a  self-created  certificate  authority(CA).

Learning Outcome:

You  will  understand  the  process  of  establishinga  secure  connection  using  TLS,including  client-side certificate validation  and  server  authentication.You will  also  learn  how  to  create  your  own  PKI  by becoming  your  own  certificate  authority  and   issuing  server  certificates!

Requirements:

1.Client:

■Establish a connection to the server over a secure channel using TLS.

Verify the server's certificate,which is issued by a you as a trusted certificate authority(CA).

■ Authenticate the server.

■ Send a simple message (e.g.,"Hello,Server!")once the connection is established.

2. Server:

■Create a TLS server socket that listens on a specified port.

Accept connections from clients and send a simple response (e.g.,"Hello,Client!")back. ■Use a certificate signed by you as a trusted CA for authentication.

3.Certificate  Authority(CA):

■ The students should become their own certificate authority by generating a root CA certificate and private key.

Issue  a  certificate for the  server signed  by  the  root  CA's  private  key.This  certificate  should  be used  by the server for the TLS connection.

■ The client must trust the CA and verify the server certificate against it.

4.Certificates:

Create   a    certificate   chain    that   includes    the   root    CA   certificate    (yourself)and    the   server certificate.

Configure  the  server  to  present  its  certificate,and  configure  the  client  to  validate  the  server certificate  against  the  trusted  CA.

5.Additional Notes:

■No mutual authentication is required.The client only verifies the server's certificate.

Provide thorough error handling if certificate validation fails (e.g.,invalid certificate,untrusted

Technologies:

■    Java     Sockets(java.net.Socket    /java.net.ServerSocket).

Java Secure Sockets Extension(JSSE)APls like SSLContext,SSLSocket,and SSLSocketFactory.

■ Java  Keytool  or openssl to generate certificates.

Deliverables:

1.Java code for the client and server.

2.The process of generating the root CA certificate and issuing the server certificate.

3.A PDF report (500 words limit)that explains the certificate generation and the process of using

your own CA.Include an explanation of how the client authenticates the server.

Part 2:Capture and Break-down TLSHandshake with Wireshark(40%)

Objective:

Capture  and  analyse  the  TLS1.2  and  TLS  1.3  handshakes  using  Wireshark  and  identify  cryptographic details.

Learning Outcome:

You will gain a deep understanding of the TLS handshake process and the differences between TLS

1.2 and 1.3,by literally seeing it!

Requirements:

1.Capture Setup:

Set up a TLS connection to a website using any secure service (e.g.your browser)or your own implementation (e.g.,from Project  1).

■Use Wireshark to capture network traffic during the TLS handshake

Deliverables:

1.Wireshark  capture  files(.pcap  or  .pcapng).

2.A  PDF  report(500  words  limit)with  screenshots:

■ identifying each step of the TLS handshake for both versions,clearly identifying each piece of exchanged  information

plus mentioning what each side does in between the steps.For this,you may need to consult

with the TLS 1.2 and TLS 1.3 documentations:RFC 5246-The Transport   Laver  Security(TLS)

Protocol Version 1.2 and RFC8446-The  Transport   Laver  Security(TLS)Protocol  Version   1.3.

Part 3:CryptographicInspectionof Open-Source Communication Apps(40%)

Objective:

Analyse  the  cryptographic  services  and  mechanisms  used  in  open-source  communication applications  by  inspecting  their  source  code.

Learning Outcome:

You will gain experience in practical code analysis,understanding how cryptography is implemented in real-world systems.

Steps:

1.Application Selection:

■ Choose at least two open-source communication applications (text/chat,call,video  conferencing)for analysis.Here are some suggestions,but feel free to select your own(as long as it is relatively known application,and not e.g.some student's project!),The source code should be publicly available (e.g.,on GitHub):

■ Signal(Private Messenger)-messaging,voice,and  video  calls

o Source Code:Available on GitHub-Signal Android and Signal Server.

■ Jitsi(Video Conferencing)-video  conferencing

o Source Code:Available on GitHub -Jitsi.

Wire(Secure  Messenger)-text,voice,and  video  calls

o Source Code:Available on GitHub -Wire Android and Wire Server.

Matrix/Element(Decentralized   Communication)-decentralized   messaging   platform.

o Source Code:Available on GitHub-Element  Web or GitHub-Element iOS and Matrix Synapse.

Tox(Peer-to-Peer  Messenger-peer-to-peer instant messaging and video chat

o Source Code:Available on GitHub-Tox Core.

Linphone(VolP and Video Conferencing)-voice and video communication over the internet

o  Source  Code:Available  on GitLab-Linphone      Desktop or GitLab-Linphone    Android or GitLab-Linphone      IPhone.

Mumble(Low-Latency Voice Communication)-voice chat,often  used  by  gamers

o Source Code:Available on GitHub-Mumble .

OpenFire(Real-Time Collaboration)-a real-time collaboration server based on XMPP

o Source Code:Available on GitHub-Openfire .

■ Zulip(Team Chat)-threaded team chat platform similar to Slack

o Source Code:Available on GitHub-Zulip .

RetroShare(Decentralized    Communication)-peer-to-peer    messaging     and    file    sharing with   end-to-end   encryption

o   Source Code:Available on GitHub-RetroShare .

Nextcloud Talk(Video and Text Chat)-self-hosted video and text chat for teams

o Source Code:Available on GitHub -Nextcloud Talk.

XMPP/Jabber(Protocol and Client Implementations)-multiple XMPP-based chat clients and servers are open source and widely used.

o  Example  Clients:

o  Conversations: Codeberg  -Conversations

o   Gajim: Gitlab-Gajim

Briar(P2P Messaging with Strong Privacy Focus)-a peer-to-peer messaging app with a focus   on   anonymity   and   privacy

o Source Code:Available on Gitlab -Briar.

Mattermost(Team   Communication)-an  open-source Slack alternative for team communication.

o Source Code:Available on GitHub-Mattermost .

Rocket.Chat(Team         Collaboration         and          Messaging)-an      open-source       chat      platform.      for

team                   collaboration

o Source Code:Available on GitHub-Rocket.Chat .

2.Source Code Analysis:

Download  and  inspect  the  source  code  to  identify  the  cryptographic  algorithms  and  libraries used.

■ Focus on the following cryptographic services:

o Confidentiality:How are messages encrypted (e.g.,AES,ChaCha20)?

o Message Authentication:What mechanisms ensure message integrity (e.g.,HMAC,

digital signatures)?

o Entity Authentication:How are users authenticated (e.g.,certificates,passwords,public

o End-to-End             Encryption(E2EE):Are      communications     encrypted     from     sender     to     receiver? How       is       this       achieved?

3.Documentation:

■  For each service identified (confidentiality,authentication,etc.),explain:

o The cryptographic technique used.

o The specific implementation in the source code(e.g.,mention libraries,functions, protocols).

o Any  limitations(if found).

Deliverables:

A PDF report(1000 word limit for both applications combined)that includes:

■ o The selected applications.

o   A   description   of   the    cryptographic    primitives    and    services.

o Code snippets or references to relevant parts of the source code.

o A discussion of the security guarantees provided by these mechanisms.