CIS444 – Spring 2024 - Project Specification
Secure Two-Party Communication with Hybrid Encryption and Attack Simulations
Overview
This project requires students to develop a secure communication application using Python (or another programming language you prefer – Assembly perhaps?) that simulates a two-party conversation over an insecure channel. The system employs a encryption scheme where RSA (public key cryptography) is used to securely exchange an AES symmetric key, which is then used for subsequent communication. In addition, the application simulates attacker activities including confidentiality attacks (eavesdropping), integrity attacks (impersonation), and availability attacks (channel flooding). The attacker’s observations and interventions will be logged and analyzed.
Objectives
- Ensure confidentiality by implementing both asymmetric (RSA) and symmetric (AES) encryption.
- Use RSA to exchange a symmetric key securely between two parties.
- Develop a UI with two distinct textboxes (along with the send button) on the same screen for User A and User B, and three buttons that activates attacks for the attacker
- Simulate an attacker impersonating one of the parties to modify or inject messages.
- Simulate a Denial-of-Service (DoS) scenario where the channel is overwhelmed with traffic.
- Record all data transmitted over the communication channel, including any attack traffic and modifications.
Functional Requirements
1) User Interface
- Dual Textboxes: Display two input areas along with “send” buttons on a single screen:
- User A’s textbox: For plaintext message entry.
- User B’s textbox: For plaintext message entry.
- Attacker: Buttons that start integrity and availability attacks
- Message Display: Show both sent and received messages along with status notifications (e.g., “public key received,” “symmetric key exchanged,” “message altered by attacker”).
- Attack Alerts: Display status on screen if an integrity or availability attack is simulated during the session.
2) Communication Flow
1. Initial Message:
- User A initiates the conversation by entering any plaintext.
- User B receives the initial message and must reply with their RSA public key.
2. Public Key Exchange:
- The first exchanged message containing a public key triggers the key exchange process.
- The party that receives the public key generates a new AES symmetric key.
3. Symmetric Key Exchange:
- The party generating the symmetric key encrypts it using the received RSA public key.
- The encrypted symmetric key is sent to the other party.
4. Secure Messaging:
- Once both parties share the symmetric key, subsequent messages are encrypted and decrypted using AES.
- Each message transmitted is subject to logging and potential interception or alteration by the attacker.
3) Attacker Simulation and Logging
Confidentiality Attack: Eavesdropping:
- Record all communication (both plaintext during initial key exchange and ciphertext during secure messaging) that is visible to an eavesdropper.
Integrity Attacks: Impersonation:
- Simulated Impersonation: The attacker pretends to be one of the legitimate parties by injecting or modifying messages. How? Figure it out.
- Logging Changes: Record the attacker’s injected messages or alterations and include a note indicating that the message has been tampered with.
- Verification Mechanisms: Optionally, implement message authentication codes (MACs) or digital signatures to detect such integrity violations.
Availability Attacks: Channel Flooding:
- Simulated DoS: The attacker generates a high volume of spurious traffic to overwhelm the communication channel.
- Logging Overloads: Record the timestamps and volume of traffic associated with the flooding to analyze the impact on the communication process.
Technical Requirements
Programming Language: Python (recommended) – or any other programming language you prefer.
Cryptographic Libraries:
- Use off-the-shelf libraries such as PyCryptodome or similar for AES and RSA operations.
Encryption Protocols:
- AES: For symmetric encryption after key exchange.
- RSA: For encrypting the AES key during the exchange.
User Interface Framework:
- A simple GUI (Tkinter, PyQt, or a web-based interface) that supports two separate text inputs on the same screen.
Attack Simulation Modules:
- Implement modules or threads that simulate integrity attacks (by altering or injecting messages) and availability attacks (by flooding the channel with data).
One-Page Report
Security Analysis: Discuss the vulnerabilities demonstrated by the simulated attacks and propose potential mitigation strategies.
How-to: Add an installation manual
Evaluation Criteria
Functionality (40%)
Code Quality (20%)
Security Understanding (20%)
Documentation (20%)