Differences
This shows you the differences between two versions of the page.
|
ac:laboratoare:07 [2019/11/07 15:29] marios.choudary [Task 2: Implement DH + RSA signature] |
ac:laboratoare:07 [2024/11/14 13:05] (current) dimitrie.valu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Lab 07 - TOFU-based Authenticated Key Exchange ===== | + | ===== Lab 07 - Whatsapp End-to-end Encryption ===== |
| - | ==== Task 1: Generate a pair of RSA public/private keys ==== | + | In this lab you will implement a simplified version of the Signal Protocol, which is the basis for WhatsApp's end-to-end encryption. |
| - | Use these commands to generate a pair of public/private keys: | + | The first versions of Whatsapp protocol were described [[https://cryptome.org/2016/04/whatsapp-crypto.pdf|here]]. A more recent document is available [[https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf|here]]. |
| + | WhatsApp's security is based on the Signal protocol, which was first used by TextSecure. The Signal protocol is | ||
| + | described in detail in [[https://s3.amazonaws.com/files.douglas.stebila.ca/files/research/papers/EuroSP-CCDGS17-full.pdf|this]] paper. | ||
| + | |||
| + | For the Elliptic Curves, you can use [[https://github.com/Muterra/donna25519|this]] library. | ||
| + | |||
| + | For installation, follow these steps (NOTE: **you can use your ''%%fep%%'' instance via Python3 environments**): | ||
| + | * Install the necessary tools (not necessary on ''%%fep%%''): | ||
| <code> | <code> | ||
| - | openssl genrsa -out private.pem 2048 | + | sudo apt install build-essential python3-dev |
| - | openssl rsa -in private.pem -outform PEM -pubout -out public.pem | + | sudo apt install python3-pip |
| + | </code> | ||
| + | * Use ''%%wget%%'' to download the required zip (find it below) | ||
| + | * Create a Python3 environment, make sure PyPI is up to date and install the required packages: | ||
| + | <code> | ||
| + | python3 -m venv create env | ||
| + | source ./env/bin/activate | ||
| + | pip install --upgrade pip | ||
| + | pip install cryptography donna25519 | ||
| </code> | </code> | ||
| - | ==== Task 2: Implement DH + RSA signature === | + | **If local installation does not work, use your ''%%fep%%'' instance.** |
| - | Modify your DH key exchange implementation (see lab 5) such that when one of the parties (the server) sends its public DH share, | + | === Task === |
| - | it also sends a signature over this share using its private RSA key (generated in the previous task). The other party (the client) should have access to the server's public key (e.g. just write it on a file). | + | Find the required zip here - {{:ac:laboratoare:lab07.zip|}}. |
| - | On reception of the public DH share from the server, the client should verify the signature from the server by using its public key and should also store this public key and associate it with the IP of the server. | + | Create a common ''%%master_secret%%'' for two clients which communicate through a server. (**TODO 1.1** & **TODO 1.2**) |
| + | Print it on both clients and make sure they both have the same secret. | ||
| - | Initial files | + | == How to run == |
| - | {{:ac:laboratoare:lab_dh_tofu.zip|}} | + | Open three different terminals. |
| + | First terminal (start the server): | ||
| + | <code>python main_server.py</code> | ||
| - | ==== Task 3: Implement DH + RSA + TOFU === | + | Second terminal (start the first client and enter ''%%RECV%%'' mode: |
| + | <code> | ||
| + | python main_client.py | ||
| + | RECV | ||
| + | </code> | ||
| - | Perform the RSA-based authenticated DH key exchange between the client and server implemented earlier several times. On the first connection, the client should store the public key of the server and associate it with the IP of the server. Then, on subsequent connections, the client must check that the public key of the server matches the one that is stored (if the client already has a public key for the given IP of the server). If it matches, it will use that key for verification of the signature over the DH share of the server. If it doesn't match, it should print an error message and exit. | + | Third terminal (start the second client and send a message): |
| + | <code> | ||
| + | python main_client.py | ||
| + | MSG <id_other_client> Hello! | ||
| + | </code> | ||
| - | This is very similar to what SSH does when connecting to a server using a pair of public/private keys and is known as Trust On First Use (TOFU) authentication. | ||
