代写密码算法中的RC4算法,对明文进行加密,并抵御常见攻击,通过测试。
Objective
For your previous homework, you have implemented the random one-time pad and
its approximation (i.e., stream cipher) RC4. I have mentioned in class that it
is often futile to design or implement cryptographic constructs. This is a
sound advice, for most of us, because often in-house designed cryptographic
constructs do not have the theoretically proven, rigorous, and well-vetted
security assurances that the existing well studied constructs have.
Furthermore, implementing an existing construct adds another level of
challenge because the security of some of the existing constructs requires
carefully chosen parameter values which are not often mentioned in the initial
specification. Overall, it is always a good idea to use a well-established
cryptographic library which has been vetted by experts and also attackers. The
overarching goal of this project is to give you hands-on experience on using
cryptographic constructs and libraries.
Participants
This is a group project. I highly recommend doing it in a group of two people.
If you do it alone, please note that the workload may be high and you will be
responsible for the consequences. You can choose your group members.
Problem
This project requires you to design and develop a simple but secure password
manager with 256-bit security. Please read the security requirement and
adversary model section to understand what I mean by a secure password
manager.
Note that your password manager does not need to auto-fill your password
fields in the browser.
You will run your password manager from the command line or terminal.
Adversary Model
You can assume the adversary can read the file your password manager uses to
store the username, domain, and password of each account. You can also assume
that the adversary may modify the password file (i.e., passwd file) in an
arbitrary fashion. You can safely assume that the adversary will not delete
the files.
Deliverables
You are going to provide 3 electronic documents along with your full source
code. The first document will state the compilation process of your source
code from the terminal or command prompt. The second document will detail your
design and your choice of implementationlevel functions and constructs with
necessary information. It should also argue how your design provides the
security guarantees expected. For instance, what is the format of your
password file, and what is your IV length and which functions did you use to
generate them? The final document will precisely state the work division among
the group members.
Programming Languages allowed
For this programming project, you can use C/C++, Java, and Python. Please note
that the instructor is not proficient in Python. Hence, the instructor may not
be able to provide language level assistance if you are using Python.
Cryptographic Libraries to use
Depending on the language of your choice use one of the following
cryptographic libraries: C/C++ (OpenSSL), Java (BouncyCastle), Python
(OpenSSL). For groups using C/C++/Python on MAC OSX, please use the Common
Crypto Library ( https://opensource.apple.com//source/CommonCrypto/
) as it is often
difficult to install OpenSSL for MAC OSX.
Cryptographic Constructs to use
For all your encryption purposes, please use AES with CTR (counter) mode with
256-bit block size. For hashing, you should use SHA512. For HMAC or MAC, you
can use any built-in functions provided by the respective cryptographic
libraries. When generating keys and IVs, please make sure you use a secure
pseudo-random number generators (PRNG) provided by the cryptographic
libraries. Please do not use the PRNGs provided by the standard libraries of
the language you are using; they are often not secure.
Functionality expected from your password manager
The password manager you are required to design will interact with the user
through the standard input. When you first run your password manager, it is
going to look for two files named “passwd file” and “master passwd,”
respectively, in the same directory, the executable is executing. If it cannot
find any of those files, your program will assume that the user has not
registered yet, and the password manager is running for the first time. In
that case, the user will be given a prompt to submit a master password. After
the master password has been obtained from the user, the password manager will
generate two files: one file named “passwd file” where it will store all the
encrypted account information; the other file named “master passwd” where it
will store a 256-byte salt followed by the master password hashed with the
salt.
After this registration phase, every time you execute the password manager, it
is going to first prompt the user for the master password. It will then check
whether the password matches according to the salted hash. If it does not
match, your program should output the following error message without quote
signs in the standard output: “WRONG MASTER PASSWORD!\n”. Note that your
program should not recreate either the passwd file or master passwd file after
the registration phase.
It will then perform an integrity check as to verify that no one has modified
the passwd file in an unauthorized fashion. If it fails the integrity check,
your program should output the following error message without the quote signs
in the standard output: “INTEGRITY CHECK OF PASSWORD FILE FAILED!\n”. If in
the case the integrity check passes, your program should not print anything to
the standard output.
Then your password manager will wait for input commands from the user. The
user can pose one of the following commands. When your program receives one of
the following commands, it will perform the functions as described below. For
processing commands, you may need to create
- check_integrity: Your program should check the integrity of the password file and output either “PASSED!\n” or “FAILED!\n” in the standard output without the quotes.
- register_account: Your program should take as input the username, password, and the domain name, and should store it in the passwd file encrypted. You can safely assume that username, password, and the domain name will have a length less than 80 characters. Note that when you register for a new account, you should re-encrypt the whole passwd file with a new random IV. If you are registering for an account that already exists (if all of the following matches: username, domain), your program should output the following message without quotes in the standard output: “USER ACCOUNT ALREADY EXISTS!\n”. You do not need to print anything when the operation is successful.
- delete_account: Your program should take as input the username, password, and the domain name to delete, and should delete it from the passwd file. Note that when you delete an existing account, you should re-encrypt the whole passwd file with a new random IV. If you are trying to delete an account that does not exist, your program should output the following message without quotes in the standard output: “USER ACCOUNT DOES NOT EXIST!\n”. You do not need to print anything when the operation is successful.
- change_account: Your program should take as input the username, the old password, the new password, and the domain name to delete, and should change the old password with the new password in the passwd file. Note that when you change an existing account, you should re-encrypt the whole passwd file with a new random IV. If you are trying to change the password for an account that does not exist, your program should output the following message without quotes in the standard output: “USER ACCOUNT DOES NOT EXIST!\n”. You do not need to print anything when the operation is successful.
- get_password: Your program should take as input the domain name, and should print the username and the password for that domain obtained from the passwd file. Your program should print the username, password in the following format without quotes in the standard output: “username[SPACE][username][SPACE]password[SPACE][password]\n” where [username], [password], and [SPACE] are the actual username, password, and the space character, respectively. If you are trying to retrieve the password for an account that does not exist, your program should output the following message without quotes in the standard output: “USER ACCOUNT DOES NOT EXIST!\n”.
Hint and Other Information
There is a question of how would you connect a master password to an
encryption key. There are secure algorithms for generating encryption keys
from textual passwords. For instance, you can use PKCS5 PBKDF2 HMAC from
OpenSSL. Such functions are available for other libraries too.
Please do not use any insecure cryptographic constructs or constructs which
have been proven to be insecure, e.g., SHA1, MD5, RC4.
Assume all the passwords, domain names, and also the usernames that can be
submitted by the user can contain all printable ASCII characters except the
space character and ‘!’.
Security guarantees expected from your design
The first security guarantee expected from your design and implementation is
the confidentiality guarantee. Precisely, anyone without the correct master
password should not be able to know any one of the following information: (1)
Which accounts you have registered for; (2) Username of any of the accounts
you have registered for; (3) Passwords of any of the registered accounts. This
security guarantee dictates that the file in which your password manager
stores the password should be encrypted. Note that we want a 256-bit security
of our system.
The second security requirement your design and implementation should provide
is integrity guarantees. More precisely, if anyone has modified your file, you
should be able to detect it. This security guarantee dictates that you should
use some form of message authentication code (MAC) or Merkle hash tree.
Your design does not need to protect the integrity of the contents of the
master passwd file. You can assume there is some other way to protect this
file.
Note that your design does not need to provide freshness guarantees. A
password manager with freshness guarantee ensures that if the adversary
replaces the current version of your password file with an old version, it
will be able to detect it.
