Description

You are required to develop a simplified version of the TextSecure protocol, which provides forward secrecy and deniability. Working in the project will provide you with insight for a practical cryptographic protocol, a variant of which is used in different applications such as WhatsApp.

1      Introduction

The project has three phases:

• Phase I Developing software for the Registration and the Station-to-Station (STS) protocols. All coding development will be in Python programming language.
• TBA
• TBA

More information about Phase I is given in the subsequent section.

2 Phase I: Developing software for the Registration and Stationto-Station Protocols

In this phase of the project, you are required to upload one file: “Client.py”. You will be provided with “Client basics.py”, which includes all required communication codes.

In the Registration protocol (see below) you will register your long term public key with a server. You will also simulate the STS protocol with the same server. The server is accessible via cryptlygos.pythonanywhere.com. You may find the connection details in “Client basics.py”. JSON format should be used in all communication steps.

In the Station-to-Station (STS) protocol, each party must have a long term public and private key pair to sign messages and verify signatures. A variant of Elliptic Curve Digital Signature Algorithm (ECDSA) will be used with NIST-256 curve in this project. See Section 2.3 for the description of the variant of the ECDSA algorithm that will be used in the project. You should select “secp256k1” for the elliptic curve in your python code. Note that you will NOT use the ECDSA algorithm in the slides.

2.1     Registration

The long term public key of the server Q_SL is given below.

X:0xc1bc6c9063b6985fe4b93be9b8f9d9149c353ae83c34a434ac91c85f61ddd1e9

Y:0x931bd623cf52ee6009ed3f50f6b4f92c564431306d284be7e97af8e443e69a8c

In this part, firstly you are required to generate a long-term private and public key pair s_L and Q_L for yourself. The key generation is described in “Key generation” algorithm in Section 2.3. Then, you are required to register with the server. The registration operation consists of four steps:

1. After you generate your long-term key pair, you should sign your ID (e.g. 18007). The details of the signature scheme is given in the signature generation algorithm in Section 2.3. Then, you will send a message, which contains your student ID, the signature tuple and your long-term public key, to the server. The message format is

{‘ID’: stuID, ‘H’: h, ‘S’: s, ‘LKEY.X’: lkey.x, ‘LKEY.Y’: lkey.y}

where stuID is your student ID, h and s are signature tuple and lkey.x and lkey.y are the x and y and coordinates of your long-term public key, respectively. A sample message is given in ‘samples.txt’.

2. If your message is verified by the server successfully, you will receive an e-mail, which includes your ID, your public key and a verification code: code.
3. If your public key is correct in the verification e-mail, you will send another message to the server to authenticate yourself. The message format is “{‘ID’: stuID, ‘CODE’: code}”, where code is verification code which, you have received in the previous step. A sample message is given below.

{‘ID’: 18007, ‘CODE’: 209682}

4. If you send the correct verification code, you will receive an acknowledgement message via e-mail, which states that you are registered with the server successfully.

Once you register with the server successfully, you are not required to perform registration step again as the server stores your long-term public key to identify you. You need to store your long-term key pair as you will use them until the end of the project.

2.2       Station-to-Station Protocol

Here, you will develop a python code to implement the STS protocol. For the protocol, you will need the elliptic curve digital signature algorithm described in Section 2.3. The protocol has seven steps as explained below.

1. You are required to generate an ephemeral key pair s_A and Q_A, which denote private and public keys, respectively. The key generation is described in “Key generation” algorithm in Section 2.3

Then, you will send a message, which includes your student ID and the ephemeral public key, to the server. The message format is “{‘ID’: stuID, ‘EKEY.X’: ekey.x, ‘EKEY.Y’: ekey.y”, where ekey.x and ekey.y are the x the y coordinates of your ephemeral public key, respectively. A sample message is given in ‘samples.txt’.

2. After you send your ephemeral public key, you will receive the ephemeral public key Q_B of the server. The message format is “{‘SKEY.X’: skey.x, ‘SKEY.Y: skey.y}”, where x and skey.y denote the x and y coordinates of Q_B, respectively. A sample message is given in ‘samples.txt’.
3. After you receive Q_B, you are required to compute the session key K as follows.
   • T = s_AQ_B
   • U = {x||T.y||“BeY ourselfNoMatterWhatTheySay”}, where T.x and T.y denote the x and y coordinates of T, respectively.
   • K = SHA3 256(U)

A sample for this step is provided in ‘samples.txt’.

4. After you compute K, you should create a message W₁, which includes your and the server’s ephemeral public keys, generate a signature Sig_A using s_L for the message W₁. After that, you should encrypt the signature using AES in the Counter Mode (AES-CTR). The required operations are listed below.
   • W₁ = Q_A.x||Q_A.y||Q_B.x||Q_B.y, where Q_A.x, Q_A.y, Q_B.x and Q_B.y are the x and y coordinates of Q_A and Q_B, respectively.
   • (Sig_A.s,Sig_A.h) = Sign_sL(W₁)
   • Y₁ = E_K(“s”||Sig_A.s||“h”||Sig_A.h)

Then, you should concatenate the 8-byte nonce Nonce_L and Y₁ and send {Nonce_L||Y₁} to the server. Note that, you should convert the ciphertext from byte array to integer. A sample for this step is provided in ‘samples.txt’.

5. If your signature is valid, the server will perform the same operations which are explained in step 4. It creates a message W₂, which includes the server’s and your ephemeral public keys, generate a signature Sig_B using s_SL, where s_SL is the long-term private key of the server. After that, it will encrypt the signature using AES-CTR.
   • W₂ = Q_B.x||Q_B.y||Q_A.x||Q_A.y. (Note that, W₁ and W₂ are different.)
   • (Sig_B.s,Sig_B.h) = Sign_sL(W₁)
   • Y₂ = E_K(“s”||Sig_B.s||“h”||Sig_B.h)

Finally, it will concatenate the 8-byte nonce Nonce_SL to Y₂ and send {Nonce_SL||Y₂} to you. After you receive the message, you should decrypt it and verify the signature. The signature verification algorithm is explained in Section 2.3. A sample for this step is provided in ‘samples.txt’.

6. Then, the server will send to you another message E_K(W₃) ^[1] where, W₃ = {Rand||Message}. Here, Rand and Message denote an 8-byte random number and a meaningful message, respectively. You need to decrypt the message, and obtain the meaningful message and the random number Rand. A sample for this step is provided in ‘samples.txt’.
7. Finally, you will prepare a message W₄ = {(Rand+1)||Message} and send E_K(W₄) ^[2] to the server. Sample messages for this step is given below.

W₄ : 86987

MessagetoServer : 86987

8. If your message is valid, the server will send a response message as E_K(“SUCCESSFUL”||Rand + 2) ¹

2.3           Elliptic Curve Digital Signature Algorithm (ECDSA)

Here, you will develop a Python code that includes functions for signing given any message and verifying the signature. For ECDSA, you will use an algorithm, which consists of three functions as follows:

• Key generation: A user picks a random secret key 0 < s_A < q − 1 and computes the public key Q_A = s_AP.
• Signature generation: Let m be an arbitrary length message. The signature is computed as follows:
  1. k ← Zn, (i.e., k is a random integer in [1,n − 2]).
  2. R = k P
  3. r = x (mod n), where R.x is the x coordinate of R
  4. h = SHA3 256(m + r) (mod n)
  5. s = (s_A h + k) (mod n)
  6. The signature for m is the tuple (h,s).
• Signature verification: Let m be a message and the tuple (s,h) is a signature for m. The verification proceeds as follows:
  • V = sP − hQ_A
  • v = x (mod n), where V.x is x coordinate of V
  • h⁰ = SHA3 256(m + v) (mod n)
  • Accept the signature only if h = h⁰ – Reject it otherwise.

Note that the signature generation and verification of this ECDSA are different from the one discussed in the lecture.

[1] The first 8-byte of message, which you receive in this step, is nonce.

[2] All encrypted messages must be generated using unique nonce values. For each encryption, you must use AES.new(). Then, you must concatenate nonce and ciphertext.