PV080
Login

Assignment #3 - DH/RSA

Deadline: 30.03.2025 23:59:00 Brno time
Points: 7 points
Discussion forum: here
Submit: here

The goal of the assignment is to show you how all things you have learned in the seminars work together in practice. You will use mostly the functions and principles we used in the seminars. As we want you to understand public key crypto in more detail, Diffie-Hellman and RSA keys are transmitted as integers. This requires to use some functions (we prepared for you) to transform data between bytes, hexadecimal strings, and integers. In the part of the assignment, you will play the role of a bad guy who wants to cheat and gain some points unethically. From the practical part, you will directly give yourself 6 points. In the theoretical part, your goal is to identify the problem and propose the fix.

We'll start the assignment with a fictional story from the CRoCS laboratory. Afterwards, we define the API that you'll be using and then the format of your submission. Finally, we'll give you a few examples that you might find useful. Since this task is quite verbose and technical we encourage you to ask in the discussion forum, so that we can help you decrypt it and understand it.

A fictional story

When professor Vashek Matyas wants to assign points to students (i.e., for assignments) he needs to access the DATABASE server. Anyone can communicate with the DATABASE server but they need to agree on a shared key using Diffie-Hellman with the AUTH server first. AUTH server then transmits the shared symmetric key to the DATABASE server for further communication.

A plain Diffie-Hellman protocol is vulnerable to the man-in-the-middle (MITM) attack. In order, to prevent MITM attacks both communicating parties (client and the AUTH server) always sign their public key shares with their private RSA keys. Sides are authenticated by checking the RSA digital signatures. A high-level overview of the expected communication is shown in the figure below.

Diagram of Vashek's communication
Diagram of Vashek's communication

Your goal

Professor Matyas was asked by associate professor Petr Svenda, who has a strong passion for cryptographic smartcards, to test his new smartcard doing cryptographic operations. Unfortunately, asymmetric algorithms are slow (especially on smartcards), hence professor Matyas asked PV080 tutors to implement additional functionality - symmetric authentication for the DATABASE server. The functionality allows a client to send his randomly generated MAC key encrypted by the shared key. The MAC key will be used then by the CBC-MAC mechanism replacing the slow signing with RSA. This new authentication method requires adapting the protocol. Unfortunately, PV080 tutors rushed and proposed an insecure protocol that allows authenticating anyone as any other person. Your tasks are:

  1. Use the AUTH server and establish a shared_key, a symmetric AES-256 key(=Diffie-Hellman shared secret hashed using SHA256) for the communication with the DATABASE server. The Diffie-Hellman shares are signed by the RSA keys of the message senders.
  2. Establish a random mac_key, a AES-256-CBC-MAC key on the DATABASE server. The mac_key should be sent to the DATABASE server encrypted using the shared_key with AES-256-CBC and PKCS #7 padding. This encrypted message should be signed with your RSA key.
  3. Give yourself 3 points by sending the message b"Give XXXXXX 3 p" encrypted by the shared_key with AES-256-CBC and PKCS #7 padding to the DATABASE server. This encrypted message should be signed with the RSA key of the student whose UCO is included in the message. Furthermore, also include in the request a MAC of the UCO sending the request to give points, using the mac_key with AES-256-CBC-MAC.
  4. Give yourself 3 further points by using a leaked message that professor Matyas sent to the DATABASE server, in which he gave points to Jan Jancar with UCO of 445358. Change some of the values in a way the message has the required format and will be authenticated as Vashek's. In the case of success, the server will assign you a further 3 points. 
    msg = b"Give 445358 3 p"
msg_encrypted = bytes.fromhex("116911af5df639774a8cc0badff7068a2d0cdfee53dee0593aed8b08854b48b2")
signature = ...  # omitted, did not leak
uco = 344
uco_bytes = int_to_bytes(uco)
uco_mac = bytes.fromhex("5c7adf789b5b093889e7cda64a091bc0")  # MAC of uco_bytes
  5. Answer the questions:
    1. What is the main problem (or problems) with the DATABASE server that allows authentication as professor Vashek Matyas?
    2. How would you fix the problem(s)?

Resources and hints

The AUTH and DATABASE servers use cryptographic functions that you are already familiar with from seminars on symmetric and asymmetric cryptography, such as AES-256-CBC or RSA-PSS signatures. You can download and use an implementation of these functions here: functions.py. The following functions are defined there:

# Crypto functions
def aes_encrypt_cbc_pkcs7(key: bytes, plaintext: bytes) -> bytes
def aes_decrypt_cbc_pkcs7(key: bytes, ciphertext: bytes) -> bytes
def mac_create_aes_cbc(key: bytes, data: bytes) -> bytes
def mac_verify_aes_cbc(key: bytes, data: bytes, mac: bytes) -> bool
def rsa_sign_pss_sha256(private_key: rsa.RSAPrivateKey, data: bytes) -> bytes
def rsa_verify_pss_sha256(public_key: rsa.RSAPublicKey, data: bytes, signature: bytes) -> bool
def rsa_load_key(pem: bytes) -> rsa.RSAPrivateKey

# Utility functions for interacting with the API
def send_get(endpoint: str, params: Optional[Dict[str, str]] = None) -> Tuple[int, Dict[str, str]]
def send_post(endpoint: str, data: Optional[Dict[str, str]] = None) -> Tuple[int, Dict[str, str]]
def int_to_bytes(integer: int) -> bytes,  def bytes_to_int(data: bytes) -> int
def int_to_hex(integer: int) -> str,      def hex_to_int(hexa: str) -> int

The server uses these exact functions, which means that compatibility is guaranteed if you decide to use them. There is nothing inherently "special" about these functions that you would need to solve the assignment, they are just implementations of the stated cryptographic algorithms that are compatible with what is used on the servers (AES-CBC encryption (with 256 bit key), AES-CBC-MAC (with 256 bit key) and RSA signatures).

API description

To communicate with both AUTH and DATABASE servers you can use the following HTTP APIs. In the IS in the notebook HW03 keys you'll find your RSA private key that you should use while solving this assignment. Sharing keys with other students is forbidden! We are aware that sending you a private key is bad practice and should not be done under almost any circumstances, but it is done in this exercise to simplify it.

All valid API calls return the status code 200. Requests with missing or invalid values return a response containing JSON, where the field corresponds to the troublesome value (except for general errors, in which case the "error" field contains the description of the error). The following cards give API definitions and example requests and responses.

The API is rate-limited (at roughly 10 requests per second), brute-forcing is not required and therefore request spamming can result in a temporary ban (you will receive HTTP status code 429 when you hit the rate-limit). The whole assignment can be solved in just a few requests.

Interactive form

In addition to all the API endpoints a website is also available that allows you to interact with the endpoints via a web form.

The API endpoints available are listed below, color-coded by the server they belong to:

AUTH server
Interactive form
DATABASE server
Interactive form
Get Diffie-Hellman parameters
Request

Get the Diffie-Hellman parameters from the AUTH server.

Path: /hw03/auth-server/api/dh
Method: GET
Response

Returns the AUTH server's public parameters for the Diffie-Hellman key agreement: the prime modulus $p$ and the generator $g$. The values "modulus_p", "generator" are all integers in hexadecimal using big-endian.

{ "modulus_p": "910731b1d8adf0415cb9d7f22f0baa133f827641ceb296
                ...
                12317d9f23afdf004bbb53f5c4164d136a0636249290bb",
  "generator": "02" }
Get RSA public key
Request

Get the AUTH server's RSA public key.

Path: /hw03/auth-server/api/rsa
Method: GET
Response

Returns the AUTH server's RSA public key.

{ "modulus_n": "aa85277b6ecd314b55cfe4f8c86fc0f8ead3cbc0205315df8c
                ...
                2597105c9cf9fee1a2f6e106efa752624111db6b3f86b6a06d",
  "public_exponent_e": "010001" }
Perform key agreement
Request

Perform Diffie-Hellman key agreement with the server to agree on a shared_key, authenticated by RSA signatures. The shared_key is the shared secret resulting from the Diffie-Hellman key agreement, padded with zero-bytes on the left to the length of 256 bytes and hashed with SHA-256.

Path: /hw03/auth-server/api/kex
Method: POST
Body: JSON (application/json) dictionary with three keys: "uco" containing the UCO of the student performing the key agreement, "payload" containing the Diffie-Hellman public key as an integer in hexadecimal in big-endian, "signature" containing the RSA signature in hexadecimal (RSA-PSS is used with SHA256 and MGF1). The signature is over the "payload" bytes (decoded from hexadecimal). 
{ "uco": 123456,
  "payload": "09a90e5c306ebdca03175cdb216135dc606720ee31856c
              ...
              296ab67679e5c3ee49803000a91c6d0af816eef46be922",
  "signature": "4955639e0a1a6598919bf9b96e931e9f8ffe6e738d937
                ...
                a0fb703864eb80b49400e051233c075bdbe79e36d4612" }
Response

The server replies with JSON containing its Diffie-Hellman public key and signature, in the same format as in the request.

{ "payload": "3f89fb2056ee5dce71a5c389115affe90be144825bb618
              ...
              3720bee29d637982ce47f03a60cd0ac469f3ade83c9d80",
  "signature": "caa07ff61f4a0b9f9f0d73aa74436d0dd6d8820232f96
                ...
                4f9cb699886465a329f016bf5f907a5da0fb703864eb8" }
Errors
  • Wrong uco (student not found).
  • Signature cannot be verified.
  • Cannot establish shared key.
Get RSA public key
Request

Get the DATABASE server's RSA public key.

Path: /hw03/database-server/api/rsa
Method: GET
Response

Returns the DATABASE server's RSA public key.

{ "modulus_n": "aa85277b6ecd314b55cfe4f8c86fc0f8ead3cbc0205315df8c
                ...
                2597105c9cf9fee1a2f6e106efa752624111db6b3f86b6a06d",
  "public_exponent_e": "010001" }
Establish MAC key
Request

Establish a MAC key with the DATABASE server.

Path: /hw03/database-server/api/mac
Method: POST
Body: JSON (application/json) dictionary with three keys: "uco" containing the UCO of the student performing the MAC establishment, "payload" containing the MAC key encrypted using the key shared with the AUTH server using AES-256-CBC with PKCS #7 padding, "signature" containing the RSA signature in hexadecimal (RSA-PSS is used with SHA256 and MGF1). The signature is over the "payload" bytes, not in hexadecimal but as an integer in big-endian.
{ "uco": 123456,
  "payload": "09a90e5c306ebdca03175cdb216135dc606720ee31856c
              ...
              296ab67679e5c3ee49803000a91c6d0af816eef46be922",
  "signature": "4955639e0a1a6598919bf9b96e931e9f8ffe6e738d937
                ...
                a0fb703864eb80b49400e051233c075bdbe79e36d4612" }
Response

Returns a confirmation if the MAC key was successfully set, else returns an error. 

{ "status": "OK" }
Errors
  • Wrong uco (student not found).
  • Payload cannot be decrypted, a shared_key is not setup.
  • Signature cannot be verified.
  • Payload could not be decrypted.
  • The MAC key should be 32 bytes.
  • Cannot establish MAC key.
Get points
Request

Get the amount of points a given student has.

Path: /hw03/database-server/api/points
Method: GET
Query parameters: "uco" containing the UCO to get the points for. 
/hw03/database-server/api/points?uco=123456
Response

The amount of points the student has. 

{ "points": 0 }
Give points
Request

Give a student some points, using a message of the form b"Give 123456 4 p" that would give student with UCO 123456 four points.

Path: /hw03/database-server/api/points
Method: POST
Body: JSON (application/json) dictionary with four keys:
  • "uco" containing the UCO of the person giving the points,
  • "payload" containing the message encrypted using the key shared with the AUTH server using AES-256-CBC with PKCS #7 padding,
  • "signature" containing an RSA signature of the "payload" by the RSA key corresponding to the UCO of the person receiving the points (RSA-PSS is used with SHA256 and MGF1),
  • "mac" containing the MAC of the "uco" using the MAC key of the person giving the points.

The signature is over the "payload" bytes, not in hexadecimal. The MAC is over the "uco" in bytes (int_to_bytes).

{ "mac": "e96d0c46cb4e872c3601bde728bd4535",
  "payload": "290a7425fafacf53ff00cc78aa615b423515187f421ea587df8351d9b75173d0",
  "signature": "9eef9311873cbdf88b3a643f275e3df2ae2eabf8a22049897df08af25ff7980a854b7164b32299a27a96596ff3c34dbd341d933120881866000721c837d0326363fb26b2e658e9b79a62e6acb25987bcc59a365b0a36573c63c7fe0115bed57a42932dabae368c43932637c3df2d1e63956fd1f3bc69bab4d61b65d7289d23c8974d90f29a1b21ff82afbce3e6de9109b7e6a73878c7f9f50d99a7b9ad25deb4780ead43fff66bb0f69690cd42fe36835489c95957b04fca6568b1ae7049c792b26cb7bf012c3499637ab2e84372ffde1872479c23e8e7bf36c7a1b816cfd975973b210efcbca185f1301fe5ca99382de929ca76c60a7e15a81ff920e8d5dd42",
  "uco": 123456}

or

{ "mac": "98d3f38a11f50b98e12b3622aecf9dc0",
  "payload": "b59ba414860ee3005d020e44b29241f9624e2fdfc5efe700a538cb5b70b8dc70",
  "signature": "61a8ce60fe6e0a7889271b934e39b17fcc18ee64f5d72fb58b15d1e63ea8f60b617304c7a7d0862be43c0879deb195a3738662f13d671e65c95362dd478a39bf934260adb6aec296b8f9ae72cf18e217abc76d4678505eb0ce48a55744bdc2eeae420b0739d5ed1acaf524e2b6c9a7d0b1e223264f787e82bbe79b9f97ef44ca7961044cbb1c1ca29920998733dddc649a6e0c040cafe63476c35db314a2712d59691f913b3092f3bd95a7653355b93751388833d5ed2a97e3c3abd19e2068f89c448dc49bdea4040cbc35f39b4e45171286af3b64cbd960d5d2d5875c8534059175c24c7f1d95266c21710b43d39f88bdae8e4563f74878ee9595639bcd5064",
  "uco": 344}
Response

An error message or a report of successful point addition. 

{ "payload": ["Points successfully added."] }
Errors
  • Wrong uco (student not found).
  • No shared key setup to decrypt.
  • No MAC key setup to verify.
  • MAC cannot be verified.
  • Payload could not be decrypted.
  • Decrypted payload cannot be decoded in UTF-8.
  • Decrypted payload does not match message format, only 'Give <uco> <x> p' is allowed.
  • Student with UCO <UCO> couldn't be found.
  • Signature cannot be verified.
  • Only 3 points can be given by Vashek.
  • You can only give points to yourself. Only Vashek can give points to anyone.
  • You can only give 3 points to yourself.
  • Points couldn't be added.

Grading

The 6 points you receive for this assignment are automatically gathered from the DATABASE server. The last 1 point is given based on your answers to the questions.

Submission

Submit a ZIP file containing two things: