online_security_project/protocol.md

161 lines
7.2 KiB
Markdown
Raw Normal View History

2024-12-01 19:40:08 +02:00
# The Protocol
2025-01-07 18:40:03 +02:00
1. Encryptions used:
- RSA-1024 (can be of somewhat arbitrary length):
used for initial server communication,
client to client communication and for client authentication.
- SHA3-256 hash:
verification of information by signing with the RSA keys (messages and authentication).
- AES-CFB-256:
Used for encryption of communication between the client and the server.
- both PKCS7 and padding-less messages are being sent as
most requests are made to be exactly 1 block (128 bits),
which technically results in a cookbook style encrytion.
2. Registration is done by getting a public key from the user, and in a
second packet getting the 6 digit code, the code is then signed to make
sure the key given in the first packet is indeed the expected key.
For more details see Registration below
3. Public keys are generated by the client when it wants to register, it is
then the clien't job to save private key in a secure fashion
(currently it is saved as an unencrypted file in pem format for ease of debug).
The AES session keys are also generated by the client, but they are not
saved anywhere as they are only for the current session (if a disconnect
happend, a new key needs to be generated). The session key is sent to the
server as the first packet, signed with the server's public key, so only
the server could obtain them.
The server saves each user public key (and each client can cache other
users public keys to reduce network usage), while the keys should be saved
in a secure fashion, it is more important for them to not be changed rather
then not having general access, as getting someone's public key is as easy
as registering and making a simple request.
2024-12-01 19:40:08 +02:00
2025-01-07 18:40:03 +02:00
Passing keys between users is not of a great security risk, as all keys
passed are public keys.
4. Messages are first encrypted using the recipient's public key, then signed
using the sender's private key (the signature is appended). This allows the recipient to verify the message's claimed origin. Message
Acknowledgements are special messages, being sent as normal messages with
the same id as the acknowledged message but with the IsAck flag set to true.
5. See Passing messages below
6. See Requests below
7. The server uses 2 Dictionaries as the data structure (see `server/Data.cs`)
(not saved to disk due to the non-trivial nature of it),
1 dictionary is used to save the public keys, and the other acts as a
mailbox for each client.
2024-12-14 17:17:58 +02:00
2025-01-07 18:40:03 +02:00
### About Key Derivation Function
2024-12-14 17:17:58 +02:00
2025-01-07 18:40:03 +02:00
KDF isnt necessary here, as the client already has the server's public key and no key exchange needs to happen,
the client can send an encrypted symmetric key to the server, and a secure connection can be established using only 1 request.
NOTE: the server in this case trusts the client to create a good symmetric key. This is not a big issue in my opinion,
as the client (if malicious) can send a third party the transfered data regardless.
## Initializing a connection
First packet of each connection needs to be an encrypted packet
(using the server's public key) of an AES-256 session key appended by
some random IV.
2024-12-14 17:17:58 +02:00
2024-12-01 19:40:08 +02:00
## Registration:
2025-01-07 18:40:03 +02:00
- User sends a `Register` requset giving them a public key and a phone number.
- Server sends the user a `VerificationRequired` message (not in current code, as the 6 digit code does that for now) & a 6-digit code (Secure channel)
2025-01-06 20:55:13 +02:00
- User sends the server a `ConfirmRegister` with the 6-digit code, signed using the key provided at previous stage
- Server verifies the signature and code, and if both are valid it sends a last `Confirm` and the registration process is done
2024-12-01 19:40:08 +02:00
2025-01-06 20:55:13 +02:00
## Login
2024-12-01 19:40:08 +02:00
2025-01-06 20:55:13 +02:00
Login is done by a challenge, the user sends a `Login` request, the server sends a random block of 16 bytes for the user to sign,
then the server validates the signature with the known saved key.
2024-12-01 19:40:08 +02:00
## Passing messages
In order to send a message from A to B, A will ask the server for B's key,
2025-01-06 20:55:13 +02:00
A will then encrypt the message using B's key, append a signature, and send a `SendMessage`
request with the payload having the structure of `Enc_b(Message object) + Signature_A(Message object)`.
2024-12-01 19:40:08 +02:00
2025-01-07 18:40:03 +02:00
The server will hold on to the message until B will send a `GetMessages`
request to the server.
NOTE: The server actually doesnt know (and care) how the message is
constructed, allowing the change of the message structure without updating
the server itself.
2024-12-14 17:17:58 +02:00
2025-01-06 20:55:13 +02:00
## Requests
2024-12-14 17:17:58 +02:00
2024-12-17 20:41:30 +02:00
- Register:
data: Phone - 8 bytes, RSA key size (payload length) - 2 bytes
2025-01-07 18:40:03 +02:00
Response: a simple `ValidationRequired`, not implemented as the 6 digit
code covers that.
2024-12-14 17:17:58 +02:00
- ConfirmRegister (signed & encrypted 6 digit code)
2025-01-06 20:55:13 +02:00
data: 6 bytes for the 6 digit code, 4 bytes for signature length
2025-01-07 18:40:03 +02:00
Response: UTF-8 string of either `OK` or `SIG INVALID`, with PKCS7 padding
2025-01-02 18:49:58 +02:00
- Login:
data: 8 bytes of user's phone
2025-01-07 18:40:03 +02:00
Response: 16 bytes to be signed, no padding (1 block)
2025-01-02 18:49:58 +02:00
- ConfirmLogin (signed hash):
data: hash length
2025-01-07 18:40:03 +02:00
Response UTF-8 string of either `OK` or `INVALID SIG`, PKCS7 padding
2024-12-17 20:41:30 +02:00
- GetMessages:
data: EMPTY
2025-01-07 18:40:03 +02:00
Response: 8 shorts, appended with the messages themselves.
The last short marks if there are more messages to be read, the rest
are the lengths of each corresponding message (by order).
No padding as only the 8 shorts are encrypted using the session key.
2025-01-06 20:55:13 +02:00
- GetUserKey:
2024-12-14 17:17:58 +02:00
extra data: 8 bytes (4 bits per digit) of whoever we want to get the key of
2025-01-07 18:40:03 +02:00
Response: The key, PKCS7 padded
2025-01-06 20:55:13 +02:00
- SendMessage:
2024-12-17 20:41:30 +02:00
extra data: 8 bytes (4 bits per digit) of who to send the data, 4 bytes (32bit) for length in bytes
2025-01-07 18:40:03 +02:00
Response: NONE
Request format (see `lib/Request.cs:3` - `#RequestType` for request type numbers):
2024-12-14 17:17:58 +02:00
```
{
2025-01-06 20:55:13 +02:00
Version byte (0) - 1 byte,
2024-12-14 17:17:58 +02:00
RequestType - 1 byte,
2025-01-06 20:55:13 +02:00
looping counter - 1 byte,
2024-12-17 20:41:30 +02:00
data - up to 13,
} = 16 bytes = 128 bits
2024-12-14 17:17:58 +02:00
```
2024-12-17 20:41:30 +02:00
2025-01-07 18:40:03 +02:00
The SendMessage payload structure can be seen in `client/Message.cs:55` in
the `Bytes()` function.
The binary format contains:
- 1 version byte
- 4 bytes for a message ID
- 8 bytes for the sender's phone number
- 1 byte for flags (IsAck)
- The rest is filled with the message itself
## Notes and assumptions
- Print statements are color coded: RED - unencrypted, GREEN - encrypted, ORANGE - General server stuff, WHITE - Messages.
- The given code does not handle errors nicely (connection will simply shutdown and client will crash).
- Stream handling is also not ideal, as both server and client reads all
that was sent and not actually read only the amount needed.
- Client does not get messages automatically,
instead a `/get` command (among others such as `/pull` and `/fetch`) are
present in order to get new messages from the server
- The client does not handle getting message properly, as not extra reading
and no proper buffering is being done (if the incoming messages are
too long for the buffer, it will crash).
- The server does not save its current data and does not load from disk.
Saving the data and is not as trivial as in python since the RSA class
does not contain a constructor.
# Part 3
Availability cannot be guaranteed, as the server can always get hit by a rocket,
a malicious actor can attempt to scramble or change the packets in transit (which only
a reconnect attempt can really solve this, assuming the connection will not be tempered with
this time), the client's or server's area might have an extended power/internet outage and a meteor might hit earth and society might collapse.