Security and Cryptography (CSS 322)
Assignment 2
Task 1
Complete the following steps:
- Implement RSA in PHP. See the template source code for detailed guidelines and conditions. (Note: after downloading the source code, change the file extension from .txt to .php).
- Generate your own RSA keys (using your PHP code).
- Submit your Public Key and source code via email to steve@siit.tu.ac.th by 8:00am Tuesday 3 February 2009. The email must contain the following (where you replace the example ID 4912345678 with your ID number):
Task 2
By 9am Thursday 5 February 2009, I will publish all public keys on this website (here) in the form of a (simplified) digital certificate. Each certificate will be a string of the form:
PublicKeyOfUser IDOfUser RSA_Encrypt(Hash_Simple(PublicKeyOfUser IDOfUser),PrivateKeyOfSteve)
where:
- PublicKeyOfUser is your Public Key in serialized form
- IDOfUser is your ID
- PrivateKeyOfSteve is my Private Key. My Public Key, in serialized form, is: a:2:{i:0;s:3:"209";i:1;s:5:"73543";}
- RSA_Encrypt() and Hash_Simple() are two PHP functions in your assignment source code.
- Note that the items are separated by a single space.
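One way to parse and check a certificate in this format, as an added example that is not the course template code. Assumptions: `demo_hash()` is a hypothetical stand-in for Hash_Simple() (not defined on this page), the CA key pair is a constructed toy value, the key array order is (exponent, modulus), and the signature is a decimal integer.

```php
<?php
// Added example with constructed toy values; not the course template code.

// Square-and-multiply modular exponentiation (fine for moduli below 2^31).
function mod_pow(int $base, int $exp, int $mod): int {
    $result = 1;
    $base %= $mod;
    while ($exp > 0) {
        if ($exp & 1) { $result = ($result * $base) % $mod; }
        $base = ($base * $base) % $mod;
        $exp >>= 1;
    }
    return $result;
}

// Hypothetical stand-in for Hash_Simple(), which is not defined on this page.
function demo_hash(string $data, int $mod): int {
    $h = 0;
    foreach (str_split($data) as $ch) { $h = ($h * 31 + ord($ch)) % $mod; }
    return $h;
}

// Checks "PublicKeyOfUser IDOfUser Signature"; returns the user's key or null.
function validate_certificate(string $cert, array $caPublicKey): ?array {
    $parts = explode(' ', $cert);
    if (count($parts) !== 3) { return null; }          // exactly three fields
    [$serializedKey, $userId, $signature] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($signature)) { return null; }
    [$caE, $caN] = array_map('intval', $caPublicKey);  // assumed order: e, n
    // Verify the signature before deserializing anything from the certificate.
    $expected = demo_hash($serializedKey . ' ' . $userId, $caN);
    if (mod_pow((int)$signature, $caE, $caN) !== $expected) { return null; }
    // allowed_classes => false: never instantiate objects from untrusted input.
    $key = @unserialize($serializedKey, ['allowed_classes' => false]);
    if (!is_array($key) || count($key) !== 2) { return null; }
    return $key;
}

// Constructed toy CA key pair: n = 61 * 53 = 3233, e = 17, d = 2753.
$caPublic = ['17', '3233'];
$body = serialize(['7', '8633']) . ' 4912345678';  // constructed key, example ID
$cert = $body . ' ' . mod_pow(demo_hash($body, 3233), 2753, 3233); // CA signs

var_dump(validate_certificate($cert, $caPublic) !== null);  // genuine certificate
var_dump(validate_certificate(str_replace('8633', '8634', $cert), $caPublic) !== null); // altered key
```

The signed data is the first two fields joined by the single space, so the check recomputes the hash over exactly that string and only deserializes the key once the signature matches.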
Complete the following steps:
- Download the certificate of another user (known as your partner).
- Validate the certificate of your partner using RSA_ValidateCertificate() (you have to write the RSA_Validate() function yourself - you will also have to write RSA_Sign() for the next part).
- Using RSA, send a signed and encrypted message to your partner via email and CC the email to: me at steve@siit.tu.ac.th; and to your malicious user by 8:00am Tuesday 10 February 2009. The email must contain the following (of course replacing the data with the appropriate values):
The certificates file contains the following information:
- User X's ID, name and email address
- User X's certificate, that is, user X's public key signed by the Certificate Authority. Note that I have formatted the public keys to be a common format, and for several people (those that submitted incorrect or bad public keys in Task 1) I have created new public keys (those people received their public/private key by email from me).
- The ID of the partner for user X. User X can obtain their partner's name, email and certificate from the list.
- An encrypted form of the message that user X will send to their partner. This is encrypted by me (the CA) so that only user X can get the original message. This message is not signed by me.
- The ID of the malicious user for user X. User X can obtain the email address of the malicious user from the list.
Task 3
Complete the following steps:
- Validate and decrypt the message from your partner.
- Write the function RSA_Attack() that a malicious user can apply to try to discover a plaintext message (from a captured ciphertext, and any other public information). Try to develop a generic function which will work efficiently for many different input values (e.g. larger than the values used in this assignment).
- Apply RSA_Attack() to determine the plaintext for the message you intercepted as a malicious user (that is, the email that you were CCed from the other user in Task 2). Note that your attack can only make use of the information that normally would be publicly available to a malicious user (that is, you cannot simply ask your friend what the plaintext is!).
- Email a copy of your PHP code to me at steve@siit.tu.ac.th by 8:00am Tuesday 17 February 2009. The email must contain the following (where you replace the example ID 4912345678 with your ID number):
Marking Scheme
- RSA_Encrypt() and RSA_Decrypt(): 10 marks
- RSA_GenerateKeys(): 10 marks
- RSA_Validate() and RSA_Sign(): 10 marks
- RSA_Attack(): 10 marks
- Following instructions, good code, etc.: 5 marks
- TOTAL MARKS: 45