CS99M:   Project


Pick one of the following three projects.  The goal in the first two projects is to give you some hands-on experience with crypto programming.  There is no need to go overboard with features, etc.

Due date:  Wednesday, Dec. 8th.
What to submit for project 1&2:  A short description of what you did.  Source code.


Project 1:  Secure Tunnel

The goal is to build a secure tunnel that can be used transparently by many applications such as a POP3 mail reader, ftp, etc. The secure tunnel is made up of two components: tunnel-server and tunnel-client.  Tunnel-client runs on the client machine and waits for a connection from an application (e.g. a mail reader).  When a connection to a local port is received the tunnel-client looks up the port number in an internal table and determines the name and port number of the remote service to contact. For example, the table might say that the local POP3 port is mapped to the POP3 port on the host The tunnel-client then connects to the tunnel-server on the remote host (e.g., establishes a secure session with the tunnel-server, and functions as a relay between the application and the remote service (e.g. the POP3 server). On the remote host, the tunnel-server accepts the connection from the client, establishes a secure session with the client and connects to the local service port (e.g. the local POP3 port).  From that point on the tunnel-server acts as a relay between the remote application and the local service.  The picture looks as follows:

You can implement the secure tunnel using either C or Java.  The implementation is likely to be easier using Java.

  • If you choose to use Java.

    • The easy solution: download SSLava from .  Use SSLava to establish a secure connection between the tunnel-client and tunnel-server.

    • Doing it yourself:  try to design a secure session-key exchange yourself and encrypt all communication using the session-key.  To do so, use the Java Crypto Extension (JCE),  see , which has support for Diffie-Hellman key-exchange and symmetric ciphers.

    • Most of the network code can be significantly simplified by using Java's Remote Method Invocation (RMI).  Look for the appropriate documentation and examples on .


  • If you choose to use C or C++.

    • The easy solution:  download OpenSSL from .  Use OpenSSL to establish an SSL connection between the tunnel-client and tunnel-server.

    • Doing it yourself:  use the public-key and symmetric-key functions available with OpenSSL to design and implement a secure connection.

    • Documentation for OpenSSL is a bit sparse.  See for more information.

    • Don't cheat by looking at the stunnel implementation.
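
For the Java "doing it yourself" option above, a sketch of a Diffie-Hellman session-key exchange followed by one encrypted record, using only JCE classes. This is an added example, not code from the course; the class name DhSessionDemo and the sample POP3 line are constructed, and both tunnel ends run in one process with byte arrays standing in for the socket.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.*;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DhSessionDemo {  // hypothetical name
    // Finish the agreement with the peer's public key and hash the raw
    // shared secret down to a 128-bit AES session key.
    static SecretKey sessionKey(PrivateKey mine, PublicKey peer) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(mine);
        ka.doPhase(peer, true);
        byte[] h = MessageDigest.getInstance("SHA-256").digest(ka.generateSecret());
        return new SecretKeySpec(h, 0, 16, "AES");
    }

    public static void main(String[] args) throws Exception {
        // tunnel-client: ephemeral DH key pair; the encoded public key goes on the wire.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(2048);
        KeyPair client = kpg.generateKeyPair();
        byte[] clientMsg = client.getPublic().getEncoded();

        // tunnel-server: decode it and generate its own pair in the same group.
        // (A deployed server should pin a known group, not accept the client's.)
        KeyFactory kf = KeyFactory.getInstance("DH");
        PublicKey clientPub = kf.generatePublic(new X509EncodedKeySpec(clientMsg));
        KeyPairGenerator skpg = KeyPairGenerator.getInstance("DH");
        skpg.initialize(((DHPublicKey) clientPub).getParams());
        KeyPair server = skpg.generateKeyPair();
        byte[] serverMsg = server.getPublic().getEncoded();

        SecretKey kServer = sessionKey(server.getPrivate(), clientPub);
        SecretKey kClient = sessionKey(client.getPrivate(),
                kf.generatePublic(new X509EncodedKeySpec(serverMsg)));

        // client -> server: one relayed record under AES-GCM, fresh 96-bit nonce.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, kClient, new GCMParameterSpec(128, iv));
        byte[] record = enc.doFinal("USER alice\r\n".getBytes(StandardCharsets.US_ASCII));

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, kServer, new GCMParameterSpec(128, iv));
        System.out.println(new String(dec.doFinal(record), StandardCharsets.US_ASCII).trim());
    }
}
```

The exchange as written does not authenticate either end, so each side knows only that it shares a key with whoever sent the other public value; a real tunnel also has to verify the peer's identity and must never reuse a nonce under the same key.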


Project 2:  Authenticated Tunnel

The project framework is similar to the secure tunnel.  You will build an authentication-server and an authentication-client. The picture above applies equally to the authenticated tunnel.  Your goal is to enable the authentication-client to prove its identity to the authentication server. For example, you could use Fiat-Shamir authentication.  In this case, the authentication-client has a Fiat-Shamir private-key, while the authentication-server has the corresponding Fiat-Shamir public key.  You will implement the authentication protocol.  If you wish, you are free to choose other authentication protocols.

It is recommended that you implement the authentication tunnel in Java.  Use the BIGINT type to perform the required arithmetic operations.  In addition to the authentication tunnel code you will need to write a short utility to generate a public/private key pair and write them to files.  The public key file is given to the server while the private key file is given to the client.
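
The key generation and the Fiat-Shamir rounds described above, as an added example that is not code from the course. It assumes the variant with public key (N, v = s^2 mod N) and one challenge bit per round; the class name FiatShamirDemo is hypothetical, keys stay in memory instead of being written to files, and both parties run in one process.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

public class FiatShamirDemo {  // hypothetical name
    static final SecureRandom RNG = new SecureRandom();

    // Random element of Z_N^*: nonzero and coprime to N.
    static BigInteger randomUnit(BigInteger n) {
        BigInteger r;
        do {
            r = new BigInteger(n.bitLength() + 64, RNG).mod(n);
        } while (r.signum() == 0 || !r.gcd(n).equals(BigInteger.ONE));
        return r;
    }

    // Key generation utility: returns {N, v, s}. (N, v) goes to the server,
    // s stays with the client. p and q are discarded after N is formed.
    static BigInteger[] keyGen(int bits) {
        BigInteger p = BigInteger.probablePrime(bits / 2, RNG);
        BigInteger q = BigInteger.probablePrime(bits / 2, RNG);
        BigInteger n = p.multiply(q);
        BigInteger s = randomUnit(n);
        return new BigInteger[] { n, s.multiply(s).mod(n), s };
    }

    // One round; the server sees only x, b and y.
    static boolean round(BigInteger n, BigInteger v, BigInteger s) {
        BigInteger r = randomUnit(n);                   // client: fresh r every round
        BigInteger x = r.multiply(r).mod(n);            // client -> server: commitment
        boolean b = RNG.nextBoolean();                  // server -> client: challenge bit
        BigInteger y = b ? r.multiply(s).mod(n) : r;    // client -> server: response
        BigInteger expected = b ? x.multiply(v).mod(n) : x;
        return y.multiply(y).mod(n).equals(expected);   // server: y^2 == x * v^b (mod N)
    }

    static boolean authenticate(BigInteger n, BigInteger v, BigInteger s, int rounds) {
        for (int i = 0; i < rounds; i++) {
            if (!round(n, v, s)) return false;          // reject on the first failed round
        }
        return true;
    }

    public static void main(String[] args) {
        BigInteger[] k = keyGen(2048);
        System.out.println("right key accepted: " + authenticate(k[0], k[1], k[2], 40));
        BigInteger other = randomUnit(k[0]);            // a client holding some other secret
        System.out.println("wrong key accepted: " + authenticate(k[0], k[1], other, 40));
    }
}
```

A client that does not hold s can pass a round only when the challenge bit goes its way, so t rounds leave an acceptance probability of about 2^-t; the fresh r per round matters because reusing r across both challenge values would reveal s.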


Project 3:  A couple of questions

Answer four of the following six questions.  Try to solve these questions yourself.  You are also free to research these questions by looking them up in textbooks and research papers.

Question 1:  Show that 2-key 3-DES can be broken in time  2^56  using a chosen-ciphertext-attack.

Question 2:  bit security of RSA.  Recall that the RSA function is   f(M) = M^e mod N .  This function is easy to compute, but hard to invert without the factorization of N.  However given  f(M)  an attacker may still be able to compute some of the bits of M.  Show that an attacker that always succeeds in computing the least significant bit of  M  given  f(M)  can completely break RSA.  In other words, suppose you are given an oracle that given  f(M)  returns the least significant bit of  M.  Show that using this oracle it is possible to completely invert the function f  (without knowing the factors of  N).

Question 3:  Let  N  be a large modulus.  In class we described a zero-knowledge proof of knowledge for proving knowledge of the square root of  x  modulo  N.   Show a zero-knowledge proof of knowledge for proving knowledge of the fourth root of  x  modulo  N.  Try to minimize the number of rounds in your proof.  Prove security of your protocol by giving a simulator and an extractor.

Question 4:  Given a cryptosystem Ek, define the randomized cryptosystem Fk by 
                    Fk(M)  =  [ Ek(R) ,  R xor M ]
where  R  is a random bit string of the same size as the message. That is, the output of  Fk(M)  is the encryption of a random one-time pad along with the original message XORed with the random pad. A new independent random pad  R  is chosen for every encryption. We consider two attack models. The goal of both models is to reconstruct the actual secret key  k  (this is a very strong goal - one might be able to decrypt messages without ever learning  k ):

  • In the key-reconstruction chosen plaintext attack (KR-CPA), the adversary is allowed to generate strings
    M1, M2, ... and for each  Mi  learn a corresponding ciphertext.
  • In the key-reconstruction random plaintext attack (KR-RPA), the adversary is only given random plaintext/ciphertext pairs.

Note that for the case of  Fk  the opponent has no control over the random pad  R  used in the creation of the given plaintext/ciphertext pairs.  Prove that if  Ek  is secure against KR-RPA attacks then  Fk  is secure against KR-CPA attacks.  Typically proofs of this type are done by proving the contra-positive: show that a KR-CPA attacker on  Fk  gives rise to a KR-RPA attacker on  Ek .

Question 5:  Compare the security features provided by SSL versus those provided by SSH.

Question 6: Factor the following number:

  RSA-232 = 100988139787192354690956489430946858281823382195557395514112051620 \
            583102133852854537436610975715436366491338008491706516992170152473 \
            329438927028023438096090980497644054071120196541074755382494867277 \
            1374075011577182305398340606162079    (digits = 232, bits = 768)
A factorization will get you an automatic `A+' and ten thousand dollars from RSA Labs.