This project is a comprehensive exploration of cryptographic principles and their application in securing user data. Through a two-part implementation focusing on password storage and Password-Authenticated Key Exchange (PAKE), this project demonstrates robust security practices in application development.
- The first part of the project is the following:
Requirement for the implementation: password storage. Think about it as if you are building an application that has a user system (username and password) and you need to store the password securely. You should implement your solution, taking into account all the attack scenarios we have discussed. Basically, the grade will be scored according to how secure your implementation is. The implementation needs to be runnable, where I can enter my username and password for registration and logging in (the interface can be a web app, a terminal, etc.).
If you are using any cryptographic encryption implementation, you need to use the Google Tink library (except for the hash functions). Implementations using other libraries do not count.
- The second part of the project is the following:
The second part of your project involves Password-Authenticated Key Exchange (PAKE), focusing on securely authenticating users without transmitting passwords in cleartext, even without an encrypted channel. This part delves into Asymmetric PAKE, a method to store user secrets on a server without giving the server access to those secrets. It employs a cryptographic exchange allowing the server to store a "locked" secret envelope, which the user can unlock using their password and a server-known secret key. The process involves Oblivious Pseudo-Random Functions (OPRF) for secure exchanges and outlines steps for registration and login phases, emphasizing the importance of not revealing any additional information beyond whether the password matches the expected value.
We use Docker to run the application for simplicity. You can install Docker from here.
- Download Docker on your computer
- Download the Docker release of the project
- Rename example.env to .env and fill in the environment variables. Then run the following command to start the application:

```
docker compose up
```
All the code is written in Python, and we will be using the following libraries:
- Flask
- PostgreSQL database
- Flask-Login
- Argon2
- Google Tink for all cryptographic operations.
```mermaid
graph LR
    Front[Flask Frontend] <--> Server
    Database[Postgres Database] <--> Server
    Server[Flask Backend] --> Postgres[PostgreSQL database]
    Server[Flask Backend] --> Flask-Login[Flask-Login]
    Server[Flask Backend] --> Argon2[Argon2]
    Server[Flask Backend] --> Tink[Google Tink]
```
Example sequence diagrams:
- Sign up
```mermaid
sequenceDiagram
    User->>Server: Hello I want to signup I'm Bob with password "1234"
    Server-->>Server: Hash the password with salt
    Server-->>Database: Store: hashed password & salt
    Server-->>Server: Generate a session token
    Server-->>Database: Store: session token
    Server-->>User: Welcome Bob | send the session token
```
- Log in
```mermaid
sequenceDiagram
    User->>Server: Hello, I'm Bob with password "1234"
    Server-->>Database: Retrieve: hashed password & salt
    Server-->>Server: Hash the password with the retrieved salt
    Server-->>Server: Compare the hashed password with the one in the database
    Server-->>Database: Generate a session token
    Server-->>User: Welcome Bob | send the session token
```
- Registration with PAKE
```mermaid
sequenceDiagram
    User->>Server: Initiate signup with username "Bob"
    User->>Server: Perform OPRF with password "1234"
    Server-->>User: Respond with OPRF result, storing public key
    User-->>User: Generate private/public key pair
    User-->>Server: Send encrypted envelope with public key
    Server-->>Database: Store user's OPRF key, public key, and encrypted envelope
```
- Login with PAKE
```mermaid
sequenceDiagram
    User->>Server: Initiate login with username "Bob"
    User->>Server: Perform OPRF with password "1234"
    Server-->>Database: Retrieve OPRF key, public key, and encrypted envelope
    Server-->>User: Send OPRF result and encrypted envelope
    User-->>User: Decrypt envelope, retrieve keys
    User->>Server: Start AKE protocol with server, establish shared secret
    Server-->>User: Confirm login, generate session token
```
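
The "Perform OPRF" step that both PAKE flows above rely on, as an added sketch that is not part of the project's code: the client blinds the hashed password, the server applies its per-user key, and the client unblinds the result into the key that locks and unlocks the envelope. The group (integers modulo 2^521 - 1), the function names and the domain-separation labels are assumptions made for this illustration; that group is not of prime order, so a real implementation would use a standardized prime-order group such as those in RFC 9497.

```python
import hashlib
import math
import secrets

# Toy group, an assumption of this sketch: integers modulo the Mersenne prime
# 2**521 - 1. Its order is not prime, so this shows the algebra only and is
# not a secure OPRF group.
P = 2**521 - 1
ORDER = P - 1  # order of the multiplicative group modulo P

def hash_to_group(password: str) -> int:
    """Map the password to a non-zero element modulo P."""
    digest = hashlib.sha512(b"toy-oprf-h2g|" + password.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % ORDER

def client_blind(password: str):
    """Return (r, H(pw)^r); only the second value is sent to the server."""
    h = hash_to_group(password)
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:  # r must be invertible to unblind later
            return r, pow(h, r, P)

def server_evaluate(blinded: int, oprf_key: int) -> int:
    """Server side: raise the blinded element to the per-user OPRF key."""
    return pow(blinded, oprf_key, P)

def client_finalize(password: str, r: int, evaluated: int) -> bytes:
    """Strip the blind to get H(pw)^k, then hash it into a 32-byte key."""
    unblinded = pow(evaluated, pow(r, -1, ORDER), P)
    material = password.encode() + b"|" + unblinded.to_bytes(66, "big")
    return hashlib.sha256(b"toy-oprf-out|" + material).digest()

def oprf_exchange(password: str, oprf_key: int):
    """Run one exchange; return what the server saw and the client's key."""
    r, blinded = client_blind(password)
    evaluated = server_evaluate(blinded, oprf_key)
    return blinded, client_finalize(password, r, evaluated)

if __name__ == "__main__":
    k = secrets.randbelow(ORDER - 1) + 1  # per-user key the server stores
    seen_reg, key_reg = oprf_exchange("1234", k)      # registration
    seen_login, key_login = oprf_exchange("1234", k)  # later login
    _, key_wrong = oprf_exchange("12345", k)          # mistyped password
    print("same envelope key on login:", key_reg == key_login)
    print("wrong password gives another key:", key_reg != key_wrong)
    print("server saw different messages:", seen_reg != seen_login)
```

The server only ever handles the blinded element and its own key, while a wrong password yields a key that fails to open the stored envelope.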