In this assignment, we put ourselves in the shoes of cryptographic engineers. The goal is to gain experience with the uses of cryptography in practise. We’ll use standard tools, and finish securing PayBud by adding SSL/TLS, hashing, and secure password storage.

Description

Here.

Notes

  • gpg tasks

    • decrypt symmetric.txt.gpg. It is encrypted with a symmetric key, defined by the passphrase " takethis " (w/o quotations).

    • create a text file link:assignments/mysymmetric.txt. Include your name in it (you are welcome to include other things in the file, as long as it’s legal and not huge). Encrypt mysymmetric.txt with passphrase " takethis`` ".

    • create a public/private key pair, with your name & e-mail. Import Bob’s public key. Copy mysymmetric.txt to mypublic.txt. Encrypt mypublic.txt to Bob’s public key, and sign with your private key. Save the resulting file as mypublic.txt.gpg. (here’s Bob’s private key, in case you want to sanity-check; it’s password is " happytrees ")

  • server code (paybud.p12 in case you get stuck creating it)

    • to import the changes into your version of PayBud from A3: The new code is at the start of imports, at the start of main, and the cookie creation/validation code. Furthermore, the static files changed.

  • exploit demo

  • paybud.db, now with salt.

  • offline dictionary attack

    • if you want to dictionary attack PayBud, modify the following command accordingly. (delete ~/.john/john.pot to re-crack the hashes). here’s users.txt.

      $ john --wordlist=/usr/share/john/password.lst users.txt