FIles from tar gz:

1) func_desc.txt:

Built in functions information:

We will give a brief description of the merely built in functions you are allowed to use. You can find information on most of the built in functions we are using in the sample source codes at http://www.openssl.org/docs/crypto/crypto.html

- des_encrypt1 You will use a built in function called des_encrypt1 to do the actual DES encryption / decryption. As a reference on how to use this function, you can view the file tempdes.c.

des_encrypt1(long *data, des_key_schedule *ks, int enc)

a. data: This argument is a pointer to a two element array of type long (4 bytes) that will contain the data you will read from the file but packed in a type long variable. NOTE: Characters are loaded into this function in little endian format. For example, the string {0xA0,0xB7,0x07,0x08} is 08 07 B7 A0 in little endian format (least significant bit goes first). b. ks: is a pointer to the actual key array. Don.t worry about this argument data type. c. enc: has a value of 1 for encryption and 0 for decryption.

- des_set_key_checked This function will check that the key passed is of odd parity and is not a week or semi-weak key. If the parity is wrong, then -1 is returned. If the key is a weak key, then -2 is returned. If an error is returned, the key schedule is not generated.

des_set_key_checked(const_des_cblock *key, des_key_schedule *schedule) a. key: is a pointer to the actual key array. Don.t worry about this argument data type. b. schedule: is the new key, that will be used as an input argument to the function des_encrypt1

NOTE: On the Openssl web page, you might notice that the DES built in functions are written different than what we are showing here. For example, "des_encrypt1" is written as "DES_encrypt1" on the web page. This is because the server where we will test your code has an older Openssl version installed, so it does not accept the new format. Please keep using the format we are presenting here.

- RSA_generate_key This function will generate the public and private keys

RSA_generate_key(int num, unsigned long e, void (*callback)(int,int,void *), void *cb_arg) a. num: size (in bytes) of the public key b. e: value of the public exponent c. callback: Don't worry about this argument. Assign the value NULL d. cb_arg: Don't worry about this argument. Assign the value NULL

- RSA_public_encrypt This function will encrypt data using an RSA public key

RSA_public_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding) a. flen: number of bytes to encrypt b. from: buffer with data to encrypt c. to: buffer with data to decrypt d. rsa: pointer to the key data structure e. padding: Don't worry about this argument. Assign the following value to it: RSA_PKCS1_PADDING

- RSA_private_decrypt This function will decrypt data using an RSA private key

RSA_private_decrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding) a. flen: number of bytes to encrypt b. from: buffer with data to encrypt c. to: buffer with data to decrypt d. rsa: pointer to the key data structure e. padding: Don't worry about this argument. Assign the following value to it: RSA_PKCS1_PADDING

- Sha1_Init This function will initialize some data structures necessary for the generation of the digest

Sha1_Init(SHA_CTX *c) a. c: initialize the SHA_CTX structure

- Sha1_Update This function will be called repeatedly using a block of certain size that have been read from the input file, to generate the digest

Sha1_Update(SHA_CTX *c, const void *data, unsigned long len) a. c: pointer to the data structure initialized by SHA1_Init b. data: buffer with the chunk of data to take the digest from c: len: size of buffer with chunk of data

- Sha1_Final This function will copy the resultant digest to an output buffer and will release any memory space used for the data structures created with SHA1_Init

Sha1_Final(unsigned char *md, SHA_CTX *c) a. md: output buffer b. c: pointer to the data structure initialized by SHA1_Init

2) README

README

In this folder you will find the following files:

- tempdes.c : is a sample code for encrypting / decrypting using DES - temprsa.c : is a sample code for encrypting / decrypting using RSA - tempsha1.c : is a sample code for digest generation using SHA1 - test.txt,test2.txt,test3.txt: are sample plain text files to test your code - test.des,test2.des,test3.des: are DES encrypted versions of files test.txt,test2.txt,test3.txt. Key and IV values used are as follows. - Key = 40fedf386da13d57 (Hexadecimal values) - IV = fedcba9876543210 (Hexadecimal values) - func_desc.txt: Brief description of built in functions you are allowed to use.

All the c codes can be compiled and executed using the following commands:

- In the linux command line, execute "gcc -o tempdes tempdes.c -lcrypto", where tempdes.c is the source code and tempdes is the name of the executable that sill be generated This command will compile your code and generate an executable. - To execute the program you just created (tempdes in our example), in the linux command line write "./tempdes"

3) tempdes.c

#include

#define ENC 1 #define DEC 0

int main() { int k; long in[2]; static unsigned char cbc_key[8] = {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; des_key_schedule key;

if ((k = des_set_key_checked(&cbc_key,key)) != 0) printf(" key error ");

in[0] = 3212314; in[1] = 1231233;

printf("DES Clear Text: %ld%ld ",in[0],in[1]); des_encrypt1(in,key,ENC);

printf("DES Encryption: %u%u ",in[0],in[1]);

des_encrypt1(in,key,DEC); }

4) temprsa.c

#include #include #include

int main() { RSA *key; unsigned char rbuff[] = "RSA Clear Text"; unsigned char wbuff[256]; unsigned char exbuff[256]; int num,i; static const char rnd_seed[] = "string to make the random number generator think it has entropy";

printf("Clear Text: %s ",rbuff);

memset(wbuff,0,sizeof(wbuff)); memset(exbuff,0,sizeof(exbuff)); RAND_seed(rnd_seed, sizeof rnd_seed); if( (key = RSA_generate_key(2048,3,NULL,NULL)) == NULL) printf(" error generating key ");

num = RSA_public_encrypt(sizeof(rbuff),rbuff,wbuff,key,RSA_PKCS1_PADDING);

printf("RSA Encryption:"); for(i=0;i

num = RSA_private_decrypt(sizeof(wbuff),wbuff,exbuff,key,RSA_PKCS1_PADDING);

RSA_free(key); }

5) tempsha1.c

#include #include #include

int main() { int i; unsigned char rbuff[]="SHA-1 Clear Text"; unsigned char wbuff[20]; SHA_CTX c;

memset(wbuff,0,sizeof(wbuff));

SHA1_Init(&c); SHA1_Update(&c,rbuff,sizeof(rbuff)); SHA1_Final(wbuff,&c);

printf("Clear text: %s ",rbuff); printf("SHA-1 digest:"); for (i=0;i

6) test.txt

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

7) test2.txt

Cybersecurity improvements could strengthen systems By Ben Steckler Assistant Campus Editor

A report approved by a presidential advisory committee said the government is not spending enough to support cybersecurity.

The President's Information Technology Advisory Committee's report concludes that the computer infrastructure supporting the nation financial, utility and telecommunications systems is vulnerable to terrorist and criminal threats.

Eugene Spafford, executive director of Purdue's Center for Education and Research in Information Assurance and Security, was on the committee that made recommendations to improve cybersecurity in key areas of the country.

"Parts of it are extremely vulnerable," Spafford said. "Many of the things we consider to be critical infrastructures have little or no security in place."

Spafford said the threats to the nation's computer systems are not just from terrorists or criminals.

"There are a number of concerns related to just general espionage, some of it is company against company and some of it is country against country."

"It's been a concern of many of us for literally decades. But there's been a growing awareness over the last couple of years," Spafford said.

Spafford said the threat from cyberterrorism was an issue, but not one of prime importance.

"Cyberterrorism by itself, at least in my estimation, is not a big threat," Spafford said.

The most dangerous aspect of an act of cyberterrorism, Spafford said, was the possibility of it coming into conjunction with a separate incident. The point of the cyberterrorism would then be slowing the emergency response, Spafford said.

The report also called for the government to better support research in cybersecurity.

"There's been very little money to support research in that arena from the government or industry," Spafford said. He also attributed some of the lack of research to government policy.

"The government in general has discouraged some civilian research in that area."

Pascal Meunier, an assistant research scientist, said the political environment isn't facilitating research.

"It is difficult for an academic institution to do research on cyberterrorism, because academics need to publish and discuss ideas publicly, whereas results on cyberterrorism would tend to get classified," Meunier said.

"Even results from doing an ordinary risk assessment are usually kept confidential."

Despite the difficulties in funding and public discourse, Spafford said the current state of security needs to be improved to prevent criminal attacks, not just terrorism.

"My personal belief is that we have far more threat from criminal acts than we do terrorism," Spafford said. "We don't have to speculate on terrorists to have a real problem that needs addressing."

8) test3.txt

Clear skies for Area 51 hacker

Federal prosecutors formally dropped charges this month against an amateur astronomer who exposed a buried surveillance network surrounding the Air Force's mysterious "Area 51" air base in Nevada.

Chuck Clark, 58, was charged in 2003 with a single count of malicious interference with a communications system used for the national defense, after prosecutors held him responsible for the disappearance of one of the wireless motion sensors buried beneath the desert land surrounding the facility.

In a deal with the government last January, Clark agreed to enter a one-year term of "pretrial diversion" -- a kind of probation -- and to either locate and return the lost device, or make financial restitution to the Air Force. "He paid for the missing sensor, and complied with the conditions of his pretrial diversion and the case was dismissed," says Natalie Collins, a spokesperson for the U.S. Attorney's Office in Las Vegas.

Clark was already known to Area 51 buffs as an expert on the spot the government calls the "operating location near Groom Lake, Nevada," when, in 2003, he discovered an electronic device packed in a rugged case and buried in the desert, given away only by a slender wisp of an antenna poking through the dirt.

Along with fellow base-watcher Joerg Arnu, Clark began mapping the sensors, using a handheld frequency counter to sniff out their tell-tale radio transmissions, Arnu said in an interview last year. Together they exhumed as many as 40 of the boxes, noted their unique three-digit codes, then reburied and tested them, said Arnu.

The sensors -- an estimated 75 to 100 of them in all -- were marked "U.S. Government Property." In some cases they were planted miles outside Groom Lake's fence line on public land used by hikers and photographers, as well as the occasional tourist hoping for a Close Encounter.

On March 12th, 2003 one of the sensors went missing, according to the government. FBI and Air Force agents descended on Clark's trailer home in tiny Rachel, Nevada -- 100 miles north of Las Vegas along the Extraterrestrial Highway -- and prosecutors later filed the felony charge against Clark. As part of the deal settling the case, Clark was barred from interfering with any of the sensors or otherwise breaking the law, and was obligated to keep the court apprised of his whereabouts during his year of supervision.

Shrouded in official secrecy, the Groom Lake facility has become a cultural touchstone for UFO mythology. But the base is generally believed to be dedicated to the more terrestrial mission of testing classified aircraft.

Clark's emancipation from government scrutiny comes well in time for Area 51's unofficial 50th anniversary campout, planned for Memorial Day weekend, and likely to draw tourists, UFOlogists, and exotic aircraft buffs from all over. They'll celebrate with "a campfire with live music" outside the base's main gate, according to the event website. "Be sure to respect the Area 51 boundaries," the site suggests. "If you see the warning signs you have gone too far."

1. General Description The notion of cryptography consists of hiding secret information from non-trusted peers by mangling messages into unintelligible text that only trusted peers can rearrange. In this lab, we will use and compare three different techniques commonly employed to hide or encrypt information: secret-key eryptography (DES). public key cryptography (RSA) and meige digests (SHA-1) There is a group of built-in functions that will help you complete this assignment. These functions are included in OpenSSL. OpenSSL is an open-source toolkit that implements security protocols such as SSL but also includes a general-purpose eryptography library which you will use. OpenSSL is usually part of most of the recent Linux distributions. 2. File with sample codes and results We are giving a group of files (compressed in tar.gz) as a reference on how to use certain built-in functions that we will mention in this handout and that you must use in your implementations. These files are just skeletons that you should modify in order to obtain the expected results. Included in the compressed file is also a test case for your DES-CBC implementation (test.txt and test,des) and a file with general 2. File with sample codes and results We are giving a group of files (compressed in targz) as a reference on how to use certain built-in functions that we will mention in this handout and that you must use in your implementations. These files are just skeletons that you should modify in order to obtain the expected results. Inchuded in the compressed file is also a test case for your DES-CBC implementation (test.txt and test.des) and a file with general descriptions of some built in functions. 3. DES encryption / decryption In this part of the lab, we will-be coding a tool to encrypt and decrypt files using DES in mode CBC (Cipher Block Chaining), "tempdes. c" is a skeleton file that encrypts/deerypts a fixed 64-bit block. In this assignment, you will extend this skeleton code to take an abitrarily sized imput file and encrypt/decrypt it, by implementing the Cipher Block Chaining DES mode of operation. You must actually implement the CBC mode, and you are not allowed to use any built-in function besides what is present in tempdes.c. You can find information about DES-CBC in youtextbookk. You may want to check your work against the input file "test.txt". If you have implemented the algorithm correctly, you should get the output in "test.des". These files are part of labl.tar gz. 3.1 Requirements a. Just use the built in functions that appear in tempdes.e b. Your code should result in an executable of the following form: tempdes iv key inputfile outputfile The parameters description is as follows: - iv: the actual IV to use; this must be represented as a string comprised only of hexadecimal digits. - key: the actual key to use; this must be represented as a string comprised only of hexadecimal digits. - inputfile: imput file name - outputfile: output file name For example: Jtempdes fecdba9876543210 0123456789 abedef test.txt test.des If any of the arguments is invalid, your code should return an appropriate message to the user. Be sure to consider the case when the keys are invalid. 4. Performance measures for DES, RSA and SHA1 The final past of this lab consist on measuring the time DES, RSA and SHA-I take to process files of different sizes. a. Generate text files with the following sizes: - For DES (in bytes): 8, 64, 512, 4096,32768,262144, 2047152 - For SHA-1 (in bytes): 8, 64, 512,4096,32768, 262144, 2047152 - For RSA (in bytes): 2,4,8,16,32,64,128 b. Encrypt and decrypt all these files using the DES function that you wrote in part 3. Measure the time it takes to encrypt and decrypt each of the files. To do this, you might want to use the C function "gettimeofday". Add these timing functions to your implementation of part 3 . c. Measure the time for RSA encryption and decryption for the file sizes listed in "temprsa.c". This skeleton code shows how to use built-in RSA encryption and decryption functions, but you will need to augment it to allow for reading from arbitrary files, and to insent necessary instrumentation code for timing purposes. d. Measure the time for SHA-1 hash generation for the file sizes listed in part a. To do this, make appropriate changes to the file "tempshal c". This skeleton code shows how to use built-in SHA-1 hashing functions, but you will need to augment it to allow for rading from abbitrary files, and to insert necessary instrumentation code for timing purposes. e. Prepare a report of your observations in the format requested tuder "Deliverables" (section 6). 5. Non-Programming Problems: a. Suppose the DES mangler fumction (or function F) mapped every 32 bit value to zero, regardless of the value of its imput. How does the output after Round 16 of DES compare to the input at the start of Round 1 of DES? Show your work and provide appropriate explanations. b. Consider the following message digest (hash) function: Take the input messages, and divide it into 128-bit chunks. XOR all the chunks together to get a 128-bit result. Run a standard message_digest aleorithm_on the resalt. Is this-a eood 4. Iveasure the time for SHA-1 hash generation for the file sizes listed in part a. To do this, make appropriate changes to the file "tempshal.c". This skeleton code shows how to use built-in SHA-1 hashing functions, but you will need to augment it to allow for reading from arbitrary files, and to insert necessary instrumentationcode for timing purposes. e. Prepare a report of your observations in the format requested under "Deliverables" (section 6). 5. Non-Programming Problems: a. Suppose the DES mangler fumction (or function F) mapped every 32 bit value to zero, regardless of the value of its input. How does the output after Round 16 of DES compare to the input at the start of Round I of DES? Show your work and provide appropriate explanations. b. Consider the following message digest (hash) function: Take the input messages; and divide it into 128-bit chunks. XOR all the chunks together to get a 128-bit result. Run a standard message digest algorithm on the result. Is this a good message digest function? c. Perform encryption and decryption using the RSA algorithm for the followme: p=3,q=11,e=7,M=5. Please show all the steps in a systematic fashion, like in page 270 of the Stallings textbook. d. In the public-key system using RSA, you intercept the cipher text C=10 sent to a user whose public key is e=5,n=35. What is the plaintext M ? Show the steps. 6. Deliverables: a. A physical copy of the file tempdes.c, submitted using the "turnin" command. Name your file 1> des.c, where loginl and login2 are login names of the two member of the goup. For example: samjay rtorresg des.e b. Printout. Turn in a typed report with the following information: - C code implemented in parts 3,4.c and 4.d - Graphs showing: (i) DES encryption / decryption times: (ii) RSA encryption times; (iii) RSA decryption times; and (iv) SHA1 digests generation times, In each of these graphs, the X axis should plot the file sizes in units of bytes, and the Y axis should plot time measurements in units of microseconds (s). - Answer the following questions: - Compare DES eneryption and RSA encryption. Explain your observations. - Compare DES encryption and SHA-1 digest generation. Explain your observations. and the Y axis should plot time measurements in units of microseconds (s). - Answer the following questions: - Compare DES encryption and RSA encryption. Explain your observations. - Compare DES encryption and SHA-1 digest generation. Explain * your observations. - Compare RSA eneryption and decryption times. Can you explain your observations? [Hint: Refer to section 6.3.4.3 of the book "Network Security, private communication in a public world" by Kaufman. Perlman and Speciner.] - Answers to all non-programming problems in Part 5. 7. Note on Grading Points will be deducted if any of the deliverables in Section 6 is missing. Futher, points will be deducted if the program implemented in section 3 - Does not have a name as specified in section 6 a, (or) - Does not compile (or) - Does not produce the expected results. Please make sure you compare your results against the given test case