This is the project for the CSE451 Computer and Networks Security course taught by Prof. Dr. Ayman Bahaa at the Faculty of Engineering, Ain Shams University. In this project, we implement secure file transfer and authentication over FTP using from scratch implementations of DES, AES, and an algorithm of our own with a GUI application to enable users to securely upload and retrieve files from the FTP server.
- We have content that we wish to transfer via vanilla FTP securely.
- We obtain a master key unique to us whose usage will be discussed later.
- The content is split into
Nparts whereN = content size in bytes / 16such that these parts are cycled in a round robin fashion through three block cipher cryptography algorithms that we implemented from scratch which are our custom algorithm, DES, and AES (128-bit key version). Parts are either split in two into our custom algorithm and DES (which both take 8 bytes of input plaintext) or taken as a whole by AES (for 16 byte plaintext input). - We apply PKCS5 padding in this process and use ECB for the block cipher mode of operation.
- The three algorithms use keys that are randomly generated on the fly, which are then concatenated into one entity and encrypted with the aforementioned master key using AES 256-bit with PKCS7 padding and ECB mode of operation.
- Now we have two files: An encrypted data file and an encrypted keys file.
- For the data file, we simply invoke the
STORcommand to store it on the vanilla FTP server. - For the keys file, we request the public certificate of the FTP server such that we encrypt the master key with it using RSA, then upload that to the FTP server.
- On the receiving end, to request a file a user must first request the master key, and they do so by sending their public certificate to the FTP server such that it can be encrypted and sent to the user to decrypt at their end.
- As for the data file, it is afterwards fetched with a
RETRcommand then decrypted using the keys that would be unconcatenated and decrypted using the master key obtained in the previous step.
Note that the FTP server can be hosted on one of the clients' ends, or as a separate node (which is the case in our project as we deployed the server over an Azure VM) while still being secure in both cases.
Here is another representation of the operational summary through a collaboration diagram for any two clients and a server:
And here is a sequence diagram for the exchange protocol for the master key:
Note that lots of socket programming went into the master key exchange protocol, and we also devised an exchange protocol for the data and keys files, but did not use it since we are using FTP anyway.
Here's a quick demo for a full run of uploading and encrypting a file on the FTP server backend and requesting, downloading, and decrypting it on the client.
2023-01-25-02-30-16.mp4
The code has been made to be self-explanatory with regards to our custom cryptography algorithm, so please feel free to go through it. It is heavily based on the use of RNGs and influenced by both DES and AES (for the prior's use of Feistel structures, and the latter's use of simple yet effective substitution-permutation combinations).
The following video summarizes the encryption path of the algorithm for one inner round from its rounds. It is easy to deduce the decryption path from it also.
Custom.algorithm.one.round.example.mp4
ftp_testjust tests raw file list retrieval from the FTP server and a dummy upload.round_robin_crypto_jpg_testtests the encryption and decryption of a.jpgimage (Linux's Tux!) using the round robin algorithm.round_robin_crypto_txt_testtests the encryption and decryption of a.txtfile using the round robin algorithm.des_test_zerostests DES encryption and decryption of a block of zeros (check if plaintext recovery is ok and cross-check ciphertext with external tool).aes128_test_zerostests AES encryption and decryption of a block of zeros (check if plaintext recovery is ok and cross-check ciphertext with external tool).custom_algo_internal_testinvokes theinternal_testof our custom algorithm which prints out a very verbose log of each round and its inner rounds through the encryption and decryption processes of a randomly generated block of plaintext and randomly generated seed key.custom_algo_test_zerostests our custom algorithm's encryption and decryption of a block of zeros (check if plaintext recovery is ok).custom_algo_avalanche_effect_testtests all-zeros, one-bit-flip in message, and one-bit-flip in key to demonstrate the strength of the custom algorithm's avalanche effect.custom_algo_avalanche_effect_test2is a stronger test than the previous one, encrypting 1000 different plaintexts and comparing each to get the minimum, maximum, mean, and median statistics of no. of bits changed between every two consecutive ciphertexts, again to demonstrate the strength of the custom algorithm's avalanche effect.- In the GUI, there's an
Unsecure Uploadbutton to test the integration of the FTP server in the backend with the file browse and upload GUI in the frontend without performing any encryption along the way.
The GUI was made using ttkbootstrap which is a wrapper around the tkinter library for python.
The following libraries and tool were used:
python-ftp-serverandvsftpdfor hosting the FTP server.ftplibfor the FTP client code.ttkbootstrapandtkinterfor the GUI.osfor browsing file to upload / folder to download.threadingfor multi-threaded GUI to avoid hanging during encryption / decryption / upload / download / file list retrievel.numpyfor the implementation of DES, AES128, our custom algorithm, and the round robin crypto algorithm.pickleandsocketfor socket programming for master key exchange protocol.pycryptodomeandpyca/cryptographyfor AES256 (to encrypt/decrypt the master key) and RSA (for client-server asymmetric cryptography), respectively.