Assignment 8
revised: 10/26/06
Assigned: 10/17/06
Due: 6:00pm 11/4/06
Objective: use Diffie-Hellman to create an AES key in ncp.c
Points: 30

Description:
Modify assignment 7 to use Diffie-Hellman (D-H) to establish the AES key instead of the MD5 hash of a passphrase. To use D-H, you'll need to add another sendto() and recvfrom() to your client. Hack in the Diffie-Hellman code from ~dunigan/cns06/dhtest.c to do the Diffie-Hellman exchange.

-use the generator and modulus in dhtest.c to calculate your private and public D-H key. Use BN_bn2hex() to convert your public key into an ASCII hex string, and copy the string and trailing null into outpkt.data. Set the outpkt.datlth to the length of the string (not including the null) -- remember length should be converted to network byte order (htonl())
-set outpkt.type = htonl(NCP_DH); and construct the user_authenticator and msg_authenticator and send the packet (not encrypted -- we don't have a key yet).
-issue the recvfrom() and verify the user_authenticator and msg_authenticator, then copy the server's public key from inpkt.data (it will be an ASCII hex string). Convert the server public key to binary with BN_hex2bn() and calculate the D-H shared secret
-convert the D-H shared secret to an ASCII hex string with BN_bn2hex() and then do an MD5 hash of the string, and use the 16-byte output of the MD5 as the 16-byte key for the AES encryption
-now that you have an AES key, just use the rest of your assignment 7 code to do the actual encrypted ncp transaction.
-don't forget to zero the msg_authenticator before doing the HMAC for your second (encrypted) sendto()

  client sends his D-H public          ------>
                                       <-----   server sends his D-H public
        both calculate the D-H shared secret and create AES key
  client sends his encrypted request   ---->
                                       <-----   server sends his encrypted reply

You must test your client with whisper on port 4323.
1) Include in your ANSWERS file the first-byte authenticator values, and the value of the data[] field in the response packet you get back from whisper. whisper will only accept writes to a file called out.tmp and reads from a file called in.tmp. You must use the password secret06
   For example,
     ncp-dh 4323 secret06 myfile.dat whisper:out.tmp
     ncp-dh 4323 secret06 whisper:in.tmp my.tmp

2) Use the UNIX "bc" command (or your favorite big integer arithmetic software) to calculate your half of the shared secret for a D-H exchange where p = 97, g=5, and random value x=77. Paste the value in your ANSWERS file.

3) Is the D-H exchange that your client does with whisper vulnerable to a man-in-the-middle attack? Explain.

Use the 594cns_submit to submit ANSWERS and the source files (*.c *.h Makefile). Remember that encryption code is subject to export restrictions. It would be best if you could isolate most of the D-H code in its own C function/source file.

Notes:
-use the same socket for all of your sendto/recvfrom
-since the code uses UDP, it is possible for packets to get lost and your test might hang.
-whisper should echo something back even if you've messed up.
-you should only have to mess with the key setup part of assignment 7, assuming your assignment 7 was working.
-update your program documentation to describe what's goin' on in your code
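
Added example (not part of the original assignment and not the code in dhtest.c): the public-key exchange from the Description, done with 64-bit arithmetic instead of OpenSSL BIGNUMs so it builds anywhere. The group (TOY_P, TOY_G), struct dh_pkt and the function names are constructed for illustration; the range check on the peer's value is an extra receiver-side check the assignment does not ask for, and the MD5 and authenticator steps are left out.

```c
#include <arpa/inet.h>   /* htonl, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy group for illustration, NOT the values in dhtest.c. */
#define TOY_P 2147483647ULL   /* prime 2^31 - 1 */
#define TOY_G 7ULL
/* Hypothetical stand-in for the two ncp packet fields used here. */
struct dh_pkt { uint32_t datlth; char data[64]; };

/* Square-and-multiply; products fit in 64 bits because m < 2^32. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1) r = r * base % m;
        base = base * base % m;
    }
    return r;
}

/* Sender: g^priv mod p as a hex string plus null; datlth excludes the null. */
static void dh_pack_public(struct dh_pkt *pkt, uint64_t priv) {
    int n = snprintf(pkt->data, sizeof pkt->data, "%llX",
                     (unsigned long long)modpow(TOY_G, priv, TOY_P));
    pkt->datlth = htonl((uint32_t)n);
}

/* Receiver: validate the peer's packet, derive the secret; -1 on reject. */
static int dh_shared(const struct dh_pkt *pkt, uint64_t priv, uint64_t *secret) {
    uint32_t len = ntohl(pkt->datlth);
    if (len == 0 || len >= sizeof pkt->data || pkt->data[len] != '\0')
        return -1;                    /* datlth must match the string */
    if (strspn(pkt->data, "0123456789ABCDEFabcdef") != len)
        return -1;                    /* hex digits only */
    unsigned long long pub = strtoull(pkt->data, NULL, 16);
    if (pub < 2 || pub > TOY_P - 2)
        return -1;                    /* 0, 1, p-1 give a predictable secret */
    *secret = modpow(pub, priv, TOY_P);
    return 0;
}

int main(void) {
    struct dh_pkt c, s; uint64_t kc = 0, ks = 1;
    dh_pack_public(&c, 123456789); dh_pack_public(&s, 987654321);
    if (dh_shared(&s, 123456789, &kc) || dh_shared(&c, 987654321, &ks)) return 1;
    printf("client %llX server %llX\n", (unsigned long long)kc, (unsigned long long)ks);
    return kc != ks;
}
```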