Secure communications with a different flavour of randomness

“One must acknowledge with cryptography no amount of violence will ever solve a math problem.”

Cryptography has always been a fascinating field of study. The core idea of transferring a message between two parties without letting anyone else know what it is, is interesting at the least. A minimalistic approach that is also information-theoretically secure (unbreakable irrespective of computational power) is the One Time Pad which uses a pre-shared common secret key. The security depends on the secret key which has to be as secure as possible and as random as possible. The task of generating a secret key is one of the most difficult and crucial tasks as we not only need to create a random key but also need to make sure that it does not get hacked by a third party. Keeping all of this in mind, we created a secure connection using P2P communication to transmit messages using the famous Diffie-Hellman Algorithm in our project. The Diffie-Hellman Key Exchange is a secure key exchange protocol widely used in practical cryptographic applications.

Idea Behind The Algorithm

Let us say Alice needs to send a secret message to Bob without letting Eve decipher the message. Before I begin, let me elucidate some notions of public keys and private keys. As the name suggests, a public key means publicly known. It is available to everyone. Likewise, a Private key is a confidential key known only to the owner.

So basically, the idea is that Alice and Bob decide two prime numbers, g and P, mutually and publicly, which can be referred to as Public Keys. Generally, g is a small prime number and P is taken large, usually 2000 or 4000 bits long. Now Alice decides a random number a which is private and not known to anybody including Bob. Similarly, Bob decides a random number say b, again private. I will later discuss a unique method that I implemented to decide the a and b with an appreciable level of randomness. After deciding on these keys, Alice performs an operation g^a mod P, let’s call this A since it comes from a. Bob then performs g^b mod P, which let’s call B. Alice then sends A to Bob, and Bob sends B to Alice. Finally, Alice takes B and performs B^a mod P. Similarly, Bob takes A and performs A^b mod P. This results in the same number i.e. B^a mod P = A^b mod P = g^ab mod P. They now have a shared number which can be called as the secret key K. Keep in mind that K is the final secret key which is linked to the public keys g and P, while a and b are the private keys known only to the user. Note that Eve has access to g, P, A and B. The beauty of this algorithm is that in spite of knowing all the public keys it will be a hard job for a third-party (Eve, in this example) figuring out the key without the knowledge of a and b.

How we randomized the private keys using mouse movement

Now that I have built the basic idea behind the Diffie-Hellman algorithm, let’s work on implementing it. But before we move on, there is still a big problem that needs to be addressed related to the selection of the private keys a and b. The private keys are generated by using algorithms depending on a parameter as random as possible, say the storage of the hard disk in bits, the temperature of the machine, etc. So, in our project, we generated a and b based on the mouse movements which can be considered as a random parameter. Generally, the random private keys are generated with random bits RNG or PRNG, which is although difficult, but can be attacked. Numbers are generated based on the position where the mouse changes horizontal or vertical direction. The script takes the coordinates of the mouse pointer in the 256 × 256 pixel field for the few seconds, and two random 8-bit numbers are generated based on the position where the mouse changes horizontal or vertical direction. Then, it concatenates them to produce a random number and combines it with a 16-bit computer-generated number using XOR operation to increase the level of randomness. This process happens every time a mouse changes its direction and the numbers generated keep on concatenating. Hence, we get a larger random number. This random number is our private key (a or b). As you can see this method results in a high degree of randomness and we can get a highly random number almost impossible for third party systems to guess.

What to do after getting the keys?

Now we have our Public and Private keys. The public keys being random prime numbers and the private keys being generated using the mouse movement algorithm described above. Note that the final secret key is K which is obtained after the completion of the algorithm i.e. g^ab mod P. The next step is an easy one. After receiving the secret key K, what we can do is to convert the message into hexadecimal or binary and XOR it with the Key K to use the One Time Pad.

The receiver can again XOR the XOR ‘ed message sent with the key. By converting it back to the text format he can obtain the message. We use the property of XOR

M XOR K XOR K= M

where M is the hexadecimal format of the message. This XOR operation has been proved to be secure since the probability of any bit being either 0 or 1 is 50% each.

How to send the data between a Client & a Server?

The last thing left to do is creating a pathway between the users who want to communicate. Establishing a connection between the two systems can be done in a variety of ways. One way is to implement a Peer to Peer Connection (P2P) between the clients. Wi-Fi direct (also known as peer-to-peer or P2P) allows an application to quickly find and interact with nearby devices, at a range beyond the capabilities of Bluetooth.

Sockets (aka socket programming) enable programs to send and receive data, bi-directionally, at any given moment. With streaming sockets, data can be sent or received at any time, which in this case can be the XORed message or parameters A & B.

This code makes a socket object, and binds it to any localhost’s port (8080 in the case) as a socket server. When the client connects to this address with a socket connection, the server listens for data, and stores it in the “from_client” variable. The data here comprises of the private key A which is sent by the client. Next, the program logs the client data using “print”, and then sends the its private key B (g^b mod P) to the client. If the connection fails it prints the message ‘client disconnected’.

Let’s take a look at the client code that would interact with this server program.

The client opens up a socket connection with the server, but only if the server program is currently running. The client simultaneously sends its private key A (g^a mod P) and receives the private key B it anticipates from the server. Finally, Both the client and the server perform the operation once again and likewise obtain the shared secret key K(g^ab mod P)

To test this out, we can use two terminal windows at the same time, one for establishing a server connection and the other for client.

As shown in the windows both the client and the server get the final secret key K. Now, the client encodes the message using the key after converting it into the hexadecimal format (as shown in the code above) and sends it to the server who decrypts the encoded message by again XOR ing it and obtains the required message.

Done! You can now start streaming public keys and messages between clients and servers using socket programming.

How to send data between 2 clients?

Sending data between 2 or more client devices over the internet is tricky. Due to protections implemented by network security, not all devices connected to the world wide web have a publicly accessible internet protocol (IP) address. How do we achieve reliability and speed when transmitting peer-to-peer data?

One way to accomplish this is by using the server in the middle. Client devices using the internet can connect to a server with a public IP address (or a website domain). Then, this broker in the middle can pass messages routed to 1 or many clients.

The Endless War between Encryption & Decryption

The history of decryption and encryption is a compelling one. It has included a constant battle between cryptographers (encryption) and cryptanalysts (decryption), with persistent attempts to break an existing cipher algorithm, followed by the creation of a new cipher algorithm to replace the broken one.
The same battle goes on today but with a greater emphasis on creating stronger and stronger keys, so a new key is ready and waiting whenever an existing key is hacked (or shows signs of weakening). This process is never-ending. With the growth of the internet and the evolution of computers and smartphones, the importance of day-to-day information security is no longer thought of as only a military or government concern. It’s a bigger idea which takes us into the never-ending battle of staying one step ahead of cybercriminals at every single point of time and to keep addressing the complex questions How can we stay one step ahead? What new deterrents are waiting in the shadows? To fall behind will mean the compromise of our data which will be the darkest hour in the history of information security.