This repository is the official code skeleton for your Assignment #2.
You will build a console-based, PKI-enabled Secure Chat System in Python, demonstrating how cryptographic primitives combine to achieve:
Confidentiality, Integrity, Authenticity, and Non-Repudiation (CIANR).
You are provided only with the project skeleton and file hierarchy.
Each file contains docstrings and TODO markers describing what to implement.
Your task is to:
- Implement the application-layer protocol.
- Integrate cryptographic primitives correctly to satisfy the assignment spec.
- Produce evidence of security properties via Wireshark, replay/tamper tests, and signed session receipts.
securechat-skeleton/
├─ app/
│ ├─ client.py # Client workflow (plain TCP, no TLS)
│ ├─ server.py # Server workflow (plain TCP, no TLS)
│ ├─ crypto/
│ │ ├─ aes.py # AES-128(ECB)+PKCS#7 (use cryptography lib)
│ │ ├─ dh.py # Classic DH helpers + key derivation
│ │ ├─ pki.py # X.509 validation (CA signature, validity, CN)
│ │ └─ sign.py # RSA SHA-256 sign/verify (PKCS#1 v1.5)
│ ├─ common/
│ │ ├─ protocol.py # Pydantic message models (hello/login/msg/receipt)
│ │ └─ utils.py # Helpers (base64, now_ms, sha256_hex)
│ └─ storage/
│ ├─ db.py # MySQL user store (salted SHA-256 passwords)
│ └─ transcript.py # Append-only transcript + transcript hash
├─ scripts/
│ ├─ gen_ca.py # Create Root CA (RSA + self-signed X.509)
│ └─ gen_cert.py # Issue client/server certs signed by Root CA
├─ tests/manual/NOTES.md # Manual testing + Wireshark evidence checklist
├─ certs/.keep # Local certs/keys (gitignored)
├─ transcripts/.keep # Session logs (gitignored)
├─ .env.example # Sample configuration (no secrets)
├─ .gitignore # Ignore secrets, binaries, logs, and certs
├─ requirements.txt # Minimal dependencies
└─ .github/workflows/ci.yml # Compile-only sanity check (no execution)
-
Fork this repository to your own GitHub account(using official nu email).
All development and commits must be performed in your fork. -
Set up environment:
python3 -m venv .venv && source .venv/bin/activate pip install -r requirements.txt cp .env.example .env
-
Initialize MySQL (recommended via Docker):
docker run -d --name securechat-db -e MYSQL_ROOT_PASSWORD=rootpass -e MYSQL_DATABASE=securechat -e MYSQL_USER=scuser -e MYSQL_PASSWORD=scpass -p 3306:3306 mysql:8
-
Create tables:
python -m app.storage.db --init
-
Generate certificates (after implementing the scripts):
python scripts/gen_ca.py --name "FAST-NU Root CA" python scripts/gen_cert.py --cn server.local --out certs/server python scripts/gen_cert.py --cn client.local --out certs/client -
Run components (after implementation):
python -m app.server # in another terminal: python -m app.client
-
Do not use TLS/SSL or any secure-channel abstraction
(e.g.,ssl, HTTPS, WSS, OpenSSL socket wrappers).
All crypto operations must occur explicitly at the application layer. -
You are not required to implement AES, RSA, or DH math, Use any of the available libraries.
-
Do not commit secrets (certs, private keys, salts,
.envvalues). -
Your commits must reflect progressive development — at least 10 meaningful commits.
When submitting on Google Classroom (GCR):
- A ZIP of your GitHub fork (repository).
- MySQL schema dump and a few sample records.
- Updated README.md explaining setup, usage, and test outputs.
RollNumber-FullName-Report-A02.docxRollNumber-FullName-TestReport-A02.docx
✔ Wireshark capture (encrypted payloads only)
✔ Invalid/self-signed cert rejected (BAD_CERT)
✔ Tamper test → signature verification fails (SIG_FAIL)
✔ Replay test → rejected by seqno (REPLAY)
✔ Non-repudiation → exported transcript + signed SessionReceipt verified offline