Project CryptoGraphie - 1

Guillaume Dorschner & Jules Deleuse

A4 - CCC

This project is a comprehensive exploration of cryptographic principles and their application in securing user data. Through a two-part implementation focusing on password storage and Password-Authenticated Key Exchange (PAKE) see here, this project demonstrates robust security practices in application development.

Requirement for the implementation: password storage. Think about it as you are building some application that has user system (username and password) and you need to store the password securely. You should implement your solution, taking into accounts all the attack scenarios we have discussed. Basically the grade will be scored according to how secure your implementation is. The implementation needs to be runnable, where I can enter my username and password for registration and logging in (the interface can be a web app, or terminal etc).

If you are using any cryptographic encryption implementation, you need to use google tink library (except for the hash functions). Implementation using other libraries does not count.

We use docker to run the application for simplicity. You can install docker from here.

1. Download docker on your computer
2. Download the release of the project
3. Change the example.env to .env and fill in the environment variables. Then run the following command to start the application:

docker compose up

All the code is written in Python, and we will be using the following libraries:

• Flask
• PostgreSQL database
• Flask-Login
• Argon2
• Google Tink for all cryptographic operations.

graph LR
    Front[Flask Frontend] <--> Server
    Database[Postgres Database] <--> Server
    Server[Flask Backend] --> Postgres[PostgreSQL database]
    Server[Flask Backend] --> Flask-Login[Flask-Login]
    Server[Flask Backend] --> Argon2[Argon2]
    Server[Flask Backend] --> Tink[Google Tink]

Example of Sequence Diagram.

    sequenceDiagram
    participant U as User (Alice)
    participant S as Server (Bob)
    participant D as Database

    Note over U,S: Registration Phase
        U->>S: Hello I want to signup I'm Bob with password "1234"
        S-->>S: Hash the password with salt
        S-->>D: Store: hashed password & salt
        S-->>S: Generate a session token
        S-->>D: Store: session token
        S-->>U: Welcome Bob | send the session token

    Note over U,S: Login Phase
        U->>S: Hello, I'm Bob with password "1234"
        S-->>D: Retrieve: hashed password & salt
        S-->>S: Hash the password with the retrieved salt
        S-->>S: Compare the hashed password with the one in the database
        S-->>D: Generate a session token
        S-->>U: Welcome Bob | send the session token