Network Programming Major Assignment 4


Network Security – Secure Multi-user Chat

Programming Assignment 4 (40 points)

Objective:

To use Java Cryptography Extension (JCE) to develop a fully-secured multi-user chat program.

Background:

In your previous course, Network Programming, you developed a multi-user chat program, which your older sister frequently uses to communicate with her boyfriend over the Internet. However, by hiring the CNSA (the Chinese equivalent of the USA's National Security Agency) to eavesdrop on her communication, your big mother discovered that she and her boyfriend plan to drop out of 大连理工大学 and run away to get married. Your sister, although much smarter than you, knows little about computers, and specifically about computer and network security, and has agreed to pay you 1,000,000¥ to develop a fully-secured multi-user chat program so that she and her boyfriend can continue to communicate, but this time secretly. Most importantly, your sister demands that all communications be fully secured not just from your nosy and intrusive mother, but from anybody, including the CNSA and the NSA.

Requirements:

Using your last program from Network Programming as the building block, we now need to add several layers of security.

First, the communication between the server and user should be encrypted using RC4 and a session key, which is a temporary key used only for securing the communication between the server and user. As you know, RC4 is a stream cipher, but is as secure as block ciphers such as 3DES and AES. The main advantage of using RC4 here is that it is very fast and is ideal for encrypting streams of data (arbitrary lengths of data), such as users' messages.

The server acts not only as the chat server, but also as the authentication center. The chat server keeps a list of the names and passwords of all users (those who have already set up an account with the server) in a file on the hard drive. The file should at all times be encrypted with AES using a 128-bit key (see below for the key) that only the server knows.

Login Procedure for an existing user

1. It contacts the server and requests its public key. The public key is sent to the user.

2. The user generates a session key (RC4) and sends its user name, password, and the session key to the server.

3. The server decrypts the message with its private key and recovers the user name, password, and session key.

4. The server checks to see if the password is correct for this user. If so, it sends a status (either "OR" or "USER NOT EXIST", or "PASSWORD INCORRECT") back to the user encrypted with the session key.
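The four login steps above, run end to end in one process with JCE. This is an added example, not part of the assignment handout or a reference solution. The class name, the in-memory account table, the `DataOutputStream` framing, and the use of 2048-bit RSA with OAEP padding are assumptions that the handout does not specify.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.*;
import java.security.*;
import java.util.Map;
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;
public class LoginExchangeDemo {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"; // assumed padding choice
    // Constructed account table; the assignment keeps this in an AES-encrypted file.
    static final Map<String, String> USERS = Map.of("alice", "correct horse");
    // Step 2 (client): user name, password and RC4 session key, encrypted to the server's public key.
    static byte[] clientLogin(PublicKey serverPub, String user, String pw, SecretKey session) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeUTF(user);
        out.writeUTF(pw);
        out.write(session.getEncoded());           // remaining bytes of the message are the key
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.ENCRYPT_MODE, serverPub);
        return rsa.doFinal(buf.toByteArray());
    }
    // Steps 3-4 (server): decrypt, check the password, reply under the session key.
    static byte[] serverHandle(PrivateKey serverPriv, byte[] request) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.DECRYPT_MODE, serverPriv);
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(rsa.doFinal(request)));
        String user = in.readUTF(), pw = in.readUTF();
        SecretKey session = new SecretKeySpec(in.readAllBytes(), "ARCFOUR");
        String stored = USERS.get(user);
        String status = stored == null ? "USER NOT EXIST"  // status strings as listed in step 4
            : MessageDigest.isEqual(stored.getBytes(UTF_8), pw.getBytes(UTF_8)) ? "OR" : "PASSWORD INCORRECT";
        return rc4(Cipher.ENCRYPT_MODE, session, status.getBytes(UTF_8));
    }
    // "ARCFOUR" is the JCE algorithm name for RC4.
    static byte[] rc4(int mode, SecretKey k, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("ARCFOUR");
        c.init(mode, k);
        return c.doFinal(data);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();    // step 1: the public half is what the user requests
        for (String pw : new String[] {"correct horse", "wrong"}) {
            // New session key per login: an RC4 key must never encrypt two streams.
            SecretKey session = KeyGenerator.getInstance("ARCFOUR").generateKey();
            byte[] reply = serverHandle(server.getPrivate(), clientLogin(server.getPublic(), "alice", pw, session));
            System.out.println(new String(rc4(Cipher.DECRYPT_MODE, session, reply), UTF_8));
        }
    }
}
```

In the real program the two halves run on opposite ends of a socket, and the password comparison uses `MessageDigest.isEqual` so that its timing does not depend on where the first mismatching byte falls.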
