• Cryptomsg3.js
    In this version a user ID and password have been added
    The following is the output of one session. The setup function creates the cryptographic keys used in the client and server objects. Note that client and server have different random number keys and permutations. None of the permutation arrays are shown.

    PICO 1v86 
    >echo(0);
    In left pane enter setup(); and press return.
    =undefined
    >setup();
    Client Random # keys
    147,218,39,254,251,124,105,20,249,242,176,254,251,124,105,138
    124,171,219,12,155,172,248,197,93,220,85,14,86,211,101,122
    Msg Hash keys
    183,198,0,48,252,124,105,20,27,113,129,48,252,124,105,170
    232,149,224,242,228,159,142,123,127,115,23,205,73,51,112,58
    Auth Hash keys
    82,25,235,120,252,124,105,20,163,183,112,121,252,124,105,248
    90,33,23,232,223,50,115,84,170,190,44,139,113,153,65,249
    IDPW Hash keys
    179,197,74,194,252,124,105,20,240,89,206,194,252,124,105,142
    23,120,142,240,228,46,156,128,54,32,224,158,21,49,50,162
    IDPWkey Hash keys
    254,143,24,11,253,124,105,20,217,234,155,11,253,124,105,49
    255,224,2,245,157,160,44,204,179,206,10,57,236,82,67,23
    Server Random # keys
    53,87,29,162,253,124,105,20,95,37,162,162,253,124,105,26
    78,233,136,63,69,30,248,93,255,66,4,177,179,192,75,192
    To setup a User ID and password
    In the left pane enter ID="<user ID>";
    In the left pane enter PW="<password>";
    In left pane enter setupID(); and press return.
    =undefined
    

    The setupID() function performs a hash of the ID and Password and stores it in the server object for later reference.

    >ID="sam"
    ="sam"
    >PW="a1234";
    ="a1234"
    >setupID();
    IDPW_hash
    20,198,57,30,198,43,156,233,212,6,187,246,210,28,110,194
    In left pane enter connect(); and press return.
    =undefined
    

    The setup process is completed at this point.
    The connect() function sends a command from the client to the server. The message in the text, a random number Rnum, and a MHash of the text and Rnum blocks.
    The server calculated the hash1 of the text and Rnum blocks of the received message and performs a comparison.
    The server creates a reply message.

    >connect();
    {
      "text": [
        new Uint8Array([65, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
       ],
      "Rnum": new Uint8Array([107, 107, 107, 107, 107, 107, 107, 107, 107, 107, 107, 107, 107, 107, 107, 107]),
      "Auth": new Uint8Array(16),
      "Mhash": new ArrayBuffer([67, 224, 209, 99, 57, 134, 239, 227, 82, 141, 121, 73, 1, 34, 87, 53])
     }
    Client msg 1 hash OK
    

    The server creates a reply.
    It generates a new random number Rnum.
    It calculates the Auth value by hashing the Rnum in the clients message
    It calculates the MHash of the text, Rnum, and Auth blocks.

    {
      "text": [
        new Uint8Array([65, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
       ],
      "Rnum": new Uint8Array([95, 95, 95, 95, 95, 95, 95, 95, 95, 95, 95, 95, 95, 95, 95, 95]),
      "Auth": new ArrayBuffer([177, 4, 182, 80, 32, 193, 133, 253, 206, 70, 222, 40, 50, 103, 253, 84]),
      "Mhash": new ArrayBuffer([174, 166, 145, 239, 250, 142, 29, 89, 132, 47, 94, 235, 3, 148, 16, 180])
     }
    

    The client validates the Mhash, and the Auth and asked the user for ID and password.

    Server msg1 hash OK
    Server is authentic
    Enter User ID and password
    In the left pane enter ID="<user ID>";
    In the left pane enter PW="<password>";
    In left pane enter login(); and press return.
    =undefined
    >
    

    The user enters the ID and password and the client sends a message to the server using the login() function.
    The message contains the text[0] block with the command, the text[1] block, a Rnum random number block, the Auth block and a Mhash of both text blocks, the Rnum and Auth blocks.
    An encryption key is created using a hash of the Rnum in the last server message.
    The encryption key is used to encrypt the hash of the ID and password.
    Text[1]= the permutation of the encrypted hash of ID and password.
    Note: the permutation uses an array of 128 values to swap bits in the block thus increasing the difficulty level for a hacker.

    >ID
    ="sam"
    >PW
    ="a1234"
    >login();
    {
      "text": [
        new Uint8Array([66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
        new ArrayBuffer([188, 251, 96, 214, 196, 152, 12, 153, 116, 62, 142, 67, 36, 191, 9, 37])
       ],
      "Rnum": new Uint8Array([231, 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, 231]),
      "Auth": new ArrayBuffer([85, 202, 193, 237, 229, 82, 213, 28, 17, 66, 76, 168, 105, 110, 34, 181]),
      "Mhash": new ArrayBuffer([246, 246, 153, 109, 110, 234, 46, 198, 250, 173, 197, 70, 46, 130, 198, 8])
     }
    Client msg 2 hash OK
    Client is authentic
    User ID and password valid
    

    The server validates the Mhash, and the Auth blocks.
    The server reverses the permutation and decrypts the text[1] block and uses the previously saved IDPW hash to validate the user ID and password.
    The server replies as follows:

    {
      "text": [
        new Uint8Array([66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
       ],
      "Rnum": new Uint8Array([197, 197, 197, 197, 197, 197, 197, 197, 197, 197, 197, 197, 197, 197, 197, 197]),
      "Auth": new ArrayBuffer([203, 178, 225, 223, 185, 157, 208, 10, 205, 106, 25, 48, 148, 14, 178, 244]),
      "Mhash": new ArrayBuffer([136, 235, 215, 192, 46, 125, 93, 102, 232, 66, 154, 94, 254, 96, 125, 171])
     }
    

    The client validates the Mhash, and the Auth blocks.

    Server msg1 hash OK
    Server is authentic
    In left pane enter replay(); or LEDon(); or LEDoff(); and press return.
    =undefined
    >
    

    The user enters LEDon() and the client sends a message with text[0][1]=153

    >LEDon();
    {
      "text": [
        new Uint8Array([67, 153, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
       ],
      "Rnum": new Uint8Array([245, 245, 245, 245, 245, 245, 245, 245, 245, 245, 245, 245, 245, 245, 245, 245]),
      "Auth": new ArrayBuffer([84, 61, 229, 17, 188, 93, 153, 84, 8, 11, 141, 163, 234, 109, 215, 22]),
      "Mhash": new ArrayBuffer([161, 191, 122, 233, 14, 1, 107, 240, 101, 7, 97, 214, 109, 87, 47, 227])
     }
    

    The server validates the Mhash and Auth blocks and uses the value on text[0][1] to turn the Green LED on the PICO on or off.

    Client msg 3 hash OK
    Client is authentic
    {
      "text": [
        new Uint8Array([67, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
       ],
      "Rnum": new Uint8Array([9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9]),
      "Auth": new ArrayBuffer([25, 138, 122, 203, 160, 27, 197, 203, 83, 67, 94, 253, 166, 101, 177, 61]),
      "Mhash": new ArrayBuffer([156, 67, 30, 184, 3, 5, 237, 23, 4, 169, 138, 33, 245, 137, 166, 242])
     }
    Server msg hash OK
    Server is authentic
    In left pane enter replay(); or LEDon(); or LEDoff(); and press return.
    =undefined
    

    The user enters LEDoff(), and the client sends the following message to the server.

    >LEDoff();
    {
      "text": [
        new Uint8Array([67, 152, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
       ],
      "Rnum": new Uint8Array([32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32]),
      "Auth": new ArrayBuffer([173, 227, 7, 74, 231, 212, 57, 149, 211, 167, 182, 168, 50, 163, 100, 136]),
      "Mhash": new ArrayBuffer([166, 234, 76, 46, 39, 225, 249, 161, 72, 87, 168, 112, 131, 189, 17, 179])
     }
    Client msg 3 hash OK
    Client is authentic
    

    The server turns the LED off and replies as follows.

    {
      "text": [
        new Uint8Array([67, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
       ],
      "Rnum": new Uint8Array([91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91]),
      "Auth": new ArrayBuffer([69, 156, 77, 140, 124, 163, 20, 171, 113, 5, 219, 192, 52, 186, 236, 247]),
      "Mhash": new ArrayBuffer([58, 187, 167, 69, 103, 61, 35, 28, 56, 158, 186, 83, 30, 230, 152, 10])
     }
    Server msg hash OK
    Server is authentic
    In left pane enter replay(); or LEDon(); or LEDoff(); and press return.
    

    Along the way the client and server messages have been saved by Bill the black hat hacker. So Bill tries sending the client’s messages to the server with the following results.

    >replay();
    Trying to replay
    Client msg 1 hash OK
    Client msg 2 hash OK
    Client not authentic
    ((the calculated and message Auth values are shown here))
    73,37,138,217,81,69,32,247,92,136,225,154,124,8,83,157
    85,202,193,237,229,82,213,28,17,66,76,168,105,110,34,181
    =undefined
    

    Try it and have the client enter the wrong ID or password.
    The random number generator uses Date.now, and Math.random() as a seed.
    A permutation followed by encryption or decryption is applied to the seed.
    A one way matrix operation is applied followed by a second permutation and finally a second encryption or decryption. Again this makes life hard for hackers as compared to a simple counter applied to the AES algorithm.
    The hash function does a similar process permutation1, encrypt, one way, permutation2, encrypt. For the first block the one way is initialized. For subsequent blocks the one way uses the results from the previous block.


    1 Attachment

About