Resources

Highlights

Summary

This project involved the design and implementation of a digital signature server, a trusted third party that creates private-public key pairs, stores them and generates digital signatures on the behalf of the users (a common requirement in organizational settings where centralized key management is preferred).

The core of the project was to build a robust authentication protocol and a secure communication channel without relying on existing high-level libraries like TLS:

  • Handshake: A secure channel is established using Elliptic-Curve Diffie-Hellman Ephemeral key exchange (X25519 curve) to ensure Perfect Forward Secrecy. The channel also provides confidentiality, integrity and no-replay through authenticated encryption (AES-128-GCM)
  • Authentication: The server authenticates to the client using a digital signature (ECDSA). Clients authenticate to the server using a username and a securely hashed password (Argon2id)

Finally, a sample conversation between a client and the server was captured and analyzed using Wireshark, verifying that each exchanged byte conformed to the designed protocol and confirming that an eavesdropper could only observe the ciphertext.

Pictures

Sequence diagram of the handshake (server authentication) protocol

Sequence diagram of the handshake (server authentication) protocol

Sequence diagram of the client authentication protocol

Sequence diagram of the client authentication protocol

Server’s response to a SignDocument operation, captured by wireshark (grey bytes are TCP headers)

Server’s response to a SignDocument operation, captured by wireshark (grey bytes are TCP headers)

Interpretation of the server’s response above

Interpretation of the server’s response above

See it in action