Learn Cryptography By Building a Digital Signature System

[lavanganji]

I am interested in working this out @QuincyLarson

[QuincyLarson]

@lavanganji Great - we would welcome your help with this.

The first step is to build the project itself. Then you can work backward to break it down into steps, like this: https://github.com/freeCodeCamp/CurriculumExpansion/pull/135/files#diff-99314d694942b489d28d8a6f0c3bc5a3

[lavanganji]

@QuincyLarson i am working on the Building Search Engine. @All anyone who is interested can take over this . if need will come back later to this.

[lmilliken]

I would be interested in working on this. I'm thinking that this would be an Express app using the bcrypt library that hashes and store passwords in a local object?

[scissorsneedfoodtoo]

@lmilliken, yes, I think that's a good way to go. Originally I thought this would be a tutorial about building something like an MD5 encoder/decoder. But we would have to make it really clear that MD5 is considered unsafe, and shouldn't be used for passwords.

A login page that uses bcrypt to has the passwords might work. The lessons could explain the basics of cryptography and how to safely handle/store passwords as students build the application. But what do you think? Do you have a different project idea?

[scissorsneedfoodtoo]

@lavanganji, I'm sorry, please ignore my last message. After thinking more about this project, it would be better to avoid libraries like bcrypt so the project can function seamlessly offline. Instead, it would be better to focus on the fundamentals of cryptography and have students build their own simple password hasher -- something that can encrypt and decrypt strings, and maybe cover other topics like salting the hash.

Again, my apologies if you've already started building this out using Express and bcrypt. Is this something you would still be interested in?

[lmilliken]

@scissorsneedfoodtoo , I'm working on the calorie counter and haven't started on this. Can someone else work on this?

[scissorsneedfoodtoo]

@lmilliken, okay, thanks for letting me know. Feel free to circle back to this project later if it's still unclaimed!

[vkWeb]

@scissorsneedfoodtoo I am interested in tackling this. I am new to the JavaScript world but I have prior experience with C and C++. I am aware of basic ciphering techniques like Caesar's cipher and Vigenere's cipher. These two techniques cover the basics of cryptography like the input string, encryption key, and the output i.e. ciphered(encrypted) text.

Umm, I am not sure how we'll demonstrate the salting technique. CS50's Crack problem was really great. I recently solved that (I am doing CS50, in week 3 right now <3). Maybe we can look into it and built something of similar shape: https://docs.cs50.net/2018/x/psets/2/crack/crack.html But in this case, we won't be able to demonstrate them the proper use of encryption key and decryption mechanism as hashing is just a one-way algorithm.

Or

We can just stick to the basics of cryptography by implementing Vigenere cipher and in another lesson, we can talk about salt. If you have any other thoughts about this please let me know :)

[scissorsneedfoodtoo]

@vkWeb, great to see you again!

This one will be tricky. While CS50's Crack problem looks great, it uses the crypt program which I believe we're trying to avoid here. We would like to teach the fundamentals of cryptography here, so it would be best to stick to the basics and implement Vigenere's cipher. There's probably no need to teach about things like salt since that would over complicate things. Does that sound alright?

[vkWeb]

@scissorsneedfoodtoo Thanks, man :) I missed you people and freeCodeCamp a lot <3. It's nice to be here. Actually, I was studying for my entrance exams. Now my exams are over. So, I have started my coding journey from scratch. I started only a few weeks ago with CS50, it's my first computer science course. Soon, I'll pick up with freeCodeCamp curriculum but first I'll try to make a grip on Data structures and Algorithms. I love the freeCodeCamp community <3 and almost every night I check the repository. So, I decided to tackle some issues. It'll give me some experience with JavaScript. With time as I acquire more skills, I'll dedicate more time to contributing :)

If we want to stick to the fundamentals then implementing Caesar's cipher will be the best option. It's easy, super straight forward and covers the required basics.

I am thinking a bit loud here. We should talk about salt... Instead of implementing MD5, SHA-256 or any other hashing algorithm which will make things pretty complex. Maybe we can invent our own simple hash function just for demonstration purposes. What do you think?

[scissorsneedfoodtoo]

@vkWeb, so sorry for the delay. I responded over the weekend, but for some reason my message isn't showing here.

Definitely glad to have you back! Hope all of your exams went well. I've heard so many good things about CS50, and I'm sure it'll help as you practice more data structures and algorithms with this project.

Caesar's Cipher would be a simple way to introduce some cryptography fundamentals. Unfortunately, it's still a required project for the Learn Algorithms and Data Structures section. We definitely don't want to give away the solution to that project! And you're right, even MD5 is way more complicated than I thought. Inventing our own is totally fine, though, and will make for a great learning opportunity!

[vkWeb]

@scissorsneedfoodtoo, No problem mate. Yes, my exams went well :)

Umm... If we implement Vigenere then we'll ultimately give away the logic of the Caesar. I think we should implement Caesar and update the project to Vigenere or any other more difficult ciphering technique. What do you think?

Btw, I am planning to first quickly push the ciphering prototype and then the hasher because it'll take some time.

[scissorsneedfoodtoo]

@vkWeb, that's great! Glad they went well.

The current plan is to keep all the required projects the same, and use these other projects as a way to teach concepts that students will need when they're working on said required projects. This project will likely come after the required Caesar's Cipher project, assuming students work through the curriculum from beginning to end. So using Vigenere's Cipher here should be fine, though there might be a better alternative that is about the same difficulty as Caesar's Cipher, but will still let us teach the fundamentals of cryptography.

I took a look at this list, and there seem to be a few that will work well for this lesson: http://practicalcryptography.com/ciphers/

The Columnar Transposition and Polybius Square ciphers look like they might be good. There are a couple others like Bifid and Autokey, though they might be a bit too difficult at this point in the curriculum. I'm leaning more toward Columnar Transposition since it will allow us to introduce concepts like symmetric encryption / shared key encryption.

How does that sound?

[vkWeb]

@scissorsneedfoodtoo Oh. If this project will come after Caesar cipher then I think we should not implement any of the shared key encryption algorithms like Vigenere or columnar transposition.

Instead, we should take a step forward and dive to public key (asymmetric) cryptography. This will help us in introducing the amazing concept of public and private keys - the underlying principle of our secure Internet. I am planning to implement the RSA encryption algorithm.

Btw, I looked at the freeCodeCamp Caesar cipher challenge. We'll need to add some theory about symmetric key cryptography and talk a bit about keys to make the journey of public key cryptography smooth for campers. If this plan looks good to you, I'll raise a PR to improve the Caesar cipher project and then I'll think deeply about implementing RSA in a lucid manner with a real JavaScript project.

What do you think about this?

[scissorsneedfoodtoo]

@vkWeb, sorry, I fear I've been letting this project grow too large in scope. This could really be much simpler, and teach some fundamentals of cryptography by having the student build a simple password hasher, then teach how password hashes should be stored rather than plain text, along with other concepts like salt and pepper. We could just use a simple algorithm to encode the passwords, with the disclaimer that they're not safe to use on a live site, and that this is just for learning the basics. All along the way we could be teaching the different ways that attackers try and decode a hashed password like brute force, a dictionary attack, or rainbow tables, and how to defend against those by using salt or pepper.

That said, if you can find a simple way to implement the RSA encryption algorithm to teach the fundamentals of cryptography without any libraries, then perhaps we can change this project. It would be cool if we can find a way to teach asymmetric cryptography since it's so common these days. Just keep in mind that we'll want students to write as much of the code as possible while working through these lessons.

I'm thinking we can just leave the Caesar's Cipher project alone for now. That comes pretty early in the curriculum and we won't want to scare away any campers that are working through it. Your project could mention why things like Caesar's Cipher are known as symmetric cryptography and that you'll be teaching asymmetric cryptography.

By the way, do you have about 20 to 30 minutes to hop on a call? I'd love to catch up and talk more about this project in detail. If so, could you send me a message at kris@freecodecamp.org? Then we can set something up for later this week or early next week.

[vkWeb]

@scissorsneedfoodtoo Yes, this project has grown up to a very large extent. I am super excited to see how we together unfold and ship this project. I think we should cover both the topics i.e. asymmetric cryptography and password hashing. Implementing RSA will enable us to teach asymmetric cryptography and then in the hash project, we'll teach about password hashes, attacks, salts and why passwords are hashed. In this way, we'll cover a large chunk of the basic fundamentals of Cryptography 😄!

As of now, I am not sure if I'll need any libraries or not because I am not familiar with JavaScript that much. But as far as the RSA algorithm is concerned, it's pure math. My vision is to teach RSA in a way such that campers actually understand and enjoy the lesson. If you want we can leave the Caesar cipher project alone and discuss the difference between symmetric & asymmetric cryptography with RSA project itself.

Since this project has grown up to a large Cryptography project. I would love to discuss this project in detail with you over a call. But right now, I think I need some time alone to properly understand RSA, learn JavaScript and design a project prototype. Give me around one and a half week time, I'll message you when I feel ready to take this whole project further.

[QuincyLarson]

@vkWeb Keep in mind that we will need to write a series of tests (lessons) that walk learners through building this step by step, and it needs to be simple to explain. We can't say "here's an MIT lecture on [math concept] and expect them to go watch it. Everything has to be communicatable through one- or two- sentence test messages.

Could you build a basic prototype with the RSA implemented? I am curious to see how complicated it is.

[vkWeb]

@QuincyLarson Okay, I'll keep that in mind. Though I might need to write some theory of one or two paragraphs to explain some concepts.

Btw, I'll think more deeply how to deal with those concepts while designing the project. Right now, I am focusing on understanding RSA and learning JavaScript. I'll soon update you about the progress. It won't take more than two weeks to come with a prototype.

[vkWeb]

@QuincyLarson It's over two weeks now so here I am to update you about the project status. I have already updated @scissorsneedfoodtoo through email.

After understanding RSA and looking to its application in the real world, I have decided to build a Digital Signature System. The process of digital signing is as stated below:

Step 1: Hash the message or data to be sent Step 2: Generate key pairs - public and private key using RSA Step 3: Encrypt the hash with the private key which acts as a signature and send the data along with the signature Step 4: The receiver decrypts the signature and hashes the received data. Then checks if the decrypted signature and hash are equal or not. If they are equal then the signature is valid.

In this project, we'll cover concepts of hashing, generation of the key pairs, asymmetric algorithm (RSA), encryption, and decryption. In this way, almost all the fundamental concepts of Cryptography will be covered. Right now, I'm implementing Step 1 of the project. I'm a bit slow with the prototype but eventually, I hope it'll take good shape :) Here's the Git repo I'm working on https://github.com/vkWeb/Digital-Signature-System

@QuincyLarson What do you think about this?

[scissorsneedfoodtoo]

@vkWeb, awesome! This is looking great so far. Thank you for all your hard work on this. It's certainly a daunting subject, but I think your project will do an excellent job of teaching the fundamentals of modern cryptography. Great work!

I've been playing with your prototype (https://vkweb.github.io/Digital-Signature-System/) and it looks great. Just a couple of things I noticed:

• The initial message has a couple of minor typos. Here's an edited version:

Hey Bob, Alice here. This is a secret message. 

We will buy around a thousand shares of AAPL this evening ;)

I also have plans to invest in India's real estate market. It's one of the fastest growing economies in the world and will benefit our portfolio.

• Seems like you're already working on the bug with some of the bigger prime numbers that's causing the failure error. Let me know if there's anything I can do to help!

[scissorsneedfoodtoo]

@vkWeb, I looked at your prototype a bit longer and I think the problem is that the max safe integer in JS is 9007199254740991, and Math.pow(digitalSignature, publicKey) returns a larger number than that. There's a way around this with BigInt, and I have a working prototype here: https://codepen.io/scissorsneedfoodtoo/pen/mZPMdN.

BigInt isn't supported in the current version of FireFox, though it will be supported in FF 68 which releases in early July, so we should be able to use it in the new curriculum. Feel free to clean up my code to use in your lessons!

[vkWeb]

@scissorsneedfoodtoo Thank you so much, man! I played with your prototype and it's working with bigger primes too! 🎉 Btw RSA was easier than I thought, campers will enjoy the lesson :stuck_out_tongue:

I'll soon push commits to #184 to fix the prime issue and message text. @scissorsneedfoodtoo Please rename this issue and move it to "writing test description" in the kanban board.

[scissorsneedfoodtoo]

@vkWeb, no worries, glad to help a little bit. Awesome job breaking this down! Should be a really fun project and I'm sure all the campers will enjoy working through it.

[vkWeb]

@scissorsneedfoodtoo Yeah!

[vkWeb]

@scissorsneedfoodtoo Please rename this issue to "Learn Cryptography By Building a Digital Signature System".

[scissorsneedfoodtoo]

Awesome! Thank you for thinking of a more appropriate project name. I'll update the title here and in Quincy's forum post now.