DLFDL/cyber-students

cyber-students

Registration.py is responsible for user registration. It handles sensitive user information securely through encryption and password hashing, so that the data stored in the database is protected and, even if the database is compromised, the sensitive information remains secure.

Registration.py retrieves the user data submitted during the registration process and encrypts the sensitive fields using AES (Advanced Encryption Standard) in CTR (Counter) mode. The encrypted data (ciphertext) is then stored in the database. A random 32-byte key is generated for the encryption. Registration.py also implements a method for hashing user passwords; the password hash and salt are saved in the database.

Login.py retrieves the hashed password and salt from the database for the given email. An error is returned if the email, password, or salt is missing or invalid. The entered password is hashed using the stored salt. If the newly computed hash matches the stored password hash, a token is generated and returned; if it does not match, an error is returned.

User.py handles the GET request that retrieves the user's information. It first checks whether the user is authenticated using the token. If the user is authenticated, the handler retrieves the encrypted user data, nonce, and password hash from the database. Using AES-CTR, the password hash is used as the key to decrypt the encrypted user data. The decrypted user data is then included in the response object, which is returned to the user.
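As an added example (not the repository's code), this is the registration, login and profile flow the three handlers above describe, with the password hash used as the AES-CTR key as user.py does. The hash function (PBKDF2-HMAC-SHA256), the work factor and the use of the cryptography package are assumptions, since the README does not name them.

```python
import hashlib
import hmac
import json
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Assumed parameters: the README names neither the hash function nor the work factor.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash stored at registration and recomputed at login (32 bytes,
    so the same value can serve as the AES-256 key, as user.py does)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def encrypt_fields(key: bytes, fields: dict) -> tuple[bytes, bytes]:
    """AES-CTR: a fresh random nonce for every encryption, stored beside the ciphertext."""
    nonce = os.urandom(16)
    enc = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
    return nonce, enc.update(json.dumps(fields).encode()) + enc.finalize()


def decrypt_fields(key: bytes, nonce: bytes, ciphertext: bytes) -> dict:
    dec = Cipher(algorithms.AES(key), modes.CTR(nonce)).decryptor()
    return json.loads(dec.update(ciphertext) + dec.finalize())


def register(password: str, fields: dict) -> dict:
    """Record written at registration: hash, salt, nonce and ciphertext; no plaintext."""
    salt = os.urandom(16)
    password_hash = hash_password(password, salt)
    nonce, ciphertext = encrypt_fields(password_hash, fields)
    return {"passwordHash": password_hash, "salt": salt,
            "nonce": nonce, "ciphertext": ciphertext}


def login_ok(record: dict, password: str) -> bool:
    """Login check: rehash with the stored salt and compare in constant time."""
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["passwordHash"])


def profile(record: dict) -> dict:
    """What user.py returns after the token check: the decrypted fields."""
    return decrypt_fields(record["passwordHash"], record["nonce"], record["ciphertext"])
```

Calling register() and then profile() round-trips the fields, while login_ok() rejects a wrong password without leaking timing information about where the hashes differ.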

A new user can be added and checked using the following commands:

Registration: curl -X POST http://localhost:4000/students/api/registration -d "{\"email\": \"[email protected]\", \"password\": \"1GoodPassWord\", \"displayName\": \"daniel\", \"fullName\": \"daniel lazarczyk\", \"address\": \"11 any street\", \"phone\": \"023874078\", \"disabilities\": \"crazy\"}"

Logging In: curl -X POST http://localhost:4000/students/api/login -d "{\"email\": \"[email protected]\", \"password\": \"1GoodPassWord\"}"

Displaying a Profile: curl -H "X-TOKEN: bf546448ab864bd8b02476ac2f74765d" http://localhost:4000/students/api/user

Logging Out: curl -X POST -H "X-TOKEN: bf546448ab864bd8b02476ac2f74765d" http://localhost:4000/students/api/logout

This repository provides some sample code for the Shared Project for Modern Cryptography and Security Management & Compliance. The project requires git, Python 3, and MongoDB. The following sections briefly explain how to set up the project on your local machine.

Get the Sample Code

Create a GitHub account. Download and install git. We will use git to manage our source code.

Verify that git is installed correctly:

git --version

Fork this repository and clone your forked repository to your local machine:

git clone https://github.com/YOUR_GITHUB_USERNAME/cyber-students.git

Setup the Project

Create a Python 3 virtual environment:

python -m venv project-venv

Activate the virtual environment:

:: ... on Windows:
.\project-venv\Scripts\activate
# ... on macOS/*nix:
source project-venv/bin/activate

Install the required packages:

cd cyber-students
pip install -r requirements.txt

Download, install and start MongoDB Community Edition. We will use MongoDB as our database.

Download and install MongoDB Shell. Open a MongoDB shell:

mongosh

Create two databases with a collection named users in each:

use cyberStudents;
db.createCollection('users');

use cyberStudentsTest;
db.createCollection('users');

The first database will store our 'real' data. The second database will be used by our tests.

Download and install curl. curl is also shipped by Microsoft as part of Windows 10 and 11. curl is a command-line tool for interacting with web servers (and other protocols).

Verify that curl is installed correctly:

curl --version

Start the Project

The server contains functionality for:

  • registering new users (api/handlers/registration.py)
  • logging in (api/handlers/login.py)
  • logging out (api/handlers/logout.py)
  • displaying profile (api/handlers/user.py)

To start the server:

python run_server.py

The server is available on port 4000 at http://localhost:4000/students/api. However, it is not possible to use all of the functionality offered by the server directly using a browser. Instead we will use curl to interact with the server.

Registration

To register a new user:

curl -X POST http://localhost:4000/students/api/registration -d "{\"email\": \"[email protected]\", \"password\": \"pass\", \"displayName\": \"Foo Bar\"}"

If the registration is successful, it will confirm the email address and the display name of the newly registered user:

{"email": "[email protected]", "displayName": "Foo Bar"}

If the registration is unsuccessful, for example, if you try to register the same user twice, it will return an error message:

{"message": "A user with the given email address already exists!"}

Logging In

To login:

curl -X POST http://localhost:4000/students/api/login -d "{\"email\": \"[email protected]\", \"password\": \"pass\"}"

If the login is successful, it will return a token and expiration timestamp:

{"token": "d4a5d8b20fe143b7b92e4fba92d409be", "expiresIn": 1648559677.0}

A token is intended to be short-lived. It expires two hours after login, after a logout, or when the same user logs in again, which generates a new token.

If the login is unsuccessful, for example, if you provide an incorrect password, it will return an error message:

{"message": "The email address and password are invalid!"}

Displaying a Profile

To display a user's profile you need a token that has not expired. Then you can use:

curl -H "X-TOKEN: d4a5d8b20fe143b7b92e4fba92d409be" http://localhost:4000/students/api/user

Note that this API call does not require the -X POST flag.

If successful, it will return the email address and the display name for the user:

{"email": "[email protected]", "displayName": "Foo Bar"}

Logging Out

To logout, you also need a token that has not expired. Then you can use:

curl -X POST -H "X-TOKEN: d4a5d8b20fe143b7b92e4fba92d409be" http://localhost:4000/students/api/logout

Test the Project

You can run the automated tests using:

python run_test.py

This command runs a number of automated tests in the tests folder. The tests read and store data in the cyberStudentsTest database only. They perform tests such as registering new users (tests/registration.py), logging in (tests/login.py), and logging out (tests/logout.py).

The project also includes a program called run_hacker.py. You can run it using:

python run_hacker.py list

It displays all information stored in the MongoDB database. It produces output similar to the following:

There are 1 registered users:
{'_id': ObjectId('6242d9c34536b3a16b49aa6b'), 'email': '[email protected]', 'password': 'pass', 'displayName': 'Foo Bar'}

As you can see, all of the information is stored in the clear; there is no encryption or password hashing. If a hacker were to compromise the database, they could easily run a similar program to retrieve all of the users' personal information and passwords.
