Project topic ideas
This is not an assignment. Read it and start thinking.
You and a partner (or two) are going to pick a topic to work on for the remainder of comps, and you're going to do it pretty soon. Here are some ideas. You can pick something from this document or develop an idea of your own. Let's talk.
I have organized this document by security topic rather than by specific tools because I want to keep the focus on deeply understanding some algorithm, problem, protocol, or technique.
1. Foundational security algorithms
1.1 Symmetric cryptography
Symmetric cryptography is encryption where sender and receiver share a key, and that key is used to both encrypt and decrypt messages. Symmetric encryption and decryption algorithms are much faster and generally more secure than asymmetric algorithms for comparable key sizes, but they suffer from a difficult key exchange problem. As a result, key exchange usually relies on a protocol built on asymmetric/public-key cryptography, after which the remainder of the communication takes place using symmetric cryptography.
If you are excited to learn the details of one of these algorithms, writing your own implementation would make a great comps topic. Here are some possibilities.
- Write an implementation of AES. This is the winner of the US National Institute of Standards and Technology (NIST) competition to create a modern symmetric algorithm for securing online communication. It's extremely widely used, notably within the TLS connections at the heart of https.
- Write an implementation of Twofish. This is one of the runners-up in the NIST competition, and is used a lot, too.
- Write an implementation of ChaCha20. Unlike the block ciphers AES and Twofish, ChaCha20 is a stream cipher, which makes it particularly well-suited for fast real-time encryption like VPNs. ChaCha20 is also reportedly easier to implement correctly than AES, which means that its implementations have a higher probability of being correct.
- Write an implementation of the long-obsolete DES plus an attack that can decrypt DES-encrypted ciphertext without a key.
- ...
My video intro to symmetric cryptography (25:54).
1.2 Asymmetric cryptography
Asymmetric cryptography, also known as public-key cryptography, helps solve a bunch of very tricky problems. It makes digital signatures possible, it helps solve the problem of key exchange between parties who have never communicated with each other before, and so on. It's a central piece of modern online commerce and encrypted communication.
Interested in learning more? Possible projects could include:
- Implement some variant of elliptic curve cryptography
- Implement some variant of RSA (see also section 2.2 below)
- Implement a tool to do some basic chain analysis of the bitcoin blockchain
- Implement something involving PGP
- ...
My video intro to asymmetric cryptography (21:40).
1.3 Cryptographic hash functions
Cryptographic hash functions are essential building blocks for safe password storage, digital signatures, data integrity, version control systems like git, etc. Unlike the hash functions we might study to make a good hash table data structure, cryptographic hash functions have to have a bunch of properties--pre-image resistance, collision resistance, etc.
If you want to dig deeper into these functions, you could:
- Implement one or more common hash functions like SHA-1, SHA-2, BLAKE2, etc.
- Explore the literature of common attacks against one of the older hash functions (e.g., MD5) and use those attacks in some way that subverts security based on the hash function.
- ...
My video intro to cryptographic hash functions (33:41).
1.4 Digital signatures
Digital signatures give you a way to ensure that the owner of a private key has approved a particular document, and that the document has not been changed since that approval took place.
Built up out of public-key encryption and cryptographic hash functions, digital signatures are another essential part of making
- Implement one or more of the digital signature algorithms (I'm running out of link-making steam, so look through the Wikipedia page for ideas)
- ...
2. Public Key Infrastructure (PKI)
2.1 Certificates
Getting a browser to trust that it is actually talking to the server it thinks it's talking to is a tricky problem, and is typically handled by some kind of public key infrastructure (PKI).
The most common scheme for this involves a thing called a certificate authority and certificates in either X.509 or EMV form. EMV is used for credit cards, but X.509 is used for https websites, among other things. In essence, a certificate says "this identity (e.g. jeffondich.com) is associated with this public key (0x31da593b6...)". But of course, it gets a lot more complicated than that.
You could try one of these:
- Implement tools analogous to the openssl command for constructing, parsing, validating, and displaying X.509 certificates
- I don't know anything about EMV, but you could do something similar with that standard
- ...
2.2 Public Key Cryptography Standards (PKCS)
The very first practical PKIs, back in the early 80s, were developed and documented by the RSA corporation. They published and have maintained a document series called PKCS.
If you want to see what's involved in developing a professional-level RSA encryption system, for example (as opposed to just doing the little "Being Eve" assignment in my security course), you could identify the appropriate PKCS documents and implement at least part of the specifications they describe.
3. TCP/IP networking
3.1 Making and maintaining TCP connections
Can you write a C program that sets up and maintains TCP connections from either the client or the server side? How about implementing a variant of netcat/nc?
3.2 Port scanning
nmap does so many things, and combines low-level networking with clever heuristics for learning stuff about various kinds of servers. Implementing a subset of nmap's services would be cool.
3.3 Host detection
This is one of the things nmap does. Can you make it fast?
3.4 Port forwarding
A very useful technique when you're attacking a networked collection of computers is to forward a port on one machine to a different port on the same or a different machine. I'm not going to explain exactly how this gets used here, but it's very useful. There are several tools that support port forwarding (ssh, ligolo, socat), and you could replicate some of their features.
This topic would also give you experience in setting up a small network of VMs to help you illustrate how network architectures can be used to protect computers on the inside of a local network (and, of course, can in turn be subverted by various hacking techniques).
3.5 ARP cache poisoning
ARP spoofing (also known as ARP cache poisoning) is one technique for performing an adversary-in-the-middle attack, interposing yourself in between two communicating computers with the intent of eavesdropping, diverting the communication, or modifying the communication in-flight.
There are a bunch of tools that do ARP spoofing for you (e.g. ettercap). Replicating one would give you a close look at Ethernet and other "medium access layer" protocols.
3.6 SSH
You could write a rudimentary SSH client or server. Just getting the handshake right would teach you a huge amount about encrypted communication and the various vulnerabilities in such a system.
3.7 TLS
Implementing a rudimentary web browser that speaks TLS would be a lot like writing an SSH server. And again, you'd learn a ton about the relevant protocols.
3.8 Packet sniffing
tcpdump, tshark, etc.
4. Authentication and authorization
4.1 Password cracking
Speaks for itself, and you've seen presentations on john and hashcat to motivate you. There are a ton of techniques here to choose from. Or you could pick a narrow slice of cracking techniques and focus on making the cracking fast (e.g. by exploiting GPU programming, multi-threaded programming, etc.).
4.2 Password spraying
How do you attack an SSH server or a password-protected web application? One way is to sling millions of username/password pairs at them really fast. See the tool hydra for inspiration.
4.3 OAuth
You know how sometimes a website wants you to log in using your Gmail or Facebook or Apple account? Such websites are typically using OAuth to delegate the process of Authorization (what do you get to do?) to a third party. Sometimes they're also delegating Authentication (are you who you say you are?) to the third party, though there are those who say doing authentication like this is a very bad idea.
Anyway, there are various software entities involved in OAuth interactions, and it could be fun to implement some of them.
5. Web security
5.1 SQL injection
Pick a subset of sqlmap features and reimplement them. Part of the fun here would be creating a web application that was vulnerable to a variety of injection attacks.
5.2 Proxying
Do some of what Burp Suite's proxy tool does.
6. Other
I'll doubtless keep throwing ideas here, but this is a start.