- Learn the overall workflow of the Kerberos authentication protocol.
Use Python 3.7+ and the PyCryptodome library to implement the Kerberos authentication protocol and AES (with the EAX mode of operation) to encrypt and decrypt the messages used by the Kerberos protocol. Figure 1 outlines the messages exchanged by the Kerberos protocol. Your task is to implement the classes/functions outlined in the provided skeleton code. You should not need any other imports or 3rd-party libraries. The file also contains testing code that you can use to validate whether your implementation works as expected. For more information about the PyCryptodome library, visit the documentation.
- For AES encryption, use EAX mode and ensure you handle the number used once (nonce) and MAC tag requirements of this algorithm.
- The AES encryption function should be able to encrypt any Python object (not just bytes) and the decrypt function should return the exact object that was encrypted.
- Ensure you salt passwords using the username and realm name before hashing them using the SHA256 hash function.
- The client should print appropriate error messages if any stage of the Kerberos process fails.
- Do not change the class/function names given in the skeleton code. Your code will be tested using other test programs that expect the given naming.
- main.py: The Python file you are required to complete and submit.
- users.json: JSON file containing the database of users and their secret keys (used by AS). The correct usernames and password combinations that can be used to test the program are given in Table 1.
- test.txt: Sample text file used to test the program.
The expected output of the testing code provided in the skeleton code is given below. You may wish to test your code further using different inputs.
$ python main.py
Password: <correct password>
Retrieved test.txt from FS:
this is a test file
the file server will return this to the client
after successfully authenticating using kerberos
$ python main.py
Password: <incorrect password>
Failed to decrypt client/TGS session key.