zoeyande2/lab_subrosa
1
0
Fork 0
generated from mwc/lab_subrosa
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
966da30fddf330aa6eab3430aa5323687551bad8
lab_subrosa/subrosa_analysis.md
zoeyande2 966da30fdd Finished checkpoint 1
2026-04-13 17:13:23 -04:00

46 lines
2.4 KiB
Markdown
Raw Blame History

# Sub Rosa Analysis
## Checkpoint 1
encrypted message: "cqHvxMiC6Z0+B+1yRMO4EX0fhhjhhI2C4JRdrMfhw5PKZf9Qv3/eq7KSNyQp4M1VJj4zcZK59vRC+Lz/2ZPefKqk3BcbK0Q8tWEmqR2x+HUrW/VmpP5xB4CtJeDS/lmV7a2hADGxveiYkt1df/G1WM7OXiYURGr5aSkh9cqdULGeZliyaTtttO8ZLcq16S4Wl/rUuoS5v7iRmdPlz0gLvkVu4nUV/+ytqQWIMQoEE2R/n9GC+U2K809ntkzkyWY39DUlEc+j4pxB6JM7CUosmGYksvWfipK2c/VP9Itk+kZdMd2Qn2n6CdSb/dbi/klTirucRw4aJ/okcY08t73VNA=="
Decrypt the message you received from the Sub Rosa administrator.
Include the code you used to decrypt it. What does the message say?
(done in python from the terminal)
>>> private = PrivateKey.load("subrosa_private_key.pem")
>>> public = PublicKey.load("subrosa_public_key.pem")
>>> private.decrypt("cqHvxMiC6Z0+B+1yRMO4EX0fhhjhhI2C4JRdrMfhw5PKZf9Qv3/eq7KSNyQp4M1VJj4zcZK59vRC+Lz/2ZPefKqk3BcbK0Q8tWEmqR2x+HUrW/VmpP5xB4CtJeDS/lmV7a2hADGxveiYkt1df/G1WM7OXiYURGr5aSkh9cqdULGeZliyaTtttO8ZLcq16S4Wl/rUuoS5v7iRmdPlz0gLvkVu4nUV/+ytqQWIMQoEE2R/n9GC+U2K809ntkzkyWY39DUlEc+j4pxB6JM7CUosmGYksvWfipK2c/VP9Itk+kZdMd2Qn2n6CdSb/dbi/klTirucRw4aJ/okcY08t73VNA==")
'Welcome to SubRosa! Please be a good community member.'
## Checkpoint 2
Once you have a fully-working client and server for encrypted chat, let's
analyze potential vulnerabilities of the system. Answer the following
questions:
1. When you interact with the server at `https://subrosa.makingwithcode.org`,
you have no way of knowing what code is running. If the people running
the server are dishonest, is it possible for them to read your encrypted
messages? If so, explain how. If not, explain why not.
2. Is it possible to impersonate another user, sending messages in their name?
If so, explain how--or demonstrate this with code. If not, explain why not.
3. You can use a signature (a message and its encrypted version) to prove you
have a private key, without sharing the key itself. After you send someone
a signature, what stops them from using the same signature to later
impersonate you?
4. On most websites, you can reset your password if you forget it, via a link
sent to your email or a code sent to your phone. If you lose your private
key, would it be possible to recover your messages?
5. Even if you can't read other peoples' messages, you can see the sender and the
recipient for each message. Is this a big deal? Could the server be redesigned
so that the sender and the recipient are also encrypted?
Reference in New Issue View Git Blame Copy Permalink