Abdul Mohamed

Exploring Secure Communication: Building a Custom VPN

During our CPEN 442 Security class, my classmates Amod, David, Alfredo, and I embarked on an ambitious project to design and implement a custom Virtual Private Network (VPN). The goal was to create a secure communication system capable of withstanding various attacks, including the infamous man-in-the-middle (MITM) attack. This project not only deepened our understanding of cryptographic principles but also challenged us to think critically about real-world security implementations.

The Challenge

The task was to develop a VPN that ensures:

  • Confidentiality: Encrypting all communications so that intercepted messages remain unreadable.
  • Integrity: Detecting any tampering of transmitted data.
  • Authentication: Verifying that both parties in the communication are legitimate.
  • Replay Protection: Preventing attackers from reusing captured packets to compromise the system.

How It Works

Our VPN implementation uses the Elliptic Curve Diffie-Hellman (ECDH) protocol for secure key exchange, establishing a shared secret between the client and server. With this shared secret, we derive two separate session keys—one for encryption using AES in CBC mode and another for authentication via HMAC. This separation of duties enhances security by ensuring that a compromise of one key does not affect the other.

Each message includes:

  • A unique sequence number for replay detection.
  • An HMAC for integrity verification.
  • A new public key for the next session, ensuring forward secrecy.

Facing the Adversary

A crucial aspect of our project was simulating an active MITM attacker. Our system was rigorously tested against scenarios where packets were dropped, modified, or replayed. Any suspicious activity triggered warnings on the server, reinforcing the robustness of our protocol.

Key Takeaways

This project offered invaluable lessons in cryptographic design and implementation. It highlighted the complexity of ensuring secure communication in the presence of active adversaries and the importance of meticulous testing to identify vulnerabilities.

As a team, we successfully built a functioning VPN that met the core security requirements. Working with Amod, David, and Alfredo was a rewarding experience, as we combined our skills and knowledge to tackle this challenging yet highly educational project.

Implementation

https://github.com/hamaney/CPEN442_VPN