Programming Project: Authenticator

Programming Project: Authenticator
CPSC-298-6 Programming in C++

Introduction
For this assignment you'll develop an authentication mechanism that mimics a system
shown in a major motion picture (a movie that incidentally has an interesting association
with Chapman University). The authentication mechanism in this case is used to prove
the identity of the sender of a message. The movie's depiction is close to the real thing.
Background
You provide a password and username to gain access to nearly every software system
you use, from banking systems to Canvas to your Netflix account. In some cases, these
systems require multi-factor authentication, where the password is supplemented by a
token inserted into a card reader, as might be used at an automated bank teller machine,
or by Microsoft's Authenticator application for your smart phone. With multi-factor
authentication, you authenticate using something you know (a password) and something
you have (a token).
The software systems you'll work on in the future undoubtedly will use some form of
authentication. While such systems use elaborate protocols and complex encryption, they
ultimately distill down to a comparison; for instance, does the password typed in match
the expected password?
The 1995 motion picture Crimson Tide, starring Denzel Washington and Gene Hackman,
centers on the authentication system used aboard United States Navy nuclear ballistic
missile submarines. One part of this system is the Sealed Authenticator System (SAS)
used to authenticate Emergency Action Messages (EAMs) radioed to the submarine. In
the movie, the crew of the submarine uses the SAS code to verify that a received message
is real and not an attempt at spoofing.
2
An SAS code is a series of random letters (and maybe numbers); SAS codes are produced
by the super-secret National Security Agency (NSA).
1 A special NSA machine stamps
the code on two plastic cards which it then seals in a metal foil (or plastic sheath). The
machine does the stamping and sealing automatically; no human eyes ever see the codes
until the foil (or plastic) is broken. Because they look like edible wafer bars, the sealed
plastic cards are nicknamed cookies.
One of the two identical cookies is placed aboard the submarine (the message receiver)
and the other is placed at headquarters (the message sender). When an Emergency Action
Message is to be sent, a staff member at headquarters opens the cookie (an action known
as "cracking the cookie"), and inserts the code into the message to be sent to the
submarine. When the message is received, the submarine crew cracks their
corresponding cookie and compares the code on the plastic card to the code sent from
headquarters. If the two match, the message is authentic.
 1 Waller, Douglas C. "Practicing for Doomsday," Time, March 4th, 2001 online:
http://content.time.com/time/magazine/article/0,9171,101361-3,00.html
3
4
Assignment
In this assignment, you'll build an authenticator that automatically compares the SAS
codes, just as the actors do in the movie. (You'll learn more about the movie's connection
to Chapman University at the end of the assignment.) One code, that of the Authenticator
onboard the submarine, will be "hard-coded" in your program. The second, the code sent
in the Emergency Action Message, will be entered by the user.
Instead of the seven characters in the code depicted in the move, you'll use a three letter
code.
Consider using a single source file and naming it authenticator.cpp. (You don't have to do
this if you'd prefer another approach.)
The assignment is broken into four parts; each part could be a short segment in a C++
main function. In part I, you'll prompt the user to enter the three letter message code and
display the message and Authenticator codes. In part II, you'll perform a character-bycharacter comparison of the codes. In part III, you'll compare the codes using string
comparison. In part IV, you'll characterize the received message code and display
information helpful in defeating spoofing attempts.
Part I: Entering and Displaying the Codes
In the first part of the program, you'll begin by defining the Authenticator code on the
SAS plastic card as three character constants: 'E', 'C', 'A'. (These are the middle three
characters from the movie's code.)
const char k_cAuthenticatorCodeCharacter1    =    'E';
const char k_cAuthenticatorCodeCharacter2    =    'C';
const char k_cAuthenticatorCodeCharacter3    =    'A';
5
You don't need to use the names shown in the example.2
You'll prompt the user to enter the code characters from the Emergency Action Message
(the paper message shown earlier), one at a time. For example, your input might look like
this. (We'll refer to the Emergency Action Message as just the "message" from now on)
The message code characters the user enters will be read in to character variables that
you've declared.
Next, you'll concatenate the characters for the message code into a string variable
(std::string) and display it; you'll do the same for the characters of the Authenticator code.
The output should look similar to the following.
Use the += operator, which the string class supports, to concatenate the characters into
the string variables.
Part II: Reporting the Authenticity of the Code Using Character
by Character Comparison
If the characters in the message code match the corresponding characters in the
Authenticator code, report the message as authentic.
If any one of the characters in the message code does not match the corresponding
character in the Authenticator code, report the message as invalid.
Compare each character to its corresponding character; you must use the == and &&
operators. In the next section, you'll compare the strings.
 2 The k_ in these names gives a hint the programmer reading the code that this is a constant. The c in k_c
hints that this is a character constant; the remainder is the descriptive name of the identifier,
AuthenticatorCodeCharacter1. The k_c prefix serves as a crude form of what is known as Hungarian
Notation. Some people love it; most hate it. A simpler notation, called Application Hungarian, has greater
appeal. The style shown here is called System Hungarian. The notation was invented by Microsoft engineer
Charles Simonyi, who is of Hungarian descent. (It served as his Ph.D. thesis.)
6
Part III: Reporting the Authenticity of the Code Using String
Comparison
This part of your program simulates the crew double checking the message. (Denzel
Washington, who plays the submarine's executive officer, compares the codes at this
point and says "I concur sir.")
Compare the strings you created earlier that contain the concatenations of the characters
of the message code and the Authenticator code.
If the strings compare, indicate the concurrence as: "Concurrence: message is authentic."
If the strings do not compare, report: "Concurrence: message is invalid."
Part IV: Characterizing the Received Message Code
If an attempt is made to spoof the system, you need to characterize the attack (to help you
improve your defenses against future attacks). Some codes sent to spoof the system might
be valid, though older, previously used codes. It would be useful to know this - it tells
you if the attacker has access to your older codes.
A checksum can be used to distinguish a potentially valid code from a completely invalid
one. Credit cards, for example, use the Luhn algorithm (Luhn algorithm - Wikipedia,
https://en.wikipedia.org/wiki/Luhn_algorithm) to determine if the user entered the card
number correctly when conducting an online transaction. With the Luhn algorithm, a
website can tell you, in most cases, if you entered the credit card number incorrectly right
away; you don't need to wait while it checks it against a database.
For this part of the assignment, you'll use a very simple check. Valid SAS codes have a
checksum of 5 when computed as follows:
checksum = (int(character1) + int(character2) + int(character3)) % 7
Characters have integer values called ASCII (American Standard Code for Information
Interchange) values. Code such as int(character1) gives the integer value of the code. The
% character is the modulo operator.
You'll create a constant checksum integer value, 5, for the valid code.
const int k_iValidCodeChecksum    =    5;
You'll compute the checksum of the message code and compare it to the valid checksum.
If the checksums match, you'll report as follows:
7
If the checksum is invalid, you'll report as follows:
You'll also report the ASCII value of each character as well as the sum of the ASCII
values.
Next, you'll report which particular pairs of corresponding characters in the message and
Authenticator codes did not match. For example, if all three characters do not match, the
output may appear as follows:
For this portion of the assignment, you must use the != operator.
Finally, if the message code and Authenticator code strings do not match, report their
lexicographical relationship. If the message code is lexicographically less than the
Authenticator code, write text output to the console to so indicate.
If the message code is lexicographically greater than the Authenticator code, write text
output to the console to so indicate.
You must use the < and > operators for this part of the assignment and will use the string
variables for the message code and the authenticator code.
Here's an example of the characterization of a valid message code.
Here's an example of the characterization of an invalid message code that has a correct
checksum and has all three characters differing.
8
Here's an example of the characterization of an invalid message code that has an incorrect
checksum and has two characters differing.
Running the Program
For this assignment, run the program three times.
The first run should use a valid message code: E, C, A. The output should look similar to
this:
In the second run, enter a code such as C, K, B, where the message is invalid yet has a
correct checksum value (5).
9
In the final run, enter an invalid message code such as N, S, A, where only two characters
are different from the Authenticator code and the message code has an invalid checksum.
When you submit the assignment, provide a screen shot of the second case shown above
and a link to your GitHub repository where your source file, authenticator.cpp, resides.
The Chapman Connection
Now, regarding the movie's connection to Chapman University...
A scene in the movie depicts actors Denzel Washington and Gene Hackman leaving
"U.S. Naval Headquarters, Pearl Harbor, Hawaii." The images below show a few stills
from that scene.
10
11
The building, though, may look familiar to you.
It's Memorial Hall on the main campus of Chapman University!