Secure TCP-over-UDP Protocol Suite

1. Overview

This project is a Python-based implementation of a custom reliable transport protocol that operates over UDP. It is designed to mimic core TCP functionalities, including connection establishment, reliable data transfer, flow control, and congestion control.

The key feature of this suite is a robust, modern security layer inspired by TLS 1.3, providing authenticated encryption for all communications. This layer is implemented using a 1-RTT (Round-Trip Time) handshake with Diffie-Hellman key exchange (X25519) and AES-GCM for authenticated encryption, ensuring both confidentiality and integrity.

The project includes two sample applications built on top of this secure protocol: a multi-client chat room and a reliable file transfer application.

2. Key Features

Transport Layer (TCP-like)

• Connection-Oriented: Simulates a connection-based stream using a three-way handshake (SYN, SYN-ACK, ACK).
• Reliable Delivery: Guarantees that all data is delivered in the correct order and without corruption, using sequence numbers and acknowledgements.
• Dynamic Retransmission Timeout (RTO): Implements the Jacobson/Karels algorithm to dynamically adjust the retransmission timeout based on measured Round-Trip Times (RTT), ensuring efficient performance on various network conditions.
• Congestion Control: Features a congestion control mechanism with Slow Start, Congestion Avoidance, and Fast Retransmit to prevent network overload.
• Flow Control: Uses a sliding window protocol to manage data flow and prevent the receiver's buffer from being overwhelmed.

Security Layer (TLS 1.3-inspired)

• Optional TLS: Connections can be established in either plaintext or secure (TLS) mode over the same port, negotiated at the start of the connection.
• 1-RTT Handshake: The TLS handshake is optimized to complete in a single round-trip, significantly reducing initial connection latency.
• Modern Cryptography:
  • Key Exchange: Uses Elliptic Curve Diffie-Hellman (ECDHE) with the X25519 curve for perfect forward secrecy.
  • Authenticated Encryption: Employs AES-256-GCM to provide both confidentiality and data integrity for all application data.
  • Hashing: Uses SHA-256 within the HKDF function for robust session key derivation.
• Server Authentication: Prevents Man-in-the-Middle (MITM) attacks by using X.509 certificates. The server presents a certificate signed by a trusted (self-signed) Certificate Authority (CA), and the client verifies its authenticity.
• Robust Record Layer: Protects against replay attacks by using sequence numbers as Associated Data (AAD) and ensures message framing to handle network fragmentation.

3. Project Structure

The project is organized into a modular structure for clarity and maintainability.

Secure TCP over UDP Socket/
│
├── protocol/                # Core protocol logic
│   ├── __init__.py         
│   ├── packet.py            # Defines the Packet class
│   ├── connection.py        # Implements the base TCP-Over-UDP Connection
│   ├── secure_connection.py # Implements the SecureConnection (TLS) wrapper
│   └── tcp_socket.py        # The main TCP class for connect() and accept()
│
├── apps/                    # Sample Applications
│   ├── chat_room/
│   │   ├── __init__.py         
│   │   ├── client.py
│   │   ├── client2.py
│   │   └── server.py
│   │
│   └── file_transfer/
│       ├── __init__.py         
│       ├── secure_client.py
│       ├── unsecure_client.py
│       └── secure_server.py
│       └── unsecure_server.py
│
├── certs/                   # Stores generated certificates and keys
│   ├── ca-cert.pem
│   ├── ca-key.pem
│   ├── server-cert.pem
│   └── server-key.pem   
|
├── files/                   # Files you can save and read from file_transfer clients 
│   └── ...
│
├── docs/                    # Documents 
│   └── ...
│
├── generate_certs.py        # Script to generate the self-signed certificates
└── README.md               

4. Setup and Usage

Follow these steps to set up and run the applications.

4.1. Prerequisites

• Python 3.8+
• The cryptography library. Install it via pip:

  pip install cryptography

4.2. Step 1: Generate Certificates

Before running any server, you must generate the required self-signed certificates for the TLS layer. Run the generation script from the root directory of the project:

python generate_certs.py

This will create the certs/ directory and populate it with four files: ca-key.pem, ca-cert.pem, server-key.pem, and server-cert.pem.

4.3. Step 2: Run an Application

You can run either the chat or the file transfer application.

To run the Secure Chat Room:

1. Start the server:

   python -m apps.chat_room.server

   The server will start and listen for secure connections.

2. Start one or more clients: Open new terminal windows and run the client script.

   python -m apps.chat_room.client

   Each client will prompt you for a nickname and then connect securely to the chat room.

To run the Secure File Transfer:

1. Start the server:

   python -m apps.file_transfer.secure_server

   The server will start and wait for one or more clients to send a file even simultaneously.

2. Start one or more clients:

   python -m apps.file_transfer.secure_client

   The client will prompt you for the path to a file you wish to send. Upon successful transfer, the server will save the file as received_<original_filename>.

5. Future Improvements

This implementation provides a strong foundation. Potential future enhancements include:

• 0-RTT Handshake: Implement session resumption using tickets to achieve zero round-trip time for subsequent connections.
• Certificate Revocation: Add support for checking certificate revocation status (e.g., via OCSP).
• More Robust Error Handling: Implement the full TLS Alert Protocol for more granular error reporting between client and server.
• Performance Optimization: Profile the code to identify and optimize potential bottlenecks in the packet processing and cryptographic loops.