This document outlines the technical design for implementing TLS/SSL encryption and user authentication to make Terminal Chat suitable for cloud deployment (AWS).
Goal: Transform the current LAN-only chat into a secure, internet-ready application.
Approach: Layered security with backward compatibility option.
Client Server
| |
|--- Plain TCP Socket ----|
| |
|-- Encrypted Payload --->|
|<-- Encrypted Payload ---|
Client Server
| |
|--- TLS/SSL Socket ------| ← Transport encryption
| |
|-- Auth Challenge ------>| ← Authentication layer
|<-- Auth Response -------|
| |
|-- Session Token ------->| ← Session management
| |
|-- Encrypted Payload --->| ← End-to-end encryption
|<-- Encrypted Payload ---| (existing)
Layered Security:
- TLS transport (encrypts everything including metadata)
- User authentication (proves identity)
- Session management (tracks authenticated sessions)
- End-to-end encryption (existing message encryption)
ssl/
├── server.key - Private key (keep secret!)
├── server.crt - Public certificate
├── ca.crt - Certificate Authority (optional)
└── generate_certs.sh - Helper script
Self-Signed vs CA-Signed:
- Development/Family: Self-signed (free, complex initial setup)
- Production: Let's Encrypt (free, automated, trusted)
# Server TLS setup
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain('ssl/server.crt', 'ssl/server.key')
ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3 # Modern TLS only
# Client TLS setup
ssl_context = ssl.create_default_context()
ssl_context.check_hostname = True
ssl_context.verify_mode = ssl.CERT_REQUIRED
ssl_context.load_verify_locations('ssl/server.crt') # For self-signedSecurity Settings:
- Minimum TLS 1.3 (or 1.2 as fallback)
- Strong cipher suites only
- Certificate verification enforced
- Hostname validation enabled
# users.json (encrypted at rest)
{
"alice": {
"password_hash": "scrypt$...",
"salt": "random_salt",
"created": "2025-11-02T10:00:00Z",
"last_login": "2025-11-02T10:30:00Z",
"is_admin": false,
"is_active": true
},
"admin": {
"password_hash": "scrypt$...",
"salt": "random_salt",
"created": "2025-11-01T00:00:00Z",
"last_login": "2025-11-02T09:00:00Z",
"is_admin": true,
"is_active": true
}
}Password Hashing:
- Algorithm:
scrypt(memory-hard, GPU-resistant) - Fallback:
argon2orbcrypt - Salt: Unique per user, cryptographically random
- Cost factor: High enough to be slow (~100ms)
1. Client connects via TLS
Client → Server: TLS handshake
2. Server sends auth challenge
Server → Client: {"action": "auth_required"}
3. Client sends credentials
Client → Server: {"username": "alice", "password": "secret123"}
4. Server validates
- Check username exists
- Verify password hash
- Check account active
- Generate session token
5. Server responds
Success: {"status": "ok", "token": "abc123...", "expires": 3600}
Failure: {"status": "error", "message": "Invalid credentials"}
6. Client stores token and includes in all requests
Client → Server: {"token": "abc123...", "action": "send_message", ...}
# sessions.py
class SessionManager:
def __init__(self):
self.sessions = {} # token -> session_data
self.cleanup_thread = threading.Thread(target=self.cleanup_expired)
def create_session(self, username):
token = secrets.token_urlsafe(32)
expires = time.time() + 3600 # 1 hour
self.sessions[token] = {
'username': username,
'expires': expires,
'created': time.time(),
'ip': client_ip
}
return token, expires
def validate_session(self, token):
if token not in self.sessions:
return None
session = self.sessions[token]
if time.time() > session['expires']:
del self.sessions[token]
return None
return session['username']
def revoke_session(self, token):
if token in self.sessions:
del self.sessions[token]# rate_limiter.py
class RateLimiter:
def __init__(self):
self.attempts = defaultdict(list) # ip -> [timestamps]
self.blocked = {} # ip -> block_until_timestamp
def check_connection(self, ip, max_per_min=5):
# Check if blocked
if ip in self.blocked:
if time.time() < self.blocked[ip]:
return False, "Blocked: too many attempts"
del self.blocked[ip]
# Clean old attempts
now = time.time()
self.attempts[ip] = [t for t in self.attempts[ip]
if now - t < 60]
# Check limit
if len(self.attempts[ip]) >= max_per_min:
self.blocked[ip] = now + 300 # Block for 5 minutes
return False, "Rate limit exceeded"
self.attempts[ip].append(now)
return True, "OK"
def check_auth_failure(self, ip, max_failures=3):
# Track failed auth attempts separately
# Similar logic but with harsher penalties
pass# user_admin.py
class UserAdmin:
def __init__(self, user_db_path='data/users.json'):
self.db_path = user_db_path
self.users = self.load_users()
def create_user(self, username, password, is_admin=False):
if username in self.users:
raise ValueError("User already exists")
salt = secrets.token_bytes(32)
password_hash = self.hash_password(password, salt)
self.users[username] = {
'password_hash': password_hash,
'salt': base64.b64encode(salt).decode(),
'created': datetime.now().isoformat(),
'is_admin': is_admin,
'is_active': True
}
self.save_users()
def verify_password(self, username, password):
if username not in self.users:
return False
user = self.users[username]
if not user['is_active']:
return False
salt = base64.b64decode(user['salt'])
password_hash = self.hash_password(password, salt)
return password_hash == user['password_hash']
def hash_password(self, password, salt):
# Use scrypt for password hashing
return hashlib.scrypt(
password.encode(),
salt=salt,
n=2**14, # CPU/memory cost
r=8,
p=1,
dklen=32
).hex()# Create admin user
python3 -m terminal_chat.admin create-user --username admin --admin
# Create regular user
python3 -m terminal_chat.admin create-user --username alice
# List users
python3 -m terminal_chat.admin list-users
# Deactivate user
python3 -m terminal_chat.admin deactivate --username bob
# Change password
python3 -m terminal_chat.admin change-password --username alice# security_logger.py
class SecurityLogger:
def __init__(self):
self.setup_logging()
def log_auth_success(self, username, ip):
logging.info(f"AUTH_SUCCESS: {username} from {ip}")
def log_auth_failure(self, username, ip):
logging.warning(f"AUTH_FAILURE: {username} from {ip}")
def log_rate_limit(self, ip, reason):
logging.warning(f"RATE_LIMIT: {ip} - {reason}")
def log_session_created(self, username, token_prefix):
logging.info(f"SESSION_CREATE: {username} - {token_prefix}...")
def log_suspicious_activity(self, ip, description):
logging.error(f"SUSPICIOUS: {ip} - {description}")# metrics.py
class Metrics:
def __init__(self):
self.counters = defaultdict(int)
self.gauges = {}
def increment(self, metric):
self.counters[metric] += 1
def gauge(self, metric, value):
self.gauges[metric] = value
def get_stats(self):
return {
'auth_attempts': self.counters['auth_attempts'],
'auth_failures': self.counters['auth_failures'],
'active_sessions': self.gauges['active_sessions'],
'rate_limit_blocks': self.counters['rate_limit_blocks']
}Goal: Setup basic TLS without breaking existing functionality
-
Day 1-2: TLS Layer
- Create certificate generation script
- Add TLS context to server
- Add TLS context to client
- Test basic encrypted connection
- Maintain backward compatibility flag
-
Day 3-4: Testing
- Unit tests for TLS setup
- Integration tests for connections
- Performance benchmarks
- Documentation
Deliverable: TLS-enabled version (optional flag)
Goal: Implement user authentication system
-
Day 1-2: User Database
- Create user database schema
- Implement password hashing
- Create user admin CLI
- Add user management functions
-
Day 3-4: Auth Flow
- Implement auth challenge/response
- Add session management
- Update client to handle auth
- Test auth flow
Deliverable: Fully authenticated system
Goal: Add protection against attacks
-
Day 1-2: Rate Limiting
- Implement connection rate limiter
- Add auth failure tracking
- Add IP blocking logic
- Test rate limiting
-
Day 3-4: Logging & Monitoring
- Setup security event logging
- Add metrics collection
- Create monitoring dashboard
- Test logging system
Deliverable: Production-ready security
Goal: Deploy to AWS and document
-
Day 1-2: AWS Setup
- EC2 instance configuration
- Security group rules
- Let's Encrypt setup
- Domain configuration (optional)
-
Day 3-4: Documentation
- Deployment guide
- Security best practices
- User onboarding docs
- Troubleshooting guide
Deliverable: Running on AWS with docs
Terminal-Chat-Program/
├── src/
│ ├── lib/
│ │ ├── __init__.py
│ │ ├── utils.py
│ │ ├── encryption.py # Existing
│ │ ├── tls_manager.py # NEW: TLS setup
│ │ ├── auth_manager.py # NEW: Authentication
│ │ ├── session_manager.py # NEW: Sessions
│ │ ├── rate_limiter.py # NEW: Rate limiting
│ │ ├── user_admin.py # NEW: User management
│ │ ├── security_logger.py # NEW: Security logging
│ │ ├── metrics.py # NEW: Metrics
│ │ ├── server.py # MODIFIED: Add TLS/Auth
│ │ └── client.py # MODIFIED: Add TLS/Auth
│ ├── secure/ # NEW: Secure version
│ │ └── terminal_chat_tls.py
│ ├── admin/ # NEW: Admin tools
│ │ ├── __init__.py
│ │ └── user_admin_cli.py
│ ├── legacy/
│ │ └── terminal_chat.py # Original
│ └── modular/
│ └── terminal_chat_modular.py
├── ssl/ # NEW: Certificates
│ ├── generate_certs.sh
│ ├── server.key
│ ├── server.crt
│ └── README.md
├── data/
│ ├── users.json # NEW: User database
│ ├── inbox/
│ ├── outbox/
│ └── shared/
├── tests/
│ ├── test_chat.py # Existing
│ ├── test_tls.py # NEW
│ ├── test_auth.py # NEW
│ ├── test_rate_limit.py # NEW
│ └── test_security.py # NEW
└── docs/
├── SECURITY_ASSESSMENT.md
├── SECURITY_ENHANCEMENT_CONCEPT.md # This document
├── TLS_SETUP_GUIDE.md # NEW
├── USER_MANAGEMENT.md # NEW
└── AWS_DEPLOYMENT.md # NEW
Keep both secure and legacy versions:
# Server startup
if args.secure:
# Use TLS + Auth
server = SecureChatServer(...)
else:
# Use legacy (LAN only)
server = ChatServer(...)Migration Path:
- Deploy secure version on AWS
- Keep legacy for LAN use
- Gradually migrate users
- Eventually deprecate legacy
# test_tls.py
def test_tls_connection():
# Test TLS handshake succeeds
pass
def test_certificate_validation():
# Test cert validation works
pass
# test_auth.py
def test_user_creation():
# Test creating user works
pass
def test_password_verification():
# Test password hashing/verification
pass
def test_session_management():
# Test session creation/validation
pass
# test_rate_limit.py
def test_connection_rate_limit():
# Test rate limiting works
pass
def test_auth_failure_blocking():
# Test blocking after failed auths
pass# test_security.py
def test_full_auth_flow():
# Test complete auth workflow
pass
def test_tls_encrypted_messages():
# Test messages encrypted over TLS
pass
def test_session_expiry():
# Test expired sessions rejected
pass# test_security_attacks.py
def test_replay_attack_prevention():
# Test replayed tokens fail
pass
def test_brute_force_prevention():
# Test rate limiting blocks brute force
pass
def test_mitm_prevention():
# Test MITM attack fails
pass# config/server_config.yaml
server:
port: 4444
host: "0.0.0.0"
tls:
enabled: true
cert_file: "ssl/server.crt"
key_file: "ssl/server.key"
min_version: "TLSv1.3"
auth:
enabled: true
user_db: "data/users.json"
session_timeout: 3600
max_failed_attempts: 3
rate_limit:
enabled: true
max_connections_per_minute: 5
block_duration: 300
logging:
level: "INFO"
security_log: "logs/security.log"
access_log: "logs/access.log"# config/client_config.yaml
server:
host: "chat.example.com"
port: 4444
tls:
enabled: true
verify_cert: true
ca_bundle: "ssl/server.crt"
auth:
username: null # Prompt on start
save_token: true
token_file: ".chat_token"- Server private key: Keep offline, encrypted at rest
- Client verification: Pin server certificate
- Key rotation: Plan for periodic rotation
- Backup keys: Secure backup strategy
- Minimum 12 characters
- Require uppercase, lowercase, number, symbol
- No common passwords (check against list)
- Password expiry: Optional (90 days)
- Short session timeout (1 hour default)
- Logout invalidates session
- Concurrent session limit per user
- Session cleanup on server restart
- Log all auth attempts
- Log all admin actions
- Retain logs for 90 days
- Regular security audits
- CPU: ~5-10% additional
- Latency: ~10-50ms handshake
- Throughput: Minimal impact after handshake
Mitigation:
- Use TLS 1.3 (faster handshake)
- Enable session resumption
- Use hardware acceleration if available
- Password hashing: ~100ms per auth
- Session lookup: <1ms
- Rate limit check: <1ms
Mitigation:
- Cache session validations
- Use efficient data structures
- Optimize database queries
- TLS Layer: 2 days
- Authentication: 4 days
- Rate Limiting: 2 days
- Testing: 4 days
- Documentation: 2 days
- Total: ~3 weeks
- EC2 t3.micro: $7-10
- Data transfer: $1-5
- Let's Encrypt: $0
- Domain (optional): $12
- Total: $8-15/month (without domain)
- Security updates: 2 hours/month
- User support: 4 hours/month
- Monitoring: 1 hour/month
- Total: ~7 hours/month
- TLS 1.3 connection works
- User authentication works
- Session management works
- Rate limiting works
- All tests pass (100 coverage)
- No plain text transmission
- Passwords properly hashed
- Sessions properly validated
- Rate limiting prevents brute force
- Security events logged
- <100ms auth overhead
- <50ms TLS handshake
- Handles 50 concurrent users
- <1% CPU for security checks
- Simple user creation
- Clear error messages
- Automatic reconnection
- Session persistence works
Mitigation: Use Let's Encrypt auto-renewal
Mitigation: Password reset mechanism (email or admin)
Mitigation: Benchmark and optimize
Mitigation: Maintain legacy version, gradual migration
- Review this concept - Get feedback
- Create detailed specs - For each component
- Setup development environment - AWS test instance
- Begin Phase 1 - TLS implementation
- Iterate and improve - Based on testing
- Self-signed or Let's Encrypt certificates?
- Password reset mechanism needed?
- Email notifications for security events?
- Rate limiting: connection-based or IP-based?
- Session storage: memory or database?
- Multi-factor authentication needed?
- LDAP/OAuth integration in future?
Ready to proceed? This concept provides the foundation for implementing secure, cloud-ready Terminal Chat. Each component is modular and can be developed/tested independently.
Estimated Timeline: 3-4 weeks for full implementation Difficulty: High (requires security expertise) Reward: Production-ready, secure chat application