MuhammadAyanSajid/IS-Lab-Project

G-DES Secure Vault // Cyberpunk Edition

A high-contrast, security-focused web application demonstrating a practical implementation of Symmetric Block Cryptography integrated with a Hybrid Access Control Model (RBAC + DAC).

Designed for the 4th-semester Information Security Laboratory project, this system models a secure, sandboxed file repository for protecting sensitive data-at-rest on shared organizational networks.


Live Demo

The application is actively hosted on PythonAnywhere and can be evaluated live at: ayan1.pythonanywhere.com


Core Security Features

1. Custom G-DES Cryptography (Confidentiality)

  • Generalized DES: Implements Ingrid Schaumüller-Bichl's G-DES symmetric block cipher, which widens the 64-bit DES block to a 128-bit block of $a = 4$ subblocks of 32 bits each. Each round applies the round function to one 32-bit subblock, XORs the result into the remaining subblocks and rotates the block by one subblock, so the design is the same Feistel-style structure as DES, just with more subblocks per round.
  • Key Schedule: Expands a 64-bit master key into 16 round subkeys of 32 bits each using cyclic shift rotations of the master key.
  • Padding: Uses PKCS#7 padding so that files of arbitrary byte length fill whole 16-byte blocks; the padding is stripped and checked again on decryption.
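The round structure and padding described above, as an added example that is not the project's gdes.py. It keeps the G-DES shape (four 32-bit subblocks, round function applied to the last subblock, XORed into the others, block rotated) and PKCS#7 padding, but everything else is an assumption: `_f` is a toy 32-bit mixer standing in for the DES f-function (no S-boxes, no security claim), the key schedule simply takes the low 32 bits of a rotated 64-bit master key, and whole files are chained in CBC mode with a random IV prepended, since the README does not state the chaining mode.

```python
"""G-DES-style cipher over 128-bit blocks (illustrative, added example).

Not the project's gdes.py. The block is split into Q 32-bit subblocks; each
round applies a round function to the last subblock, XORs the result into
every other subblock, then rotates the block right by one subblock. Q = 4
gives the 128-bit block the README describes.

Assumptions (not from the project): `_f` is a toy mixer, not the DES
f-function; the key schedule rotates a 64-bit master key and takes 32 bits;
files are chained in CBC mode with a random IV prepended.
"""
import secrets

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
Q = 4                # 32-bit subblocks per block -> 128-bit block
ROUNDS = 16
BLOCK = 4 * Q        # block size in bytes (16)


def _rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x: int, k: int) -> int:
    """Toy round function (assumption). It only has to be a deterministic map
    of (subblock, subkey); decryption never needs its inverse."""
    x = ((x ^ k) * 0x9E3779B1) & MASK32
    return x ^ _rotl32(x, 13) ^ _rotl32(x, 7)


def key_schedule(master_key: bytes) -> list:
    """64-bit master key -> ROUNDS 32-bit subkeys via cyclic rotation (assumption)."""
    if len(master_key) != 8:
        raise ValueError("master key must be exactly 8 bytes")
    k = int.from_bytes(master_key, "big")
    subkeys = []
    for _ in range(ROUNDS):
        k = ((k << 5) | (k >> 59)) & MASK64   # rotate the 64-bit key left by 5
        subkeys.append(k & MASK32)
    return subkeys


def _split(block: bytes) -> list:
    return [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(Q)]


def _join(words: list) -> bytes:
    return b"".join(w.to_bytes(4, "big") for w in words)


def encrypt_block(block: bytes, subkeys: list) -> bytes:
    b = _split(block)
    for k in subkeys:
        f = _f(b[-1], k)
        b = [b[-1]] + [w ^ f for w in b[:-1]]   # XOR into the others, rotate right
    return _join(b)


def decrypt_block(block: bytes, subkeys: list) -> bytes:
    b = _split(block)
    for k in reversed(subkeys):
        f = _f(b[0], k)                         # b[0] was the round's input last subblock
        b = [w ^ f for w in b[1:]] + [b[0]]     # undo the XOR, rotate left
    return _join(b)


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK               # 1..BLOCK: aligned input still gets a pad block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("padded data must be a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(data: bytes, master_key: bytes, iv: bytes = None) -> bytes:
    """Returns IV || CBC(pad(data)). Pass a fixed iv only for deterministic tests."""
    subkeys = key_schedule(master_key)
    prev = iv if iv is not None else secrets.token_bytes(BLOCK)
    out, padded = [prev], pkcs7_pad(data)
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(_xor(padded[i:i + BLOCK], prev), subkeys)
        out.append(prev)
    return b"".join(out)


def decrypt(blob: bytes, master_key: bytes) -> bytes:
    subkeys = key_schedule(master_key)
    if len(blob) < 2 * BLOCK or len(blob) % BLOCK:
        raise ValueError("ciphertext must be an IV plus at least one whole block")
    prev, out = blob[:BLOCK], []
    for i in range(BLOCK, len(blob), BLOCK):
        cur = blob[i:i + BLOCK]
        out.append(_xor(decrypt_block(cur, subkeys), prev))
        prev = cur
    return pkcs7_unpad(b"".join(out))
```

The decryption loop shows why the G-DES structure needs no inverse of the round function: after a round the former last subblock sits at position 0 unchanged, so the same `_f` output can be recomputed and XORed back out. The padding check on decrypt raises on any malformed trailer rather than silently returning garbage.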

2. Identity & Access Management (Authentication)

  • Salted Hashing: User accounts (stored in users.json) are protected with a unique, randomly generated salt per account combined with SHA-256 hashing; no plaintext passphrases are stored. Note that a single SHA-256 is a fast hash, so a leaked users.json can still be brute-forced offline quickly; a deliberately slow password KDF (PBKDF2, bcrypt, scrypt or Argon2) is what a production system should use in its place.
  • Offline Recovery Seeds: Each account is assigned a unique 16-character recovery key at creation. A user who forgets a passphrase can reset it locally by presenting the key, so no external SMTP server is required. Because the key alone is enough to take over the account, it has to be handled and stored with the same care as a passphrase.
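The salted SHA-256 scheme above beside the slow-KDF alternative, as an added example that is not the project's app.py. The users.json record layout (`kdf`, `salt`, `hash`, `iterations`) and the transparent upgrade on login are assumptions for illustration.

```python
"""Salted passphrase storage for a users.json-style record (added example,
not the project's code). Implements the README's scheme (random salt +
SHA-256) and, beside it, PBKDF2-HMAC-SHA256 with an iteration count. One
SHA-256 is cheap enough that a leaked users.json can be brute-forced offline
at a very high guess rate; PBKDF2 makes each guess deliberately expensive.
Record field names are assumptions.
"""
import hashlib
import hmac
import json
import secrets

DEFAULT_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumption)


def make_record_sha256(passphrase: str) -> dict:
    """The README's scheme: unique random salt, single SHA-256 (fast, so weak)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + passphrase.encode("utf-8")).digest()
    return {"kdf": "sha256", "salt": salt.hex(), "hash": digest.hex()}


def make_record_pbkdf2(passphrase: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Hardened scheme: same salting, but a deliberately slow derivation."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return {"kdf": "pbkdf2_sha256", "salt": salt.hex(),
            "iterations": iterations, "hash": digest.hex()}


def _derive(record: dict, passphrase: str) -> bytes:
    salt = bytes.fromhex(record["salt"])
    pw = passphrase.encode("utf-8")
    if record["kdf"] == "sha256":
        return hashlib.sha256(salt + pw).digest()
    if record["kdf"] == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, int(record["iterations"]))
    raise ValueError("unknown kdf " + str(record.get("kdf")))


def verify(record: dict, passphrase: str) -> bool:
    # compare_digest rather than ==, so a mismatch does not leak where it differs
    return hmac.compare_digest(_derive(record, passphrase), bytes.fromhex(record["hash"]))


def login(users: dict, uid: str, passphrase: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Verify against an in-memory users.json dict and, on success, upgrade a
    legacy single-SHA-256 record to PBKDF2 (login is the only moment the
    passphrase is available in the clear to re-derive from)."""
    record = users.get(uid)
    if record is None:
        # spend about one PBKDF2 derivation so an unknown uid is not answered
        # noticeably faster than a wrong passphrase for a PBKDF2 account
        hashlib.pbkdf2_hmac("sha256", b"x", b"x" * 16, iterations)
        return False
    if not verify(record, passphrase):
        return False
    if record["kdf"] == "sha256":
        users[uid] = make_record_pbkdf2(passphrase, iterations)
    return True


def dump_users(users: dict) -> str:
    """Serialise in the shape a users.json file would hold (constructed layout)."""
    return json.dumps(users, indent=2, sort_keys=True)
```

The `kdf` field is what makes a migration safe: old records keep verifying, and each account is rehashed the first time its owner logs in, so no plaintext passphrase ever has to be recovered to move users onto the slower scheme.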

3. Hybrid Access Control (RBAC + DAC)

  • Role-Based Access Control (RBAC): Restricts administrative functions (user registration, uploader access, and file/user purges) strictly to authorized Admin accounts. Standard Employee roles operate under least privilege.
  • Discretionary Access Control (DAC / Access Control Lists): Admins can dynamically delegate decryption and download clearance of specific files to specific Employee accounts using an inline permission-granting interface.
  • Access Revocation: Admins can revoke an employee's clearance on a file at any time; the grant is removed from the file's access list, so the employee's next decrypt or download request is refused.
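The combined role check and per-file ACL check, as an added example that is not the project's app.py. Action names, the data shapes and the rule that admins may decrypt without an ACL entry are assumptions; the page only states that admins grant and revoke clearances and hold the administrative functions.

```python
"""Hybrid RBAC + DAC authorization (added example, not the project's code).
RBAC gates administrative actions by role; DAC is a per-file access control
list that admins edit at run time. Action names, data shapes and the admin
bypass of the ACL are assumptions.
"""
from dataclasses import dataclass, field

ADMIN_ACTIONS = {"register_user", "upload", "purge_file", "purge_user", "grant", "revoke"}
FILE_ACTIONS = {"decrypt", "download"}


class Denied(PermissionError):
    pass


@dataclass
class User:
    uid: str
    role: str          # "admin" or "employee"


@dataclass
class VaultFile:
    name: str
    uploaded_by: str
    acl: set = field(default_factory=set)   # employee uids with decrypt/download clearance


def authorize(user: User, action: str, vault_file: VaultFile = None) -> None:
    """Default deny: raise Denied unless an explicit rule allows the action."""
    if action in ADMIN_ACTIONS:                        # RBAC check
        if user.role != "admin":
            raise Denied(f"{user.uid}: '{action}' requires the admin role")
        return
    if action in FILE_ACTIONS:                         # DAC check
        if vault_file is None:
            raise Denied(f"'{action}' needs a target file")
        if user.role == "admin" or user.uid in vault_file.acl:
            return
        raise Denied(f"{user.uid}: no clearance on {vault_file.name}")
    raise Denied(f"unknown action '{action}'")        # nothing unlisted is ever allowed


def is_allowed(user: User, action: str, vault_file: VaultFile = None) -> bool:
    try:
        authorize(user, action, vault_file)
        return True
    except Denied:
        return False


def grant(actor: User, vault_file: VaultFile, employee_uid: str) -> None:
    authorize(actor, "grant")                          # granting is itself admin-only
    vault_file.acl.add(employee_uid)


def revoke(actor: User, vault_file: VaultFile, employee_uid: str) -> None:
    """The ACL is the only source of truth, so removal is effective at the next check."""
    authorize(actor, "revoke")
    vault_file.acl.discard(employee_uid)
```

Keeping every decision inside one `authorize` function, with an unconditional deny at the end, is the property worth copying: a new route that forgets to call it gets no access at all rather than accidental access, and an unrecognised action name is refused instead of falling through.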

4. Cryptographic Payload Inspector & Integrity Verification

  • Hex vs. Plaintext Inspector: A split-screen terminal panel that shows the raw G-DES ciphertext as a hex dump beside the decrypted plaintext.
  • SHA-256 Integrity Verification: During decryption the system hashes the recovered plaintext and compares it with the hash stored in the file's metadata, which detects block corruption or a modified payload. The hash is unkeyed and stored alongside the ciphertext, so it catches accidental damage and tampering by someone who cannot write the metadata; an attacker who can rewrite vault.json can recompute it, which is the gap a keyed MAC closes.
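The stored-hash check above beside a keyed alternative, as an added example that is not the project's code. The metadata field names and the attacker model (write access to vault.json and the .gdes payload, but no secret key) are assumptions; the ciphertext and plaintext bytes are constructed inputs, not output of any cipher.

```python
"""Integrity check on a vault entry (added example, not the project's code).
Shows the README's unkeyed SHA-256 of the plaintext beside an HMAC over the
ciphertext. An unkeyed hash stored next to the file catches corruption, but
anyone who can write vault.json can swap both payload and hash; an HMAC under
a key the attacker lacks cannot be recomputed. Field names and the attacker
model are assumptions.
"""
import hashlib
import hmac


def sha256_entry(ciphertext: bytes, plaintext: bytes) -> dict:
    """README-style metadata: digest of the plaintext, checked after decryption."""
    return {"ciphertext": ciphertext, "sha256": hashlib.sha256(plaintext).hexdigest()}


def verify_sha256_entry(entry: dict, decrypted: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(decrypted).hexdigest(), entry["sha256"])


def hmac_entry(ciphertext: bytes, mac_key: bytes) -> dict:
    """Keyed alternative: tag the ciphertext, so it can be checked before decryption."""
    tag = hmac.new(mac_key, ciphertext, "sha256").hexdigest()
    return {"ciphertext": ciphertext, "tag": tag}


def verify_hmac_entry(entry: dict, mac_key: bytes) -> bool:
    expected = hmac.new(mac_key, entry["ciphertext"], "sha256").hexdigest()
    return hmac.compare_digest(expected, entry["tag"])


def attacker_rewrites(entry: dict, new_ciphertext: bytes, new_plaintext: bytes) -> dict:
    """Model of an attacker who can write vault.json and the .gdes file but holds
    no secret key: they replace the payload and recompute every unkeyed field;
    a keyed tag is left untouched because they cannot produce a valid one."""
    forged = dict(entry, ciphertext=new_ciphertext)
    if "sha256" in forged:
        forged["sha256"] = hashlib.sha256(new_plaintext).hexdigest()
    return forged
```

Checking the tag over the ciphertext before decrypting also means a tampered file is rejected without ever running the block cipher or the padding check on attacker-controlled input.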

Directory Structure

IS-Lab-Project/
├── static/                      # Static assets folder
│   ├── css/
│   │   └── style.css            # Cyberpunk stylesheet (No-Inline CSS compliant)
│   └── js/
│       └── main.js              # Event delegation & loader logic (No-Inline JS compliant)
├── templates/                   # HTML templates folder
│   ├── dashboard.html           # Dynamic administrative storage dashboard
│   ├── forgot.html              # Key recovery screen
│   └── login.html               # Gateway authentication screen
├── .gitignore                   # Git exclusion configuration
├── app.py                       # Flask server, session routing, & RBAC/DAC controllers
├── gdes.py                      # Pure-Python G-DES Cryptographic implementation
├── requirements.txt             # Project dependencies (Flask 3.1.3, Gunicorn)
├── users.json                   # Salted and hashed user database (auto-generated)
└── vault.json                   # Encrypted files metadata database (auto-generated)

Local Installation & Setup

Prerequisites

  • Python 3.9 or newer installed on your machine.
  • A modern web browser.

1. Clone & Navigate to Project Directory

git clone https://github.com/MuhammadAyanSajid/IS-Lab-Project
cd IS-Lab-Project

2. Set Up a Virtual Environment (Recommended)

# Create environment
python -m venv .venv

# Activate environment
# On Windows (CMD):
.venv\Scripts\activate
# On Mac/Linux:
source .venv/bin/activate

3. Install Dependencies

pip install -r requirements.txt

4. Run the Application

python app.py

Open your browser and navigate to http://127.0.0.1:5000/.


Default Demonstration Credentials

The default accounts below, including their recovery keys, are created only when no users.json exists at startup. Delete any existing users.json before launching the app to regenerate them. These credentials are public, so treat them as demonstration-only: remove or rotate both accounts before exposing an instance to anyone but yourself.

  • Administrator Profile:
    • User ID: admin_account
    • Passphrase: admin123
    • Recovery Key: GDES-ADMN-RECO-7777
  • Employee Profile:
    • User ID: employee_staff
    • Passphrase: employee123
    • Recovery Key: GDES-EMPL-RECO-8888

Production Deployment

The G-DES Secure Vault is actively deployed on the cloud and can be accessed live at: ayan1.pythonanywhere.com

Architectural Deployment Choice:

  • Platform: PythonAnywhere (Free Tier WSGI Server)
  • Persistence Justification: Many free cloud platforms (such as Render or Heroku) use ephemeral filesystems that discard local files on container restart. PythonAnywhere was chosen because it provides a persistent disk, so user records (users.json), file metadata (vault.json) and the G-DES ciphertext payloads (.gdes) survive server reboots. The same persistence means these files live on the hosting account's disk with the application; they hold every credential hash and every ciphertext, so they must never be committed to the repository and need the same access restrictions as the app itself.

Development Team


Academic & Defensive Disclaimer

This project is developed strictly for educational, experimental and laboratory purposes in an isolated, sandboxed environment. Ingrid Schaumüller-Bichl's G-DES was shown by Biham and Shamir to be vulnerable to differential cryptanalysis, with the attack growing cheaper as the block is widened without a matching increase in rounds; widening DES to 128-bit blocks, as done here, therefore does not by itself add strength over DES. This implementation must not be used to secure actual production databases or sensitive enterprise workloads.
