Enterprise-grade directory integrity monitoring system using RSA digital signatures and cryptographic hashing
Features β’ Installation β’ Usage β’ Security β’ Documentation
- Overview
- Features
- Security Architecture
- Installation
- Usage Guide
- Technical Architecture
- Implementation Details
- Project Structure
- Academic Context
- Security Considerations
- Contributing
- License
- Author
iChecker is a sophisticated file integrity monitoring system that provides enterprise-level security for detecting unauthorized changes to files and directories. It combines multiple cryptographic techniques to ensure data integrity and authenticity:
- RSA 2048-bit public/private key pairs for digital signatures
- X.509 self-signed certificates for public key distribution
- AES encryption for secure private key storage
- MD5/SHA-256 hashing for file integrity verification
- Digital signatures for registry authentication
Use Cases:
- Monitor critical system files for tampering
- Detect unauthorized modifications in sensitive directories
- Maintain audit trail of file changes
- Verify integrity of configuration files
- Ensure compliance with security policies
- β RSA 2048-bit Key Generation - Industry-standard asymmetric encryption
- β X.509 Self-Signed Certificates - PKI infrastructure implementation
- β Digital Signatures - SHA-256 with RSA for registry authentication
- β AES Encryption - Secure private key storage with password protection
- β MD5-Derived Keys - Password-based key derivation for AES
- β Dual Hash Support - MD5 or SHA-256 for file integrity
- β Automated Detection - Identifies created, altered, and deleted files
- β Registry-Based Tracking - Maintains cryptographic hashes of all files
- β Signature Verification - Validates registry file authenticity
- β Timestamped Audit Logs - Complete audit trail of all operations
- β Recursive Directory Scanning - Monitors entire directory trees
- β Password-Protected Operations - Secure access to private keys
- β Command-Line Interface - Easy integration with scripts and automation
- β Java Keytool Integration - Leverages standard Java cryptographic tools
- β Flexible Configuration - Customizable hash algorithms and paths
- β Comprehensive Logging - Detailed operation logs with timestamps
- β Error Handling - Robust validation and error messages
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β iChecker Security Flow β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
1. KEY GENERATION
User Password β MD5 Hash β AES Key
Java Keytool β RSA 2048-bit Key Pair
Private Key β AES Encrypt β Encrypted File
Public Key β X.509 Certificate (Self-Signed)
2. REGISTRY CREATION
Directory Files β Hash (MD5/SHA-256) β Registry Map
Registry Content β Hash β RSA Sign β Digital Signature
Registry File = [File Paths + Hashes] + [Signature]
3. INTEGRITY VERIFICATION
Registry File β Extract Signature
Public Key (from Certificate) β Verify Signature
If Valid: Compare File Hashes
If Invalid: Log Error & Exit
Changes Detected β Log Results
keytool -genkeypair -alias ichecker-cert -keyalg RSA -keysize 2048
-validity 365 -keystore [privateKeyPath] -storetype PKCS12Password β MD5(password) β AES-128 Key
Private Key + "PRIVATEKEY" marker β AES Encrypt β Encrypted File
Registry Content β SHA-256 Hash β RSA Sign (Private Key) β Signature
Verification: Signature + Public Key β Verify β True/False
- Java 8 or higher
- Java Keytool (included with JDK)
- javax.crypto package (standard Java library)
# Clone repository
git clone https://github.com/memo-13-byte/file-integrity-checker.git
cd file-integrity-checker
# Compile Java source
javac src/ichecker.java
# Verify compilation
java -cp src icheckerGenerate RSA keys and X.509 certificate:
java -cp src ichecker createCert -k private.key -c certificate.crtParameters:
-k- Path for encrypted private key file-c- Path for X.509 certificate file
Interactive Prompt:
Enter password for keystore:
[User enters password - used for AES encryption]
What Happens:
- Generates 2048-bit RSA key pair
- Creates self-signed X.509 certificate (valid 365 days)
- Encrypts private key with AES using MD5(password)
- Saves encrypted private key to
private.key - Exports certificate to
certificate.crt
Monitor a directory by creating a registry:
java -cp src ichecker createReg -r registry.reg -p /path/to/monitor \
-l audit.log -h SHA-256 -k private.keyParameters:
-r- Registry file path-p- Directory to monitor-l- Log file path-h- Hash algorithm (MD5orSHA-256)-k- Encrypted private key file
Interactive Prompt:
Enter password to decrypt private key:
[User enters password - must match key creation password]
Registry File Format:
/path/to/file1.txt dGVzdCBmaWxlIGhhc2g=
/path/to/file2.doc YW5vdGhlciBoYXNo
/path/to/file3.pdf bW9yZSBoYXNoZXM=
#signature#
MEUCIQDXxH8... [Base64 encoded RSA signature]
Log File Output:
31-12-2024 14:30:15: Registry file is created at /path/registry.reg!
31-12-2024 14:30:15: /path/to/file1.txt is added to registry.
31-12-2024 14:30:15: /path/to/file2.doc is added to registry.
31-12-2024 14:30:15: /path/to/file3.pdf is added to registry.
31-12-2024 14:30:16: 3 files are added to the registry and registry creation is finished!
Verify if files have been modified, added, or deleted:
java -cp src ichecker check -r registry.reg -p /path/to/monitor \
-l audit.log -h SHA-256 -c certificate.crtParameters:
-r- Registry file to verify-p- Directory to check-l- Log file path-h- Hash algorithm (must match registry creation)-c- Certificate file (for signature verification)
Verification Process:
- β Verify registry signature using public key from certificate
- β If signature invalid β Log error and exit
- β If signature valid β Compare file hashes
- β Detect changes: created, altered, deleted
- β Log all changes with timestamps
Example Output (Changes Detected):
31-12-2024 15:45:22: /path/to/file1.txt is altered
31-12-2024 15:45:22: /path/to/file4.pdf is created
31-12-2024 15:45:22: /path/to/file2.doc is deleted
Example Output (No Changes):
31-12-2024 15:45:22: The directory is checked and no change is detected!
Example Output (Invalid Signature):
31-12-2024 15:45:22: Registry file verification failed!
[Program terminates]
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β iChecker Components β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Key Generator βββββΆβ Private Key βββββΆβ AES Encryptor β
β (RSA 2048) β β Storage (AES) β β (MD5 + AES) β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β
βΌ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Certificate βββββΆβ Public Key βββββΆβ Signature β
β Generator β β Distribution β β Verifier β
β (X.509) β β (Certificate) β β (SHA256+RSA) β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β
ββββββββββββββββββββββββββββββββββββββββββββββββββ
βΌ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β File Scanner βββββΆβ Hash Generator βββββΆβ Registry File β
β (Directory) β β (MD5/SHA-256) β β (Signed) β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β β
βΌ βΌ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Integrity βββββΆβ Change βββββΆβ Audit Log β
β Checker β β Detector β β (Timestamped) β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
1. Generate RSA Key Pair (2048-bit)
KeyPairGenerator.getInstance("RSA").generateKeyPair()
2. Create Self-Signed X.509 Certificate
keytool -genkeypair -keyalg RSA -keysize 2048
3. Encrypt Private Key
Password β MD5 β AES Key
PrivateKey + "PRIVATEKEY" β AES Encrypt β File
4. Export Certificate
keytool -exportcert -alias ichecker-cert1. Decrypt Private Key
User Password β MD5 β AES Key
Encrypted File β AES Decrypt β Private Key
2. Hash All Files
For each file:
File Content β Hash Algorithm β Base64 Hash
Store: FilePath β Hash
3. Sign Registry
Registry Content β SHA-256 β Hash
Hash β RSA Sign (Private Key) β Signature
Registry = Content + "#signature#" + Base64(Signature)1. Verify Signature
Extract Signature from Registry
Public Key (Certificate) β Verify Signature
If invalid: Exit with error
2. Compare Hashes
For each current file:
Compute Hash β Compare with Registry
Detect: Created, Altered, Deleted
3. Log Results
Write changes to audit log with timestampsPurpose: Generate RSA key pair and X.509 certificate
// Key generation using Java Keytool
keytool -genkeypair -alias ichecker-cert -keyalg RSA -keysize 2048
-validity 365 -keystore [path] -storetype PKCS12
// Certificate export
keytool -exportcert -alias ichecker-cert -keystore [path]
-file [certificatePath]
// Private key encryption
Password β MD5 β AES Key β Encrypt(PrivateKey + "PRIVATEKEY")Purpose: Create signed registry of directory files
// Password verification and key decryption
MD5(password) β AES Key β Decrypt(PrivateKeyFile)
// File hashing
For each file in directory:
FileContent β Hash(MD5/SHA-256) β Base64Encode
// Registry signing
RegistryContent β SHA256 β RSASign(PrivateKey) β Signature
RegistryFile = Content + "#signature#" + Base64(Signature)Purpose: Verify directory integrity using registry
// Signature verification
Extract Signature from Registry
PublicKey(Certificate) β Verify(Signature, Content)
// Change detection
CurrentFiles = Hash all current files
For each file in Registry:
if not in CurrentFiles: Log "deleted"
if hash different: Log "altered"
For each file in CurrentFiles:
if not in Registry: Log "created"Computes file hash using MD5 or SHA-256
Encrypts data using AES with MD5-derived key
Decrypts AES-encrypted data
Retrieves private key from PKCS12 keystore
Verifies registry signature using X.509 certificate
Writes timestamped messages to audit log
file-integrity-checker/
β
βββ src/
β βββ ichecker.java # Main implementation
β
βββ BBM465_Fall_24_Assignment_2.pdf # Assignment specification
βββ report.pdf # Technical documentation
βββ LICENSE # MIT License
βββ .gitignore # Git ignore rules
βββ README.md # This file
Course: BBM 465 - Information Security Laboratory
Institution: Hacettepe University, Computer Engineering Department
Semester: Fall 2024
Group: 28
Team Members:
- Mehmet YiΔit (b2210356159)
- Mehmet OΔuz Kocadere (b2210356021)
Topics Covered:
- Public Key Infrastructure (PKI)
- Digital signatures and certificates
- X.509 certificate standards
- RSA asymmetric encryption
- AES symmetric encryption
- Cryptographic hashing (MD5, SHA-256)
- File integrity monitoring
- Secure key management
-
Strong Cryptography
- RSA 2048-bit keys (industry standard)
- SHA-256 hashing for signatures
- AES encryption for private keys
-
Tamper Detection
- Digital signatures prevent registry modification
- Cryptographic hashes detect file changes
- Signature verification before integrity check
-
Secure Key Storage
- Password-protected private keys
- AES encryption with MD5-derived keys
- Meaningful plaintext for password validation
-
Comprehensive Logging
- Timestamped audit trail
- All operations logged
- Change detection documented
-
MD5 for Password Hashing
- Issue: MD5 is cryptographically broken
- Production Fix: Use bcrypt, scrypt, or Argon2
- Note: Acceptable for educational purposes
-
Self-Signed Certificates
- Issue: No chain of trust
- Production Fix: Use Certificate Authority (CA)
- Note: Suitable for local/internal use
-
Password Storage
- Issue: No salt in key derivation
- Production Fix: Use PBKDF2 with salt
- Note: Educational implementation
-
TOCTOU Attacks
- Issue: Time-of-check-time-of-use vulnerability
- Production Fix: Atomic operations, file locking
- Note: Outside assignment scope
For enterprise deployment:
// Instead of MD5 for passwords:
PBKDF2WithHmacSHA256 + Salt + High iteration count
// Instead of self-signed certs:
Certificate Authority (Let's Encrypt, corporate CA)
// Additional features:
- Real-time monitoring (inotify, FileSystemWatcher)
- Database storage for large deployments
- Role-based access control
- Network-based centralized monitoringBy studying this project, you will master:
- RSA key pair generation
- X.509 certificate creation
- Self-signed vs. CA-signed certificates
- Certificate validation and chains of trust
- Signature creation with RSA
- Signature verification process
- Hash-then-sign paradigm
- Non-repudiation concepts
- AES encryption/decryption
- Key derivation from passwords
- Initialization vectors (IV)
- CBC mode with PKCS5 padding
- MD5 vs. SHA-256 trade-offs
- Hash function properties
- File integrity verification
- Collision resistance
- Java security APIs
- Keytool command-line usage
- Error handling in crypto code
- Secure key management
- Integrity monitoring systems
- Change detection algorithms
- Audit logging best practices
- Recursive directory traversal
Contributions are welcome! Areas for improvement:
- Replace MD5 password hashing with bcrypt/scrypt
- Add GUI interface for easier use
- Implement real-time monitoring with file system watchers
- Add support for CA-signed certificates
- Create database backend for large-scale deployments
- Add email/SMS alerts for detected changes
- Fork the repository
- Create feature branch (
git checkout -b feature/improvement) - Commit changes (
git commit -m 'Add improvement') - Push to branch (
git push origin feature/improvement) - Open Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
Mehmet OΔuz Kocadere
- π Computer Engineering Student @ Hacettepe University
- π Focus: Cybersecurity, PKI, Network Security
- πΌ LinkedIn
- π§ Email: [email protected]
- π GitHub: @memo-13-byte
- Classical Cryptography Toolkit - Cipher implementation & cryptanalysis
- Secure Flask Auth Portal - 2FA with hash chain OTP
- Hybrid Kerberos System - Enterprise authentication
- Hacettepe University - Computer Engineering Department
- BBM 465 Course - Information Security Laboratory instructors
- Java Keytool Documentation - Oracle Java security guides
- PKI Standards - X.509 certificate specifications
- Java Keytool Documentation
- javax.crypto Package
- X.509 Certificate Standard
- RSA Cryptography Standard
β Star this repository if you found it helpful!
Made with β€οΈ for enterprise security education