Generate cryptographically unique, less predictable flags per lab

[madebygps]

Goal

Make every lab instance use flags that are effectively unique and harder to predict, while keeping the learner-facing CTF{...} format.

Current observations

• setup/flags.py uses one random secrets.token_hex(4) suffix for most challenge flags. That is 32 bits of randomness shared across challenges.
• Challenge 12 currently uses only the first 4 hex characters, which is 16 bits of randomness.
• Flag bases such as hidden_files, file_search, and log_analysis reveal the challenge identity.
• MASTER_SECRET is hard-coded in the repo and is used for completion-token signing through derive_verification_secret.

Proposed direction

Use a per-instance random secret and derive each challenge flag with HMAC-SHA256 or another standard keyed derivation. For example, derive each flag from instance_secret, challenge number, and purpose string, then encode a sufficiently long prefix into CTF{...}. This gives each challenge its own value and avoids a shared suffix pattern.

Questions to answer

1. Should flags include challenge numbers for supportability, for example CTF{01_<random>}, or should they contain no challenge hint at all?
2. What entropy target should each flag have? A practical target could be at least 96 or 128 bits per flag.
3. Should the completion-token signing secret be generated per lab instead of derived from a hard-coded repository constant?
4. How should test tooling retrieve expected answers without reintroducing predictable flags?

Acceptance criteria

• Every non-example challenge flag has independent cryptographic randomness.
• No challenge uses a very short suffix such as 16 bits.
• Flag values no longer expose challenge names unless we intentionally keep a small challenge number prefix.
• Verify still stores only hashes for flag checking.
• Completion-token signing does not rely on a repository hard-coded production secret.
• The ctf-testing suite still solves flags from the VM artifacts, not from checked-in answer strings.

Links

• HMAC background and secret handling guidance: https://blog.gitguardian.com/hmac-secrets-explained-authentication
• OWASP Juice Shop CTF mode notes using generated flag codes: https://pwning.owasp-juice.shop/companion-guide/latest/part4/ctf.html

[madebygps]

Relationship with #96

This issue (#84 — cryptographically unique flags) and #96 (improve setup and verify code) are closely related and have dependencies.

• Improve setup and verify code #96 focuses on optimizing the Python setup code (parallelism, profiling, I/O pipes)
• Generate cryptographically unique, less predictable flags per lab #84 focuses on changing the flag generation logic to use per-instance HMAC-derived flags

Both touch the Python setup code, particularly setup/flags.py and the verify system. Changes to flag generation (#84) will affect how the setup code runs, and optimizations in #96 could conflict with or need to account for the new flag derivation approach.

Recommendation: We should coordinate these two issues carefully. Consider either:

1. Completing Generate cryptographically unique, less predictable flags per lab #84 (flag generation) first, then optimizing the code in Improve setup and verify code #96, or
2. Working them in the same PR if the scope is manageable

Either way, the contributor(s) should be aware of both issues to avoid merge conflicts and ensure the optimizations work with the new flag scheme.