In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations). The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA).
PKI is a system for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed. The roles of the root certificate, intermediate certificate and end-entity certificate in the chain of trust can be seen in the picture below:
Using your browser's 'View Certificate' functionality, try to find information about the certificate presented by https://ocw.cs.pub.ro. We are interested in:
Export the server and issuer certificates, or download them from here: certificates.tar. We will use the openssl command line tool to investigate the certificate files.
true | openssl s_client -connect ocw.cs.pub.ro:443 2>/dev/null | openssl x509 > ocwcspubro.crt
openssl s_client -showcerts -connect ocw.cs.pub.ro:443
$ openssl x509 -in ocwcspubro.crt -noout -text
$ openssl x509 -in TERENASSLCA3.crt -noout -text
$ openssl x509 -in ocwcspubro.crt -noout -dates
$ openssl x509 -in ocwcspubro.crt -noout -issuer
$ openssl x509 -in ocwcspubro.crt -noout -subject
$ openssl x509 -in ocwcspubro.crt -noout -pubkey
In order to download the latest version of TERENASSLCA3.crt, you need to check the CA Issuers - URI field of ocw's certificate. If you download it, it might be in DER format (binary). You can convert it with the following command:
openssl x509 -inform der -in TERENASSLCA3.crt -out TERENASSLCA3pem.crt
$ openssl verify -CAfile TERENASSLCA3.crt ocwcspubro.crt
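The chain-of-trust check can also be reproduced offline with a throwaway hierarchy. The script below is an added example, not part of the original lab: it builds a constructed root, intermediate and end-entity certificate (names such as "Demo Root CA" and www.example.test are made up), repeats the DER-to-PEM conversion, and shows that verification against the root succeeds only when the intermediate is supplied.

```sh
# Constructed demo: every name, key and file here is a throwaway value for this example.

# new_cert NAME SUBJECT EXTFILE [ISSUER]: key + CSR, then self-sign or sign with ISSUER.
new_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "$4" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" -days 30 -out "$1.crt" 2>/dev/null
  fi
}

# make_demo_chain DIR: root -> intermediate -> leaf, with the intermediate round-tripped via DER.
make_demo_chain() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  new_cert root "/CN=Demo Root CA" ca.ext || exit 1
  new_cert int "/CN=Demo Intermediate CA" ca.ext root || exit 1
  new_cert leaf "/CN=www.example.test" leaf.ext int || exit 1
  # Same conversion as on the page: a CA certificate fetched as DER must become PEM.
  openssl x509 -in int.crt -outform der -out int.der &&
    openssl x509 -inform der -in int.der -out int.pem
)

# issuer_matches CHILD PARENT: the child's issuer DN must equal the parent's subject DN.
issuer_matches() {
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  s=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
  [ -n "$i" ] && [ "$i" = "$s" ]
}

# chain_verifies ROOT LEAF [INTERMEDIATE]: only ROOT is trusted; INTERMEDIATE is untrusted help.
chain_verifies() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Driver: build the chain in a temp dir and compare the two verification outcomes.
demo=$(mktemp -d) && make_demo_chain "$demo" || exit 1
chain_verifies "$demo/root.crt" "$demo/leaf.crt" "$demo/int.pem" && echo "root + intermediate: chain OK"
chain_verifies "$demo/root.crt" "$demo/leaf.crt" || echo "root only: verification fails, intermediate missing"
rm -rf "$demo"
```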
The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications. When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) have one or more of the following properties:
The TLS protocol comprises two layers: the TLS record protocol and the TLS handshake protocol. The TLS handshake protocol (with both RSA key exchange and Diffie-Hellman key exchange) can be seen in the pictures below:
Use your browser to inspect the TLS version and cryptographic parameters of popular websites: google.com, amazon.com, microsoft.com. Report any differences.
Using Wireshark, investigate the two traffic captures (traffic-captures.tar). In both cases try to find: