Differences
This shows you the differences between two versions of the page.
|
ac:laboratoare:05 [2019/10/24 16:07] marios.choudary Modified some exercises |
ac:laboratoare:05 [2022/11/03 17:05] (current) marios.choudary |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ===== Lab 05 - PKI and TLS ===== | ===== Lab 05 - PKI and TLS ===== | ||
| - | ==== Task 1: Implement DH + AES-GCM encryption === | + | <hidden> |
| + | ==== Task 0: Implement DH + AES-GCM encryption === | ||
| Implement DH + AES-GCM encryption starting from the code from previous lab (see bonus 2). | Implement DH + AES-GCM encryption starting from the code from previous lab (see bonus 2). | ||
| Line 7: | Line 8: | ||
| Use the secret key to encrypt some data and check that the other party can decrypt it. You can use | Use the secret key to encrypt some data and check that the other party can decrypt it. You can use | ||
| the code available [[https://paste.ubuntu.com/p/4XZpMtt9ZZ/ | here]] for AES-GCM. | the code available [[https://paste.ubuntu.com/p/4XZpMtt9ZZ/ | here]] for AES-GCM. | ||
| + | </hidden> | ||
| Line 17: | Line 19: | ||
| {{ :ac:laboratoare:chain-of-trust.png?500 |Chain of trust}} | {{ :ac:laboratoare:chain-of-trust.png?500 |Chain of trust}} | ||
| - | === Task 2: Investigate certficates for ocw.cs.pub.ro === | + | === Task 1: Investigate certficates for ocw.cs.pub.ro === |
| Using your browser's 'View Certificate' functionality, try to find information about the certificate presented by https://ocw.cs.pub.ro. We are interested in: | Using your browser's 'View Certificate' functionality, try to find information about the certificate presented by https://ocw.cs.pub.ro. We are interested in: | ||
| Line 26: | Line 28: | ||
| Export server and issuer certificates, or download them from here: {{:ac:laboratoare:certificates.tar}}. We will use ''openssl'' command line tool to investigate certificate files. | Export server and issuer certificates, or download them from here: {{:ac:laboratoare:certificates.tar}}. We will use ''openssl'' command line tool to investigate certificate files. | ||
| + | <note tip> | ||
| + | You can download a website certificate with this command: | ||
| + | <code> | ||
| + | true | openssl s_client -connect ocw.cs.pub.ro:443 2>/dev/null | openssl x509 > ocwcspubro.crt | ||
| + | </code> | ||
| + | </note> | ||
| <note tip> | <note tip> | ||
| You can connect to a HTTPS website using: | You can connect to a HTTPS website using: | ||
| Line 45: | Line 53: | ||
| $ openssl x509 -in ocwcspubro.crt -noout -subject | $ openssl x509 -in ocwcspubro.crt -noout -subject | ||
| $ openssl x509 -in ocwcspubro.crt -noout -pubkey | $ openssl x509 -in ocwcspubro.crt -noout -pubkey | ||
| + | </code> | ||
| + | |||
| + | In order to download the lasters version of TERENASSLCA3.crt, you need to check CA Issuers - URI field of ocw's certificate. | ||
| + | If you download it, it might be in DER format (binary). You can convert it with the following command: | ||
| + | <code> | ||
| + | openssl x509 -inform der -in TERENASSLCA3.crt -out TERENASSLCA3pem.crt | ||
| </code> | </code> | ||
| Line 61: | Line 75: | ||
| The TLS protocol comprises two layers: the TLS record protocol and the TLS handshake protocol. TLS handshake protocol (both RSA key exchange and Diffie-Hellman key exchange) can be seen in the pictures below: | The TLS protocol comprises two layers: the TLS record protocol and the TLS handshake protocol. TLS handshake protocol (both RSA key exchange and Diffie-Hellman key exchange) can be seen in the pictures below: | ||
| - | {{:ac:laboratoare:ssl-rsa-handshake.jpeg?500 }} | + | * {{:ac:laboratoare:ssl-rsa-handshake.jpeg?500}} |
| - | {{ :ac:laboratoare:ssl-dh-handshake.jpeg?500}} | + | * {{:ac:laboratoare:ssl-dh-handshake.jpeg?500}} |
| + | |||
| + | |||
| + | === Task 2: Investigate the TLS cryptographic parameters === | ||
| + | |||
| + | Use your browser to inspect the TLS version and cryptoparameters of popular websites: google.com, amazon.com, microsoft.com. Report any differences. | ||
| + | |||
| + | * Can you tell what is the root certificate, the intermediate certificate and the target/server certificate ? | ||
| + | * How do you differentiate a root certificate from an intermediate certificate ? | ||
| === Task 3: Investigate the TLS handshake protocol === | === Task 3: Investigate the TLS handshake protocol === | ||
| Line 75: | Line 97: | ||
| <hidden> | <hidden> | ||
| - | ==== Task 3-4: Create your own CA ==== | + | ==== Task 3-5: Create your own CA ==== |
| - Create directories for CA and for server files <code>mkdir ca-files server-files</code> | - Create directories for CA and for server files <code>mkdir ca-files server-files</code> | ||
