Recent changes

Lab 07 - TOFU-based Authenticated Key Exchange

For this lab, you will find useful the documentation for openssl, available here. For older versions, such as 1.0.2 you can find it here.

Task 1: Generate a pair of RSA public/private keys

Use these commands to generate a pair of public/private keys: 

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Task 2: Implement DH + RSA signature

Modify your DH key exchange implementation (see lab 4) such that when one of the parties (the server) sends its public DH share, it also sends a signature over this share using its private RSA key (generated in the previous task). The other party (the client) should have access to the server's public key (e.g. just write it on a file).

On reception of the public DH share from the server, the client should verify the signature from the server by using its public key and should also store this public key and associate it with the IP of the server.

Initial files lab_dh_tofu.zip

Note on Makefile. You might need to update the Makefile to suit your openssl version and/or path, e.g.: 

gcc dhe.c -o dhe -L/usr/bin/openssl -lcrypto
gcc dhe_server.c -o dhe_server -L/usr/bin/openssl -lcrypto

or 

gcc dhe.c -lcrypto -L/usr/lib -o dhe 
gcc dhe_server.c -lcrypto -L/usr/lib  -o dhe_server

Notes: make sure you initialize all objects before use (e.g. the RSA object in the client) and check them after initialization. For example with this code: 

CHECK(object!=NULL, "error_on_init_function_x")

You might find these methods useful (some of them are given in the provided files, some are part of OpenSSL): 

EVP_PKEY_set1_RSA
RSASign
my_receive
EVP_PKEY_get1_RSA
RSAVerifySignature

Task 3: Implement DH + RSA + TOFU (bonus)

Perform the RSA-based authenticated DH key exchange between the client and server implemented earlier several times. On the first connection, the client should store the public key of the server and associate it with the IP of the server. Then, on subsequent connections, the client must check that the public key of the server matches the one that is stored (if the client already has a public key for the given IP of the server). If it matches, it will use that key for verification of the signature over the DH share of the server. If it doesn't match, it should print an error message and exit.

This is very similar to what SSH does when connecting to a server using a pair of public/private keys and is known as Trust On First Use (TOFU) authentication.

Cursuri

Laboratoare

Teme

Resurse

Table of Contents

ac/laboratoare/07.txt ยท Last modified: 2023/11/23 16:31 by marios.choudary
Old revisions
Media ManagerBack to top
CC Attribution-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0