Differences
This shows you the differences between two versions of the page.
|
cdci:labs:5 [2020/03/15 22:13] mihai.chiroiu [04. [15p] ECB-mode encryption] |
cdci:labs:5 [2021/04/16 16:15] (current) mihai.chiroiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Lab05. Practical cryptography ====== | ====== Lab05. Practical cryptography ====== | ||
| + | |||
| + | <note warning> | ||
| + | Important read to be graded! | ||
| + | {{page>:cdci:rec&nofooter&noeditbutton&noheader}} | ||
| + | </note> | ||
| ===== Objectives ===== | ===== Objectives ===== | ||
| Line 21: | Line 26: | ||
| # (c) Mihai Chiroiu - CDCI | # (c) Mihai Chiroiu - CDCI | ||
| - | git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git | + | git clone https://github.com/mihai-chiroiu/cdci.git |
| - | git config user.email "student@upb.ro" | + | |
| </code> | </code> | ||
| Line 61: | Line 65: | ||
| - http://releases.mozilla.org/pub/firefox/releases/65.0b9/win64/en-US/ | - http://releases.mozilla.org/pub/firefox/releases/65.0b9/win64/en-US/ | ||
| - http://releases.mozilla.org/pub/firefox/releases/65.0b9/SHA256SUMS | - http://releases.mozilla.org/pub/firefox/releases/65.0b9/SHA256SUMS | ||
| - | |||
| - | <solution> | ||
| - | <code> | ||
| <solution> | <solution> | ||
| Line 124: | Line 125: | ||
| - | ==== 04. [10p] Digital signing ==== | + | ==== 06. [10p] Digital signing ==== |
| - | 6. Symmetric encryption is typically used for encrypting data, hashing is used for data integrity and asymmetric encryption is used for authentication. We can use ‘openssl dgst’ tool for signing files. | + | Symmetric encryption is typically used for encrypting data, hashing is used for data integrity and asymmetric encryption is used for authentication. We can use ‘openssl dgst’ tool for signing files using DSA. |
| - | a. Create a DSA key pair and use it to sign the image file encrypted before. Use SHA256 for hashing the file. | + | * Create a DSA key pair and use it to sign the image file encrypted before. Use SHA256 for hashing the file. |
| - | b. Send the signed data to your colleague and ask him to verify the signature. How could you distribute the public part of the DSA key? | + | * Send the signed data to the other node and verify the signature. How could you distribute the public part of the DSA key? |
| + | <note tip> | ||
| + | For file transfer between the two nodes you can use scp via the virtual machine. You can also start the ssh daemon on the nodes if you want. | ||
| + | </note> | ||
| <solution> | <solution> | ||
| - | openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt dsa_paramgen_q_bits:256 -pkeyopt dsa_paramgen_md:sha256 -out dsaparams.pem | + | <code> |
| - | openssl genpkey -paramfile dsaparams.pem -out dsaprivkey.pem | + | root@h1:~/# openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt dsa_paramgen_q_bits:256 -pkeyopt dsa_paramgen_md:sha256 -out dsaparams.pem |
| - | openssl dsa -in dsaprivkey.pem -pubout > dsapubkey.pem | + | root@h1:~/# openssl genpkey -paramfile dsaparams.pem -out dsaprivkey.pem |
| + | root@h1:~/# openssl dsa -in dsaprivkey.pem -pubout > dsapubkey.pem | ||
| + | root@h1:~/# openssl dgst -sha256 -sign dsaprivkey.pem upb_logo_enc.bmp > upb.sig | ||
| + | root@h1:~/# scp upb_logo_enc.bmp upb.sig dsapubkey.pem ubuntu@192.168.16.1:~/. | ||
| - | openssl dgst -sha256 -sign dsaprivkey.pem myfile > Firefox.sig | + | root@h2:~# scp ubuntu@192.168.16.1:~/upb.sig ubuntu@192.168.16.1:~/upb_logo_enc.bmp ubuntu@192.168.16.1:~/dsapubkey.pem . |
| + | root@h2:~# ls | ||
| + | dsapubkey.pem upb.sig upb_logo_enc.bmp | ||
| + | root@h2:~# openssl dgst -sha256 -verify dsapubkey.pem -signature upb.sig upb_logo_enc.bmp | ||
| + | Verified OK | ||
| + | </code> | ||
| + | </solution> | ||
| - | openssl dgst -sha256 -verify dsapubkey.pem -signature myfile.sig Firefox\ Setup\ 65.0b9.exe | + | ==== 07. [10p] Certificate Signing Request ==== |
| - | 7. Asymmetric encryption schemes are used in certificates to authenticate and encrypt data in transit. In this exercise we are going to create a CSR (Certificate Signing Request), which includes the public key of your server. Note that this CSR must be signed by a Certificate Authority before being used. | + | |
| - | a. Generate a 2048 bits private-public RSA key. Note, that while in practice the private key should be protected using a symmetric key, in this lab we assume that you don’t. Display the public key part of the generated pair. How about the private one? | + | Asymmetric encryption schemes are used in certificates to authenticate and encrypt data in transit. In this exercise we are going to create a CSR (Certificate Signing Request), which includes the public key of your server. Note that this CSR must be signed by a Certificate Authority before being used. |
| - | b. Use the previously generated key and create a new CSR that should be saved to the ‘ServerCertificateRequest.csr’ file. | + | * Generate a 2048 bits private-public RSA key. Note, that while in practice the private key should be protected using a symmetric key, in this lab we assume that you don’t. Display the public key part of the generated pair. How about the private one? |
| - | c. Print the public key stored in the CSR certificate and compare it with the one generated in the first step. | + | * Use the previously generated key and create a new CSR that should be saved to the ‘ServerCertificateRequest.csr’ file. |
| - | openssl genrsa -out RSAKEYPAIR.pem 2048 | + | * Print the public key stored in the CSR certificate and compare it with the one generated in the first step. |
| - | openssl rsa -in RSAKEYPAIR.pem -pubout | + | |
| - | openssl rsa -in RSAKEYPAIR.pem -text | + | <solution> |
| - | openssl req -out ServerCertificateRequest.csr -new -key RSAKEYPAIR.pem | + | <code> |
| - | 8. In this exercise you will be required to analyze an already signed certificate from the cisco.com website. | + | root@h1:~# openssl genrsa -out RSAKEYPAIR.pem 2048 |
| - | a. Use the s_client suite from openssl and download the certificate locally. Note that there might be a chain of certificates, save each one in a different file. | + | root@h1:~# openssl rsa -in RSAKEYPAIR.pem -pubout |
| - | b. What is the public key of the cisco.com server? Compare it to the one viewed in browser (use Firefox for a simplified view). | + | root@h1:~# openssl rsa -in RSAKEYPAIR.pem -text |
| - | c. The chain downloaded include three certificates, use ‘openssl verify’ to test the correctness of each certificate in the path. Test the first level against the second, the second against the third, and the third against the machine. Does the verification of cisco.com certificate work without the fullchain? | + | root@h1:~# openssl req -out ServerCertificateRequest.csr -new -key RSAKEYPAIR.pem |
| - | openssl s_client -host cisco.com -port 443 -prexit -showcerts | + | root@h1:~# openssl req -in ServerCertificateRequest.csr -pubkey |
| - | openssl x509 -in cisco.pem -pubkey | + | </code> |
| - | openssl verify -verbose -CAfile avalanche.pem cisco.pem | + | </solution> |
| + | |||
| + | ==== 08. [10p] Digital signing ==== | ||
| + | |||
| + | In this exercise you will be required to analyze an already signed certificate from the www.google.com website. | ||
| + | * Use the s_client suite from openssl and download the top chain certificate locally (Hint: signed by GlobalSign Root CA). Note that there might be a chain of certificates, save each one in a different file. | ||
| + | * What is the public key of the certificate? Compare it to the one viewed in browser (use Firefox for a simplified view). | ||
| + | * Use ‘openssl verify’ to test the correctness of the certificate. Does the verification of the certificate work? | ||
| + | |||
| + | <solution> | ||
| + | <code> | ||
| + | root@h1:/# openssl s_client -host www.google.com -port 443 -prexit -showcerts | ||
| + | root@h1:/# cat www.google.pem | ||
| + | -----BEGIN CERTIFICATE----- | ||
| + | MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw | ||
| + | HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs | ||
| + | U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy | ||
| + | MTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg | ||
| + | U2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUA | ||
| + | A4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnv | ||
| + | UA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRr | ||
| + | mBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++Ac | ||
| + | xGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmK | ||
| + | FsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7X | ||
| + | rJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNV | ||
| + | HQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1Ud | ||
| + | EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8G | ||
| + | A1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAl | ||
| + | BggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzAp | ||
| + | MCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0g | ||
| + | BDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9y | ||
| + | ZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7H | ||
| + | TgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoN | ||
| + | FvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrz | ||
| + | mqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wW | ||
| + | IRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZ | ||
| + | USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg== | ||
| + | -----END CERTIFICATE----- | ||
| + | |||
| + | root@h1:/# openssl x509 -in www.google.pem -pubkey | ||
| + | -----BEGIN PUBLIC KEY----- | ||
| + | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0BjPRdSLzdOc5EDvfrTd | ||
| + | aSEbyc88jkx1uQ8xGYQ9njwp71ANEJNvBYCAnyqgvRJLAuE9n1gWJP4wnwt0d1WT | ||
| + | HUv3TeGSghD2UawMw7IilA80a5gQSecLnYM53SDGHC3v0RhhZecjgyCoIxL/0iR/ | ||
| + | 1C/nRGpbTddQZrCvnkJjBfvgHMRjYa+fajP/Ype9SNnTfBRn3HXcLmno+G14adC3 | ||
| + | EAW48THCOyT9GjN0+CPg7GsZihbG482kzQvbs6RZYDiIO60ducaMp1Mb/LzZpKu8 | ||
| + | 3Txh15MVmO6BvY/iZEcgQAZO16yX6LnAWRKhSSUj5O1wNCyltGN8+aM9g9HNbSSs | ||
| + | BwIDAQAB | ||
| + | -----END PUBLIC KEY----- | ||
| + | |||
| + | root@h1:/# openssl verify -verbose www.google.pem | ||
| + | www.google.pem: OK | ||
| + | |||
| + | # if we use the first certificate | ||
| + | root@h1:/# openssl verify -verbose www.google.pem | ||
| + | C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com | ||
| + | error 20 at 0 depth lookup: unable to get local issuer certificate | ||
| + | error www.google.pem: verification failed | ||
| + | |||
| + | </code> | ||
| </solution> | </solution> | ||
