Differences
This shows you the differences between two versions of the page.
|
cdci:labs:5 [2020/03/15 22:18] mihai.chiroiu [06. [10p] Digital signing] |
cdci:labs:5 [2021/04/16 16:15] (current) mihai.chiroiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Lab05. Practical cryptography ====== | ====== Lab05. Practical cryptography ====== | ||
| + | |||
| + | <note warning> | ||
| + | Important read to be graded! | ||
| + | {{page>:cdci:rec&nofooter&noeditbutton&noheader}} | ||
| + | </note> | ||
| ===== Objectives ===== | ===== Objectives ===== | ||
| Line 21: | Line 26: | ||
| # (c) Mihai Chiroiu - CDCI | # (c) Mihai Chiroiu - CDCI | ||
| - | git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git | + | git clone https://github.com/mihai-chiroiu/cdci.git |
| - | git config user.email "student@upb.ro" | + | |
| </code> | </code> | ||
| Line 61: | Line 65: | ||
| - http://releases.mozilla.org/pub/firefox/releases/65.0b9/win64/en-US/ | - http://releases.mozilla.org/pub/firefox/releases/65.0b9/win64/en-US/ | ||
| - http://releases.mozilla.org/pub/firefox/releases/65.0b9/SHA256SUMS | - http://releases.mozilla.org/pub/firefox/releases/65.0b9/SHA256SUMS | ||
| - | |||
| - | <solution> | ||
| - | <code> | ||
| <solution> | <solution> | ||
| Line 129: | Line 130: | ||
| * Create a DSA key pair and use it to sign the image file encrypted before. Use SHA256 for hashing the file. | * Create a DSA key pair and use it to sign the image file encrypted before. Use SHA256 for hashing the file. | ||
| * Send the signed data to the other node and verify the signature. How could you distribute the public part of the DSA key? | * Send the signed data to the other node and verify the signature. How could you distribute the public part of the DSA key? | ||
| + | |||
| + | <note tip> | ||
| + | For file transfer between the two nodes you can use scp via the virtual machine. You can also start the ssh daemon on the nodes if you want. | ||
| + | </note> | ||
| <solution> | <solution> | ||
| Line 136: | Line 141: | ||
| root@h1:~/# openssl dsa -in dsaprivkey.pem -pubout > dsapubkey.pem | root@h1:~/# openssl dsa -in dsaprivkey.pem -pubout > dsapubkey.pem | ||
| root@h1:~/# openssl dgst -sha256 -sign dsaprivkey.pem upb_logo_enc.bmp > upb.sig | root@h1:~/# openssl dgst -sha256 -sign dsaprivkey.pem upb_logo_enc.bmp > upb.sig | ||
| - | root@h1:~/# openssl dgst -sha256 -verify dsapubkey.pem -signature upb.sig upb_logo_enc.bmp | + | root@h1:~/# scp upb_logo_enc.bmp upb.sig dsapubkey.pem ubuntu@192.168.16.1:~/. |
| + | |||
| + | root@h2:~# scp ubuntu@192.168.16.1:~/upb.sig ubuntu@192.168.16.1:~/upb_logo_enc.bmp ubuntu@192.168.16.1:~/dsapubkey.pem . | ||
| + | root@h2:~# ls | ||
| + | dsapubkey.pem upb.sig upb_logo_enc.bmp | ||
| + | root@h2:~# openssl dgst -sha256 -verify dsapubkey.pem -signature upb.sig upb_logo_enc.bmp | ||
| + | Verified OK | ||
| </code> | </code> | ||
| </solution> | </solution> | ||
| - | ==== 07. [10p] Digital signing ==== | + | ==== 07. [10p] Certificate Signing Request ==== |
| + | |||
| + | Asymmetric encryption schemes are used in certificates to authenticate and encrypt data in transit. In this exercise we are going to create a CSR (Certificate Signing Request), which includes the public key of your server. Note that this CSR must be signed by a Certificate Authority before being used. | ||
| + | * Generate a 2048 bits private-public RSA key. Note, that while in practice the private key should be protected using a symmetric key, in this lab we assume that you don’t. Display the public key part of the generated pair. How about the private one? | ||
| + | * Use the previously generated key and create a new CSR that should be saved to the ‘ServerCertificateRequest.csr’ file. | ||
| + | * Print the public key stored in the CSR certificate and compare it with the one generated in the first step. | ||
| - | 7. Asymmetric encryption schemes are used in certificates to authenticate and encrypt data in transit. In this exercise we are going to create a CSR (Certificate Signing Request), which includes the public key of your server. Note that this CSR must be signed by a Certificate Authority before being used. | ||
| - | a. Generate a 2048 bits private-public RSA key. Note, that while in practice the private key should be protected using a symmetric key, in this lab we assume that you don’t. Display the public key part of the generated pair. How about the private one? | ||
| - | b. Use the previously generated key and create a new CSR that should be saved to the ‘ServerCertificateRequest.csr’ file. | ||
| - | c. Print the public key stored in the CSR certificate and compare it with the one generated in the first step. | ||
| <solution> | <solution> | ||
| - | openssl genrsa -out RSAKEYPAIR.pem 2048 | + | <code> |
| - | openssl rsa -in RSAKEYPAIR.pem -pubout | + | root@h1:~# openssl genrsa -out RSAKEYPAIR.pem 2048 |
| - | openssl rsa -in RSAKEYPAIR.pem -text | + | root@h1:~# openssl rsa -in RSAKEYPAIR.pem -pubout |
| - | openssl req -out ServerCertificateRequest.csr -new -key RSAKEYPAIR.pem | + | root@h1:~# openssl rsa -in RSAKEYPAIR.pem -text |
| + | root@h1:~# openssl req -out ServerCertificateRequest.csr -new -key RSAKEYPAIR.pem | ||
| + | root@h1:~# openssl req -in ServerCertificateRequest.csr -pubkey | ||
| + | </code> | ||
| </solution> | </solution> | ||
| ==== 08. [10p] Digital signing ==== | ==== 08. [10p] Digital signing ==== | ||
| - | 8. In this exercise you will be required to analyze an already signed certificate from the cisco.com website. | + | In this exercise you will be required to analyze an already signed certificate from the www.google.com website. |
| - | a. Use the s_client suite from openssl and download the certificate locally. Note that there might be a chain of certificates, save each one in a different file. | + | * Use the s_client suite from openssl and download the top chain certificate locally (Hint: signed by GlobalSign Root CA). Note that there might be a chain of certificates, save each one in a different file. |
| - | b. What is the public key of the cisco.com server? Compare it to the one viewed in browser (use Firefox for a simplified view). | + | * What is the public key of the certificate? Compare it to the one viewed in browser (use Firefox for a simplified view). |
| - | c. The chain downloaded include three certificates, use ‘openssl verify’ to test the correctness of each certificate in the path. Test the first level against the second, the second against the third, and the third against the machine. Does the verification of cisco.com certificate work without the fullchain? | + | * Use ‘openssl verify’ to test the correctness of the certificate. Does the verification of the certificate work? |
| <solution> | <solution> | ||
| - | openssl s_client -host cisco.com -port 443 -prexit -showcerts | + | <code> |
| - | openssl x509 -in cisco.pem -pubkey | + | root@h1:/# openssl s_client -host www.google.com -port 443 -prexit -showcerts |
| - | openssl verify -verbose -CAfile avalanche.pem cisco.pem | + | root@h1:/# cat www.google.pem |
| + | -----BEGIN CERTIFICATE----- | ||
| + | MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw | ||
| + | HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs | ||
| + | U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy | ||
| + | MTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg | ||
| + | U2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUA | ||
| + | A4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnv | ||
| + | UA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRr | ||
| + | mBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++Ac | ||
| + | xGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmK | ||
| + | FsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7X | ||
| + | rJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNV | ||
| + | HQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1Ud | ||
| + | EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8G | ||
| + | A1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAl | ||
| + | BggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzAp | ||
| + | MCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0g | ||
| + | BDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9y | ||
| + | ZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7H | ||
| + | TgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoN | ||
| + | FvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrz | ||
| + | mqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wW | ||
| + | IRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZ | ||
| + | USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg== | ||
| + | -----END CERTIFICATE----- | ||
| + | |||
| + | root@h1:/# openssl x509 -in www.google.pem -pubkey | ||
| + | -----BEGIN PUBLIC KEY----- | ||
| + | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0BjPRdSLzdOc5EDvfrTd | ||
| + | aSEbyc88jkx1uQ8xGYQ9njwp71ANEJNvBYCAnyqgvRJLAuE9n1gWJP4wnwt0d1WT | ||
| + | HUv3TeGSghD2UawMw7IilA80a5gQSecLnYM53SDGHC3v0RhhZecjgyCoIxL/0iR/ | ||
| + | 1C/nRGpbTddQZrCvnkJjBfvgHMRjYa+fajP/Ype9SNnTfBRn3HXcLmno+G14adC3 | ||
| + | EAW48THCOyT9GjN0+CPg7GsZihbG482kzQvbs6RZYDiIO60ducaMp1Mb/LzZpKu8 | ||
| + | 3Txh15MVmO6BvY/iZEcgQAZO16yX6LnAWRKhSSUj5O1wNCyltGN8+aM9g9HNbSSs | ||
| + | BwIDAQAB | ||
| + | -----END PUBLIC KEY----- | ||
| + | |||
| + | root@h1:/# openssl verify -verbose www.google.pem | ||
| + | www.google.pem: OK | ||
| + | |||
| + | # if we use the first certificate | ||
| + | root@h1:/# openssl verify -verbose www.google.pem | ||
| + | C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com | ||
| + | error 20 at 0 depth lookup: unable to get local issuer certificate | ||
| + | error www.google.pem: verification failed | ||
| + | |||
| + | </code> | ||
| </solution> | </solution> | ||
