 ====== Lab05. Practical cryptography ​ ====== ====== Lab05. Practical cryptography ​ ======
 +<note warning>
 +Important read to be graded!
 ===== Objectives ===== ===== Objectives =====
Line 21: Line 26:
 # (c) Mihai Chiroiu - CDCI # (c) Mihai Chiroiu - CDCI
-git clone -b labs --single-branch ​https://​github.com/​mihai-chiroiu/​cdci.git +git clone https://​github.com/​mihai-chiroiu/​cdci.git
-git config user.email "​student@upb.ro"​+
 </​code>​ </​code>​
Line 61: Line 65:
     - http://​releases.mozilla.org/​pub/​firefox/​releases/​65.0b9/​win64/​en-US/ ​     - http://​releases.mozilla.org/​pub/​firefox/​releases/​65.0b9/​win64/​en-US/ ​
     - http://​releases.mozilla.org/​pub/​firefox/​releases/​65.0b9/​SHA256SUMS     - http://​releases.mozilla.org/​pub/​firefox/​releases/​65.0b9/​SHA256SUMS
 <​solution>​ <​solution>​
Line 140: Line 141:
 root@h1:~/# openssl dsa -in dsaprivkey.pem -pubout > dsapubkey.pem root@h1:~/# openssl dsa -in dsaprivkey.pem -pubout > dsapubkey.pem
 root@h1:~/# openssl dgst -sha256 -sign dsaprivkey.pem upb_logo_enc.bmp > upb.sig root@h1:~/# openssl dgst -sha256 -sign dsaprivkey.pem upb_logo_enc.bmp > upb.sig
-root@h1:~/# openssl dgst -sha256 -verify dsapubkey.pem -signature upb.sig upb_logo_enc.bmp+root@h1:~/# scp upb_logo_enc.bmp upb.sig dsapubkey.pem ubuntu@​~/​. 
 +root@h2:~# scp ubuntu@​~/​upb.sig ubuntu@​~/​upb_logo_enc.bmp ubuntu@​~/​dsapubkey.pem . 
 +root@h2:~# ls 
 +dsapubkey.pem ​ upb.sig ​ upb_logo_enc.bmp 
 +root@h2:~# openssl dgst -sha256 -verify dsapubkey.pem -signature upb.sig upb_logo_enc.bmp 
 +Verified OK
 </​code>​ </​code>​
 </​solution>​ </​solution>​
==== 07. [10p] Certificate Signing Request ====  
 Asymmetric encryption schemes are used in certificates to authenticate and encrypt data in transit. In this exercise we are going to create a CSR (Certificate Signing Request), which includes the public key of your server. Note that this CSR must be signed by a Certificate Authority before being used.  
 * Generate a 2048 bits private-public RSA key. Note, that while in practice the private key should be protected using a symmetric key, in this lab we assume that you don't. Display the public key part of the generated pair. How about the private one? 
 * Use the previously generated key and create a new CSR that should be saved to the 'ServerCertificateRequest.csr' file.  
 * Print the public key stored in the CSR certificate and compare it with the one generated in the first step. 
-7. Asymmetric encryption schemes are used in certificates to authenticate and encrypt data in transit. In this exercise we are going to create a CSR (Certificate Signing Request), which includes the public key of your server. Note that this CSR must be signed by a Certificate Authority before being used.  
-a. Generate a 2048 bits private-public RSA key. Note, that while in practice the private key should be protected using a symmetric key, in this lab we assume that you don’t. Display the public key part of the generated pair. How about the private one? 
-b. Use the previously generated key and create a new CSR that should be saved to the ‘ServerCertificateRequest.csr’ file.  
-c. Print the public key stored in the CSR certificate and compare it with the one generated in the first step.  
 <​solution>​ <​solution>​
-openssl genrsa -out RSAKEYPAIR.pem 2048 +<​code>​ 
-openssl rsa -in RSAKEYPAIR.pem -pubout +root@h1:​~# ​openssl genrsa -out RSAKEYPAIR.pem 2048 
-openssl rsa -in RSAKEYPAIR.pem -text +root@h1:​~# ​openssl rsa -in RSAKEYPAIR.pem -pubout 
-openssl req -out ServerCertificateRequest.csr -new -key RSAKEYPAIR.pem+root@h1:​~# ​openssl rsa -in RSAKEYPAIR.pem -text 
 +root@h1:​~# ​openssl req -out ServerCertificateRequest.csr -new -key RSAKEYPAIR.pem 
 +root@h1:~# openssl req -in ServerCertificateRequest.csr -pubkey 
 </​solution>​ </​solution>​
 ==== 08. [10p] Digital signing ====  ==== 08. [10p] Digital signing ==== 
In this exercise you will be required to analyze an already signed certificate from the www.google.com website. 
* Use the s_client suite from openssl and download the top chain certificate locally (Hint: signed by GlobalSign Root CA). Note that there might be a chain of certificates, save each one in a different file. 
* What is the public key of the certificate? Compare it to the one viewed in browser (use Firefox for a simplified view). 
* Use 'openssl verify' to test the correctness of the certificate. Does the verification of the certificate work? 
 <​solution>​ <​solution>​
-openssl s_client -host cisco.com -port 443 -prexit -showcerts +<​code>​ 
-openssl x509 -in cisco.pem -pubkey +root@h1:/# ​openssl s_client -host www.google.com -port 443 -prexit -showcerts 
-openssl verify -verbose -CAfile avalanche.pem cisco.pem+root@h1:/# cat www.google.pem  
 +-----END CERTIFICATE----- 
 +root@h1:/# ​openssl x509 -in www.google.pem -pubkey 
 +-----BEGIN PUBLIC KEY----- 
 +-----END PUBLIC KEY----- 
 +root@h1:/# ​openssl verify -verbose ​www.google.pem ​                 
 +www.google.pem:​ OK 
 +# if we use the first certificate 
 +root@h1:/# openssl verify ​-verbose www.google.pem  
 +C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com 
 +error 20 at 0 depth lookup: unable to get local issuer certificate 
 +error www.google.pem: verification failed 
 </​solution>​ </​solution>​
