cdci:labs:5 [2020/03/15 22:52] mihai.chiroiu [07. [10p] Digital signing] |
cdci:labs:5 [2021/04/16 16:15] (current) mihai.chiroiu |
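--- a/cdci:labs:5
+++ b/cdci:labs:5
@@ -1,2 +1,7 @@
 ====== Lab05. Practical cryptography ======
+
+<note warning>
+Important read to be graded!
+{{page>:cdci:rec&nofooter&noeditbutton&noheader}}
+</note>
 ===== Objectives =====
@@ -21,4 +26,3 @@
 # (c) Mihai Chiroiu - CDCI
-git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git
-git config user.email "student@upb.ro"
+git clone https://github.com/mihai-chiroiu/cdci.git
 </code>
@@ -61,6 +65,3 @@
 - http://releases.mozilla.org/pub/firefox/releases/65.0b9/win64/en-US/
 - http://releases.mozilla.org/pub/firefox/releases/65.0b9/SHA256SUMS
-
-<solution>
-<code>
 <solution>
@@ -158,3 +159,4 @@
 <solution>
+<code>
 root@h1:~# openssl genrsa -out RSAKEYPAIR.pem 2048
 root@h1:~# openssl rsa -in RSAKEYPAIR.pem -pubout
@@ -163,13 +165,61 @@
 root@h1:~# openssl req -out ServerCertificateRequest.csr -new -key RSAKEYPAIR.pem
 root@h1:~# openssl req -in ServerCertificateRequest.csr -pubkey
+</code>
 </solution>
 ==== 08. [10p] Digital signing ====
-8. In this exercise you will be required to analyze an already signed certificate from the cisco.com website.
-a. Use the s_client suite from openssl and download the certificate locally. Note that there might be a chain of certificates, save each one in a different file.
-b. What is the public key of the cisco.com server? Compare it to the one viewed in browser (use Firefox for a simplified view).
-c. The chain downloaded include three certificates, use ‘openssl verify’ to test the correctness of each certificate in the path. Test the first level against the second, the second against the third, and the third against the machine. Does the verification of cisco.com certificate work without the fullchain?
+In this exercise you will be required to analyze an already signed certificate from the www.google.com website.
+* Use the s_client suite from openssl and download the top chain certificate locally (Hint: signed by GlobalSign Root CA). Note that there might be a chain of certificates, save each one in a different file.
+* What is the public key of the certificate? Compare it to the one viewed in browser (use Firefox for a simplified view).
+* Use ‘openssl verify’ to test the correctness of the certificate. Does the verification of the certificate work?
 <solution>
-openssl s_client -host cisco.com -port 443 -prexit -showcerts
-openssl x509 -in cisco.pem -pubkey
-openssl verify -verbose -CAfile avalanche.pem cisco.pem
+<code>
+root@h1:/# openssl s_client -host www.google.com -port 443 -prexit -showcerts
+root@h1:/# cat www.google.pem
+-----BEGIN CERTIFICATE-----
+MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
+HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
+U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
+MTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
+U2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnv
+UA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRr
+mBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++Ac
+xGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmK
+FsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7X
+rJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNV
+HQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1Ud
+EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8G
+A1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAl
+BggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzAp
+MCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0g
+BDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9y
+ZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7H
+TgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoN
+FvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrz
+mqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wW
+IRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZ
+USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==
+-----END CERTIFICATE-----
+
+root@h1:/# openssl x509 -in www.google.pem -pubkey
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0BjPRdSLzdOc5EDvfrTd
+aSEbyc88jkx1uQ8xGYQ9njwp71ANEJNvBYCAnyqgvRJLAuE9n1gWJP4wnwt0d1WT
+HUv3TeGSghD2UawMw7IilA80a5gQSecLnYM53SDGHC3v0RhhZecjgyCoIxL/0iR/
+1C/nRGpbTddQZrCvnkJjBfvgHMRjYa+fajP/Ype9SNnTfBRn3HXcLmno+G14adC3
+EAW48THCOyT9GjN0+CPg7GsZihbG482kzQvbs6RZYDiIO60ducaMp1Mb/LzZpKu8
+3Txh15MVmO6BvY/iZEcgQAZO16yX6LnAWRKhSSUj5O1wNCyltGN8+aM9g9HNbSSs
+BwIDAQAB
+-----END PUBLIC KEY-----
+
+root@h1:/# openssl verify -verbose www.google.pem
+www.google.pem: OK
+
+# if we use the first certificate
+root@h1:/# openssl verify -verbose www.google.pem
+C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
+error 20 at 0 depth lookup: unable to get local issuer certificate
+error www.google.pem: verification failed
+
+</code>
 </solution>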
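Review bot: The two `openssl verify -verbose www.google.pem` runs in the new solution name the same file, yet the comment `# if we use the first certificate` and the `CN = www.google.com` subject in the failing output show the second run is against the leaf, so a student cannot reproduce the OK/failure pair from the listing; give the leaf its own file name, e.g. `root@h1:/# openssl verify -verbose www.google-leaf.pem`. The first run succeeds without any `-CAfile` (the old solution passed one explicitly), presumably because the GlobalSign root is found in the machine's trust store, and the exercise asks "Does the verification work?" without saying that this is why, so a one-line comment `# no -CAfile: the issuer is taken from the system trust store` would make the answer teachable. The `error 20 at 0 depth lookup: unable to get local issuer certificate` run is the natural place to show how the chain is completed, e.g. `openssl verify -verbose -untrusted www.google.pem www.google-leaf.pem`, which also recovers the "does it work without the full chain" question the old text asked. The pasted intermediate is a snapshot of the chain served at one point in time, so a sentence that the certificates students download will differ from the listing would avoid confusion.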