Differences
This shows you the differences between two versions of the page.
|
sasc:laboratoare:09 [2016/05/10 17:03] sergiu.costea [Exercise 3] |
sasc:laboratoare:09 [2017/05/02 11:00] (current) dan.dragan |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Lab 09 - OpenSSL MACs and Hashes ===== | + | ===== Lab 09 - OpenSSL AEAD ===== |
| - | ==== Exercise 1 ==== | + | Before you start solving the exercises below, download the {{:ic:laboratoare:ic_lab10.zip|lab archive from here}}. |
| - | In this first exercise we'll see how to compute hashes using the OpenSSL command line interface. | ||
| - | You can interact with the OpenSSL utilities in two ways: | + | ==== Exercise 1 ==== |
| - | * directly from bash, by using the ''openssl'' command followed by the desired command and parameters | + | |
| - | * from the OpenSSL console, by using the ''openssl'' command without additional arguments. You can close the console by calling ''quit'' or ''exit''. | + | |
| - | If the manual pages are correctly installed, you can consult the documentation via ''man <command_name>'' (e.g. ''man md5''). | + | The archive contains the source code for Exercise 2, but sadly it is encrypted. Luckily, we forgot to remove the password file from the archive. |
| + | Use ''openssl'' commands to decrypt the source file. | ||
| - | Hashes are often used to check the integrity of downloaded files. We will now use OpenSSL to compute the MD5 and SHA-1 hashes of this page. | + | <note hint> |
| + | The file is encrypted using AES-256 in CBC mode. | ||
| + | </note> | ||
| - | Download this page by running: | ||
| - | |||
| - | <code> | ||
| - | linux$ wget http://ocw.cs.pub.ro/courses/sasc/laboratoare/09 -O sasc.html | ||
| - | </code> | ||
| - | |||
| - | |||
| - | Use OpenSSL to compute the MD5 and SHA-1 hashes of the newly downloaded file; print the output in hexadecimal. | ||
| - | |||
| - | To check your results, you can use ''md5sum'' or ''sha1sum'' as an alternative way of computing the same hashes. | ||
| ==== Exercise 2 ==== | ==== Exercise 2 ==== | ||
| - | In this second exercise we'll use the command line to compute an HMAC, with SHA-1 as the hashing algorithm. | + | In this exercise we'll use OpenSSL to encrypt and decrypt with AES-128-GCM. Unfortunately, AES-GCM is not supported by the command line utilities of OpenSSL so we'll have to implement it ourselves. |
| - | Recall from the lecture that for HMAC to be secure, we need to sample a random key $k \gets \mathcal{K}$. | + | Open the file you decrypted in the previous exercise and inspect the code. There are two functions that need to be implemented: ''aes_gcm_encrypt'' and ''aes_gcm_decrypt''. We have included hints to guide you through the code. |
| - | We can generate random bytes using ''openssl rand''. To compute HMACs, check the documentation for ''openssl dgst''. | + | The main program initializes a dummy key and a dummy IV; a long message is then encrypted and decrypted. The encryption should automatically include the authentication tag at the end, and the decryption should return an error if the verification of the tag fails. |
| - | For this exercise, use OpenSSL commands to: | + | If you do not change keys and the implementation is ok, the ciphertext you obtain should be equal to our own. Otherwise, some of the tests will fail. |
| - | - generate a 16 byte random key | + | |
| - | - use the key to compute the SHA-1 HMAC of the page downloaded in the previous exercise | + | |
| - | ==== Exercise 3 ==== | ||
| - | In this exercise you will implement the Birthday attack on SHA-1 from the previous lab using OpenSSL. The goal is to obtain a collision in the first four bytes of the hash. | + | Below we have included an example of encryption with RC2 (taken from the OpenSSL man pages). The AES-GCM encryption implementation is quite similar - the authentication tag is automatically appended when finalizing the encryption context. |
| - | In contrast to previous labs, this time we'll use C. You can implement the attack from scratch, or start from our {{:sasc:laboratoare:birthday.tar.gz|archive here}}. | + | <code C> |
| + | int do_crypt(FILE *in, FILE *out, int do_encrypt) { | ||
| + | /* Allow enough space in output buffer for additional block */ | ||
| + | inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; | ||
| + | int inlen, outlen; | ||
| + | /* Bogus key and IV: we'd normally set these from | ||
| + | * another source. | ||
| + | */ | ||
| + | unsigned char key[] = "0123456789"; | ||
| + | unsigned char iv[] = "12345678"; | ||
| + | /* Don't set key or IV because we will modify the parameters */ | ||
| + | EVP_CIPHER_CTX_init(&ctx); | ||
| + | EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt); | ||
| + | EVP_CIPHER_CTX_set_key_length(&ctx, 10); | ||
| + | /* We finished modifying parameters so now we can set key and IV */ | ||
| + | EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt); | ||
| - | To compute a digest, you might find the code below useful: | + | for(;;) { |
| - | + | inlen = fread(inbuf, 1, 1024, in); | |
| - | <code C> | + | if(inlen <= 0) break; |
| - | SHA_CTX context; | + | if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen)) { |
| - | SHA1_Init(&context); | + | /* Error */ |
| - | SHA1_Update(&context, buffer, length); | + | EVP_CIPHER_CTX_cleanup(&ctx); |
| - | SHA1_Final(md, &context); /* md must point to at least 20 bytes of valid memory */ | + | return 0; |
| + | } | ||
| + | fwrite(outbuf, 1, outlen, out); | ||
| + | } | ||
| + | if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen)) { | ||
| + | /* Error */ | ||
| + | EVP_CIPHER_CTX_cleanup(&ctx); | ||
| + | return 0; | ||
| + | } | ||
| + | fwrite(outbuf, 1, outlen, out); | ||
| + | EVP_CIPHER_CTX_cleanup(&ctx); | ||
| + | return 1; | ||
| + | } | ||
| </code> | </code> | ||
| - | <note important> | + | <note hint> |
| - | To compile using OpenSSL you will need to install the development version of the library which includes the header files. | + | You may need to change the the LDFLAGS in Makefile: |
| + | LDFLAGS=-lcrypto -ldl | ||
| + | </note> | ||
| - | Download the library from https://www.openssl.org/source/old/1.0.1/openssl-1.0.1f.tar.gz, and unpack it. | + | <note tip> |
| - | + | See the open ssl manual [[https://www.openssl.org/docs/man1.1.0/crypto/EVP_aes_256_gcm.html|here]] page for EVP encrypt to see the usage of the EVP functions and an example similar to the one above. | |
| - | Open the unpacked folder from bash, and run the following commands: | + | |
| - | <code bash> | + | |
| - | linux$ ./config --prefix=/home/student/local --openssldir=/home/student/local/openssl | + | |
| - | linux$ make | + | |
| - | linux$ make install_sw | + | |
| - | </code> | + | |
| - | + | ||
| - | To fix the makefile using the new paths, change the variables at the start with the ones below: | + | |
| - | <code makefile> | + | |
| - | LDFLAGS=-L/home/student/local/lib -lcrypto | + | |
| - | CFLAGS=-Wall -g -I/home/student/local/include | + | |
| - | </code> | + | |
| </note> | </note> | ||
