IT Security

profilekoby8855
Project1.doc

Public Key Cryptography

The learning objective of this problem is for students to get familiar with several public key cryptography concepts, such as public-key encryption, digital signature, public-key certificate, certificate authority, and authentication based on PKI.

Environment setup:

For this problem, you need to first set up the Ubuntu virtual machine environment based on the instructions in the Syllabus under “Special Software Installation Requirements”.

In addition, we will use openssl commands and libraries. Check if your Ubuntu has openssl installed by typing “openssl” in command line (type “exit” to exit the program). If it is not installed, you can install it using the following command:

% sudo apt-get install openssl

1: Become a Certificate Authority (CA)

A Certificate Authority (CA) is a trusted entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. A number of commercial CAs are treated as root CAs; VeriSign is the largest CA at the time of writing. Users who want to get digital certificates issued by the commercial CAs need to pay those CAs.

In this problem, we need to create digital certificates, but we are not going to pay any commercial CA. We will become a root CA ourselves, and then use this CA to issue certificate for others (e.g. servers). In this task, we will make ourselves a root CA, and generate a certificate for this CA. Unlike other certificates, which are usually signed by another CA, the root CA’s certificates are self-signed. Root CA’s certificates are usually pre-loaded into most operating systems, web browsers, and other software that rely on PKI. Root CA’s certificates are unconditionally trusted.

The Configuration File openssl.conf. In order to use OpenSSL to create certificates, you have to have a configuration file. The configuration file usually has an extension .cnf. It is used by three OpenSSL commands: ca, req and x509. The manual page of openssl.conf can be found using Google search. You can also get a copy of the configuration file from /usr/lib/ssl/openssl.cnf. After copying this file into your current directory, you need to create several sub-directories as specified in the configuration file (look at the [default CA] section):

dir = ./demoCA # Where everything is kept

certs = $dir/certs # Where the issued certs are kept

crl_dir = $dir/crl # Where the issued crl are kept

new_certs_dir = $dir/newcerts # default place for new certs.

database = $dir/index.txt # database index file.

serial = $dir/serial # The current serial number

For the index.txt file, simply create an empty file. For the serial file, put a single number in string format (e.g. 1000) in the file. Once you have set up the configuration file openssl.cnf, you can create and issue certificates.

Certificate Authority (CA). As we described before, we need to generate a self-signed certificate for our CA. This means that this CA is totally trusted, and its certificate will serve as the root certificate. You can run the following command to generate the self-signed certificate for the CA:

$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

You will be prompted for information and a password. Do not lose this password, because you will have to type the passphrase each time you want to use this CA to sign certificates for others. You will also be asked to fill in some information, such as the Country Name, Organization Name, Common Name, etc. Please use your own name for the Organization Name (if working in a team, use the name of one team member (Use this name Fred Ohene). The output of the command are stored in two files: ca.key and ca.crt. The file ca.key contains the CA’s private key, while ca.crt contains the public-key certificate.

Please include these two files, ca.key and ca.crt in the document you are submitting.

2: Create a Certificate for PKILabServer.com

Now that we have become a root CA, we are ready to sign digital certificates for our customers. Our first customer is a company called PKILabServer.com. For this company to get a digital certificate from a CA, it needs to go through three steps.

Step 1: Generate public/private key pair. The company needs to first create its own public/private key pair. We can run the following command to generate an RSA key pair (both private and public keys). You will also be required to provide a password to protect the keys. The keys will be stored in the file server.key:

$ openssl genrsa -des3 -out server.key 1024

Step 2: Generate a Certificate Signing Request (CSR). Once the company has the key file, it should generate a Certificate Signing Request (CSR). The CSR will be sent to the CA, who will generate a certificate for the key (usually after ensuring that identity information in the CSR matches with the server’s true identity). Please use PKILabServer.com as the Common Name of the certificate request.

$ openssl req -new -key server.key -out server.csr -config openssl.cnf

Step 3: Generating Certificates. The CSR file needs to have the CA’s signature to form a certificate. In the real world, the CSR files are usually sent to a trusted CA for their signature. In this lab, we will use our own trusted CA to generate certificates:

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

If OpenSSL refuses to generate certificates, it is very likely that the names in your requests do not match with those of CA. The matching rules are specified in the configuration file (look at the [policy match] section). You can change the names of your requests to comply with the policy (so you need to use the same names you used when you created the CA above), or you can change the policy. The configuration file also includes another policy (called policy anything), which is less restrictive. You can choose that policy by changing the following line:

"policy = policy_match" change to "policy = policy_anything".

Please include the files server.key, server.csr, server.crt in the document you are submitting.

3:Use PKI for Web Sites

We will now explore how public-key certificates are used by web sites to secure web browsing. First, we need to get our domain name. Let us use PKILabServer.com as our domain name. To get our computers recognize this domain name, let us add the following entry to /etc/hosts; this entry basically maps the domain name PKILabServer.com to our localhost (i.e., 127.0.0.1):

127.0.0.1 PKILabServer.com

Next, let us launch a simple web server with the certificate generated in the previous task. OpenSSL allows us to start a simple web server using the s_server command:

# Combine the secret key and certificate into one file

% cp server.key server.pem

% cat server.crt >> server.pem

# Launch the web server using server.pem

% openssl s_server -cert server.pem -www

By default, the server will listen on port 4433. You can alter that using the -accept option. Now, you can access the server using the following URL: https://PKILabServer.com:4433/. Most likely, you will get an error message from the browser. In Firefox, you will see a message like the following (under “Technical Details”): “pkilabserver.com:4433 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown”.

Had this certificate been assigned by VeriSign, we will not have such an error message, because VeriSign’s certificate is very likely preloaded into Firefox’s certificate repository already. Unfortunately, the certificate of PKILabServer.com is signed by our own CA (i.e., using ca.crt), and Firefox does not recognize this CA. There are two ways to get Firefox to accept our CA’s self-signed certificate:

· We can request Mozilla to include our CA’s certificate in its Firefox software, so everybody using Firefox can recognize our CA. This is how the real CAs, such as VeriSign, get their certificates into Firefox. Unfortunately, our own CA does not have a large enough market for Mozilla to include our certificate, so we will not pursue this direction.

· Load ca.crt into Firefox: We can manually add our CA’s certificate to the Firefox browser by clicking the following menu sequence: Edit -> Preference -> Advanced -> Encryption -> View Certificates

You will see a list of certificates that are already accepted by Firefox. From here, we can “import” our own certificate. Please import ca.crt, and select the following option: “Trust this CA to identify web sites”. You will see that our CA’s certificate is now in Firefox’s list of the accepted certificates. Now, point the browser to https://PKILabServer.com:4433. Please describe and explain your observations .

Please also do the following tasks:

1. Since PKILabServer.com points to the localhost, if we use https://localhost:4433 instead, we will be connecting to the same web server. Please do so, describe and explain your observations.

2. Modify a single byte of server.pem, and restart the server, and reload the URL. What do you observe? (to edit the file server.pem, you can install a hex editor called GHex using the command “sudo apt-get install ghex”; GHex will be installed as /usr/bin/ghex2).

PAGE

1