Assignment is to give you hands-on experience in


This assignment gives you hands-on experience in generating and using symmetric and public/private keys. Additionally, you will configure a web server to use SSL/TLS and, using tcpdump, verify its effect in encrypting traffic.

The tasks you should perform are

- Either use the same VM you used in Lab Assignment #01, or import a new one.
- In the VM
• generate symmetric keys and demonstrate their use in the encryption and decryption of messages
• generate public/private keys and demonstrate their use in the encryption and decryption of messages
• demonstrate the use of hash tools to test integrity of messages
• use tcpdump to monitor traffic on webserver
• configure the webserver to use SSL
• use tcpdump again to monitor SSL traffic on the webserver

In the description of this lab, I have annotated areas where I expect something from you by highlighting requirements in Red Bold. To complete this assignment, you will (this is repeated at the bottom of the assignment)
- provide thorough explanations of the command line options and other areas that I request

- provide images of the scenarios that I request
If you run into problems that you cannot resolve, you should first utilize the Blackboard Discussion forum for this class and seek help. If you are still unable to resolve the problem, you should provide a very clear explanation of what you have tried, and what has gone wrong.

preparing the Virtual Machine

You may use the same VM that you used in Lab Assignment #01. If you do, it has the advantage that the terminal prompt is already set up with your name in it.

If you choose to download a new one (it is exactly the same as the one you downloaded before), refer to the Quick Notes on Installation of VirtualBox, and Import/Usage of the Virtual Machine document from Lab Assignment #01 to import it and to set up the terminal command line prompt so that it has your name in it (recall the source .profile method you used before). It is important that your name is visible in at least some of your screenshots; your goal should be to show me that this is YOUR work, and not copied from somebody else.

Generation and use of symmetric keys

You should generate a symmetric key and then use it for the encryption and decryption of a file.

You may generate a random, symmetric key, symmkey, as follows

openssl rand -base64 16 > symmkey

You should generate the key, view it (with cat or an editor; if you use an editor, make sure that you don't modify the key), and provide a complete explanation of this command. Note that because the commands below pass this file with -pass file:, openssl enc reads its first line as a passphrase and derives the actual cipher key from it, so what you have generated is really a random password rather than the raw key bits.

Then, create a simple text file with your name in it to be used as a plaintext file in this lab. Assuming you name it plain.txt, you can use the symmetric key to encrypt it into a file, cipher.txt, as follows

openssl enc -des3 -e -in plain.txt -out cipher.txt -pass file:symmkey

Execute the command, view the encrypted file, and provide a complete explanation of this command. Two things to be aware of: recent OpenSSL releases print a warning that a deprecated key derivation is in use unless you add -pbkdf2 (the warning is expected here and does not mean the command failed), and 3DES (-des3) is a legacy cipher kept in this lab for illustration; for anything real you would choose AES.

Then, decryption can be performed as follows. In this example we save the decryption to plainnew.txt (note that this is a single command, not two separate ones):

openssl enc -des3 -d -in cipher.txt -out plainnew.txt -pass file:symmkey

Execute the command, verify the decryption, and provide a complete explanation of this command.

Recall that in the real world two parties would be involved in this transaction, and both would need a copy of this symmetric key. It would have to be transmitted securely, for example by encrypting it with the recipient's public key (a hybrid scheme, which is how most real protocols use public-key cryptography).
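The following script, added here as a worked example rather than part of the assignment, runs the full symmetric round trip from this section in a temporary directory: it uses the lab's 3DES command as given, then the same operation with AES-256-CBC and PBKDF2, and finally shows that a wrong passphrase does not yield the plaintext. It assumes openssl 1.1.1 or later and cmp are on your PATH; the file names match the ones used above.

```shell
#!/bin/sh
# Added example (not part of the assignment): symmetric encryption round trip
# with openssl enc, showing the lab's 3DES command beside a modern
# AES-256-CBC + PBKDF2 variant, and what a wrong passphrase does.
# Assumes: openssl (1.1.1 or later) and cmp on PATH. All files live in a
# temporary directory so nothing in your home directory is touched.

# Runs in a subshell so the cd does not leak; returns 0 only if every check passed.
symmetric_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    # The "key" file holds a random base64 string. With -pass file:, openssl
    # enc treats the FIRST LINE of this file as a passphrase and derives the
    # real cipher key (and IV) from it, so this is really a password file.
    openssl rand -base64 16 > symmkey
    printf 'plaintext written by the symmetric demo\n' > plain.txt

    # 1. The lab's command: 3DES with the legacy EVP_BytesToKey derivation.
    #    Recent OpenSSL prints "deprecated key derivation used" on stderr;
    #    that is expected and is the reason for step 2.
    openssl enc -des3 -e -in plain.txt -out cipher_des3.bin -pass file:symmkey 2>/dev/null || exit 1
    openssl enc -des3 -d -in cipher_des3.bin -out plainnew_des3.txt -pass file:symmkey 2>/dev/null || exit 1
    cmp -s plain.txt plainnew_des3.txt || exit 1
    echo "des3 round trip: ok"

    # 2. Same idea with a current cipher and a proper password KDF:
    #    -pbkdf2 -iter 100000 slows down brute force of the passphrase;
    #    the default random salt makes the derived key unique per encryption.
    openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -e -in plain.txt -out cipher_aes.bin -pass file:symmkey || exit 1
    openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -d -in cipher_aes.bin -out plainnew_aes.txt -pass file:symmkey || exit 1
    cmp -s plain.txt plainnew_aes.txt || exit 1
    echo "aes-256-cbc round trip: ok"

    # 3. Ciphertext differs from the plaintext and from the other ciphertext
    #    (different cipher, different random salt).
    if cmp -s plain.txt cipher_aes.bin; then exit 1; fi
    if cmp -s cipher_des3.bin cipher_aes.bin; then exit 1; fi

    # 4. A wrong passphrase must not recover the plaintext. openssl usually
    #    reports "bad decrypt" (padding check), but we compare the output
    #    rather than rely on the exit status, which is not guaranteed.
    openssl rand -base64 16 > wrongkey
    openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -d -in cipher_aes.bin -out wrong.txt -pass file:wrongkey 2>/dev/null || true
    if cmp -s plain.txt wrong.txt; then
        echo "decryption with wrong passphrase unexpectedly recovered the plaintext"
        exit 1
    fi
    echo "wrong passphrase rejected: ok"

    cd / && rm -rf "$dir"
)
```

Run it with `symmetric_demo`; each line it prints corresponds to one of the numbered checks, and a non-zero exit status means one of them failed.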

Generation and use of Public Key Infrastructure (PKI)

Next, you will generate a public/private key pair, then use the public key to encrypt a file, and the private key to decrypt it. Recall that in the real world, you would provide somebody with your public key, which they would use to encrypt the file, which can only be decrypted with the private key. Since you are the only person in the universe with the private key, you would receive the encrypted message and use your private key to decrypt it.

You may generate the private (e.g. myprivkey1.pem) and public (e.g. mypubkey1.pem) keys with the following commands:

(this is a single command, not two)
openssl genpkey -algorithm RSA -out myprivkey1.pem -pkeyopt rsa_keygen_bits:2048

openssl rsa -pubout -in myprivkey1.pem -out mypubkey1.pem

Execute these commands, view the two keys, and provide a complete explanation of these commands. Also, explain why the public key is much shorter than the private key.

Then, encrypt your plaintext as follows (this is a single command). Two caveats: rsautl is deprecated as of OpenSSL 3.0 in favour of openssl pkeyutl, which takes the same kind of options, and RSA can only encrypt data shorter than its modulus minus the padding overhead (245 bytes for a 2048-bit key with the PKCS#1 v1.5 padding rsautl uses by default), which is why the plaintext file must be small.

cat plain.txt | openssl rsautl -encrypt -pubin -inkey mypubkey1.pem > cipher.txt

Execute this command, view the resulting ciphertext, and provide a complete explanation of this command.

Then, you may decrypt the ciphertext with the private key as follows

cat cipher.txt | openssl rsautl -decrypt -inkey myprivkey1.pem

Execute the command, verify expected output, and provide a complete explanation of this command.

Then, try to decrypt the ciphertext with the public key rather than the private key and explain what happens.
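Added example, not part of the assignment: the same key generation, followed by encryption and decryption with openssl pkeyutl (the supported replacement for rsautl) using OAEP padding, the expected failure when the public key is used for decryption, the failure on a plaintext longer than one RSA block, and the hybrid pattern mentioned at the end of the symmetric section, where RSA wraps a random AES key and AES encrypts the data. It assumes openssl 1.1.1 or later and cmp on your PATH and runs in a temporary directory; the key file names are the lab's.

```shell
#!/bin/sh
# Added example (not from the assignment): RSA key pair generation and
# encryption/decryption with openssl pkeyutl, the non-deprecated replacement
# for the lab's openssl rsautl. Assumes openssl 1.1.1+ and cmp on PATH.
# Runs in a subshell inside a temp directory so nothing else is touched.

rsa_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    # Key pair: the private key PEM carries n, e, d, p, q and the CRT
    # values; the public key PEM carries only n and e, hence its size.
    openssl genpkey -algorithm RSA -out myprivkey1.pem -pkeyopt rsa_keygen_bits:2048 2>/dev/null || exit 1
    openssl rsa -pubout -in myprivkey1.pem -out mypubkey1.pem 2>/dev/null || exit 1

    printf 'short secret message\n' > plain.txt

    # 1. Encrypt with the PUBLIC key using OAEP padding (rsautl's default is
    #    PKCS#1 v1.5, which is exposed to padding-oracle attacks).
    openssl pkeyutl -encrypt -pubin -inkey mypubkey1.pem -pkeyopt rsa_padding_mode:oaep \
        -in plain.txt -out cipher.bin || exit 1

    # 2. Decrypt with the PRIVATE key and confirm the round trip.
    openssl pkeyutl -decrypt -inkey myprivkey1.pem -pkeyopt rsa_padding_mode:oaep \
        -in cipher.bin -out plainnew.txt || exit 1
    cmp -s plain.txt plainnew.txt || exit 1
    echo "rsa-oaep round trip: ok"

    # 3. Decrypting with the public key cannot work: the file has no private
    #    exponent, so openssl refuses to use it as a private key.
    if openssl pkeyutl -decrypt -inkey mypubkey1.pem -in cipher.bin -out /dev/null 2>/dev/null; then
        echo "decrypt with public key unexpectedly succeeded"; exit 1
    fi
    echo "decrypt with public key rejected: ok"

    # 4. RSA encrypts at most one block: with a 2048-bit key and OAEP/SHA-1
    #    the limit is 256 - 42 = 214 bytes. Anything longer fails, which is
    #    why real protocols encrypt a symmetric key with RSA, not the data.
    head -c 300 /dev/zero | tr '\0' 'A' > big.txt
    if openssl pkeyutl -encrypt -pubin -inkey mypubkey1.pem -pkeyopt rsa_padding_mode:oaep \
        -in big.txt -out /dev/null 2>/dev/null; then
        echo "oversized plaintext unexpectedly encrypted"; exit 1
    fi
    echo "oversized plaintext rejected: ok"

    # 5. Hybrid scheme: wrap a random symmetric key with RSA, encrypt the bulk
    #    data with AES under that key. The recipient unwraps the key with the
    #    private key, then decrypts the data.
    openssl rand -base64 32 > symmkey
    openssl pkeyutl -encrypt -pubin -inkey mypubkey1.pem -pkeyopt rsa_padding_mode:oaep \
        -in symmkey -out symmkey.wrapped || exit 1
    openssl enc -aes-256-cbc -pbkdf2 -e -in big.txt -out big.enc -pass file:symmkey || exit 1
    openssl pkeyutl -decrypt -inkey myprivkey1.pem -pkeyopt rsa_padding_mode:oaep \
        -in symmkey.wrapped -out symmkey.unwrapped || exit 1
    openssl enc -aes-256-cbc -pbkdf2 -d -in big.enc -out big.dec -pass file:symmkey.unwrapped || exit 1
    cmp -s big.txt big.dec || exit 1
    echo "hybrid rsa+aes round trip: ok"

    cd / && rm -rf "$dir"
)
```

Step 3 is the experiment the assignment asks you to try by hand; step 4 is the reason the lab's plaintext has to be a short file, and step 5 is what you would do instead for anything larger.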

Use of Hashing to Verify Message Integrity

So far you have experimented with some basic encryption schemes. You know how to do simple symmetric-key encryption and decryption, and with the public/private key pair you could encrypt the symmetric key so that both parties have it and it stays confidential. However, an impostor might have intercepted the message (the symmetric key being transmitted) and, just to be mean, changed a bit in it. Therefore you also need to worry about the integrity of the message and have some assurance that both parties hold the same key. Keep in mind that a plain hash only detects changes if the attacker cannot also replace the hash that travels with the message; in practice that requires a keyed hash (an HMAC) or a digital signature. Also, MD5, used below for convenience, is no longer considered collision-resistant; SHA-256 is the usual choice today.

Use the program md5sum, available in your VM, to create a hash of your encrypted data from the previous example.

md5sum cipher.txt

Then, create a copy of your ciphertext file, and edit that so exactly one character is altered, and then create another hash from that new file.

Create a screenshot of the window that shows the hash from both files. Explain how hashing could be used to verify integrity of the message.
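Added example (not the assignment's own material) for this section: it detects a one-character change with md5sum and sha256sum, shows that an attacker who can alter the message can just as easily recompute an unkeyed hash, and shows that an HMAC under a key the attacker does not have closes that gap. The message text is constructed for the example; it assumes coreutils (md5sum, sha256sum, cut, sed) and openssl on your PATH.

```shell
#!/bin/sh
# Added example (not from the assignment): detecting a one-character change
# with a hash, and why an unkeyed hash alone is not an integrity check.
# Assumes coreutils (md5sum, sha256sum, cut, sed) and openssl on PATH.

# Hex digest of a file with the given tool (md5sum or sha256sum).
digest() { "$1" "$2" | cut -d' ' -f1; }

# HMAC-SHA256 of a file under a shared secret key, hex output.
# openssl prints "HMAC-SHA256(file)= <hex>"; keep only the hex.
hmac_file() { openssl dgst -sha256 -hmac "$1" "$2" | sed 's/.*= //'; }

integrity_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    # Constructed message standing in for the lab's cipher.txt.
    printf 'transfer 100 to account 12345\n' > msg.txt
    # Tampered copy: exactly one character changed (100 -> 900).
    sed 's/100/900/' msg.txt > msg_tampered.txt

    # 1. Any change moves the hash; comparing digests reveals it.
    [ "$(digest md5sum msg.txt)" != "$(digest md5sum msg_tampered.txt)" ] || exit 1
    [ "$(digest sha256sum msg.txt)" != "$(digest sha256sum msg_tampered.txt)" ] || exit 1
    echo "one-character change detected by md5 and sha256: ok"

    # 2. But an attacker who can rewrite the message can also rewrite the
    #    hash sent with it; the receiver's check then passes on forged data.
    sent_hash=$(digest md5sum msg_tampered.txt)          # attacker recomputes
    [ "$sent_hash" = "$(digest md5sum msg_tampered.txt)" ] || exit 1
    echo "unkeyed hash recomputed by attacker: verification passes (bad)"

    # 3. An HMAC under a key the attacker lacks cannot be recomputed, so the
    #    forged message fails while the genuine one still verifies.
    key=$(openssl rand -hex 32)
    sender_tag=$(hmac_file "$key" msg.txt)
    [ "$sender_tag" = "$(hmac_file "$key" msg.txt)" ] || exit 1
    [ "$sender_tag" != "$(hmac_file "$key" msg_tampered.txt)" ] || exit 1
    echo "hmac-sha256 rejects the tampered message: ok"

    cd / && rm -rf "$dir"
)
```

The key in step 3 must be shared out of band or wrapped with the recipient's public key, exactly the problem the previous section solves; a digital signature (openssl dgst -sign) gives the same protection without a shared secret.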

Packet Analysis of HTTP Traffic

The VM for this lab has a web server (nginx) running (with PHP-CGI services), as well as a command-line web client, curl, and two web browsers, dillo and Opera. Before continuing, you should verify that services are listening on Ports 22 (ssh), 23 (telnet), 80 (http) and 9000 (php-cgi). You can use the command

netstat -tna

for this. If you don't see Ports 80 and 9000, then something is wrong and you should look into getting that resolved first. Later, you will configure and start an SSL server on Port 443, and when you issue the above command you will see the additional Port 443 in the list.

To test functionality, you can use one of the browsers, dillo or opera; you can type either in a terminal, and you will see that there are also icons for both at the bottom of the screen.

At URL http://localhost you should see the nginx welcome screen, and at URL http://localhost/secretentry.php you will see a very simple page I created that prompts the user for a "secret" and then echoes the secret back to the page. This page was created to demonstrate how your secrets are not so secret on a plain HTTP connection, but will be encrypted over an SSL/TLS connection. You shouldn't enter a "real" secret here; it's just a demo. Enter your name as the secret.

Once you have verified that you can access both pages, run tcpdump (it needs root privileges to capture, so prefix it with sudo if your prompt is not already root) and verify that you are able to see the plaintext from both URLs. In particular, you should find the "secret" that you entered, in plain text. Capturing on the loopback interface (-i lo) is correct here because the browser and the server are on the same VM; traffic from an outside client over eth1 would not appear on lo.

tcpdump -i lo -A port 80


This should convince you that any passwords used in this scenario are easily "sniffed" from the network. Take a screenshot of the VM showing the tcpdump terminal with your "secret" in it.

If you are interested in looking a little deeper, the HTML and PHP for these simple examples are located in /usr/local/nginx/html/.

Also, if you are interested in accessing this web server from the outside, you should be able to use the ifconfig command to find the IP address associated with eth1, and then point your outside browser (or curl, if you have it!) to the appropriate URL.

I recommend that, before proceeding with the next sections, you go ahead and save all of the work that you have done so far, and save it to another machine. Because you will be doing a little bit of system configuration, there is the possibility that you will mess something up in your VM. Of course, you can always download a new VM and start again, but you would have lost everything that you've done so far.

Configuration of SSL/TLS web server and subsequent packet analysis of HTTP traffic

As you know from previous examples, openssl has been installed on your VM, and it can be used to set up the transport layer security (TLS) for your web server. There are only a few steps necessary to make this happen. The following link may provide some guidance, and it's what I used to figure out how to set it up on this particular configuration. Note that it should not be taken verbatim, but just used to point you in the right direction.

https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04

Nevertheless, I will provide you with specific commands here. You will

- Create a directory that stores the certificate and key
- Create a self-signed certificate and private key for this web server using openssl
- Edit the web server configuration file to listen on port 443 for SSL, and to point to the certificate and key that you created
- Restart the web server so it reads the new configuration information
- Start using your SSL connection!

To create the directory for storing the certificate and key

cd /usr/local/etc/nginx
sudo mkdir ssl

To create the certificate and key, you may do the following (this is a single command, not three commands):

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/etc/nginx/ssl/nginx.key -out /usr/local/etc/nginx/ssl/nginx.crt

As you create the certificate it will ask you for several pieces of information. This information is stored in the certificate, and for this demonstration it mostly does not matter what you enter, but enter your name for the Organization Name, and use the hostname you will type into the browser (localhost) for the Common Name. Because the certificate is self-signed rather than issued by a CA the browser trusts, the browser will warn about it regardless; that is expected. Create the certificate and provide a complete explanation of this command.

Once completed, verify that you have the certificate and key in the expected directory.

Next, you will edit the web server configuration file, adding in SSL support. This file is owned by root, so you will need to use sudo when invoking the editor. In the file /usr/local/etc/nginx/nginx.conf, find the section that looks something like

server {
listen 80;
.
.
.
location / {
root html;
index index.html index.htm index.php;
}
}


In this block (in the area I have annotated with dots), enter the following three lines, which tell nginx to also listen on Port 443 for SSL/TLS and specify where the certificate and its private key are:

listen 443 ssl;
ssl_certificate /usr/local/etc/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/nginx.key;

Leave the existing listen 80; line in place so that the plaintext server keeps running for comparison.


Make sure you create the lines exactly as specified above, including the semicolons.

The server is now configured and needs to be restarted so that it reads the new configuration. Hopefully, you will be able to do this as follows:

sudo /usr/local/etc/init.d/nginx reload

If this does not work, first check the configuration for syntax errors (the nginx binary accepts a -t option that tests the configuration without starting the server); a missing semicolon in the lines you added is the usual cause. Failing that, you may need to reboot your VM. You will know it worked by issuing the netstat -tna command and seeing that Port 443 has been added to the list of listening ports.
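Added example (not part of the assignment) covering the certificate and configuration steps above: the same openssl req command made non-interactive with -subj and given a subjectAltName (which current browsers require; -addext needs OpenSSL 1.1.1 or later), the checks to run before pointing nginx at the files (self-signed, SAN present, key matches certificate, currently valid), and the complete server block with the three lines from the lab plus an ssl_protocols restriction. The Organization name is a placeholder, and make_cert defaults to a temporary directory so the real /usr/local/etc/nginx/ssl is only written when you pass it explicitly. On the lab's older nginx, drop TLSv1.3 from ssl_protocols if nginx -t rejects it.

```shell
#!/bin/sh
# Added example (not from the assignment): non-interactive creation of the
# self-signed certificate, checks a practitioner runs before pointing nginx
# at it, and a complete nginx server block. Assumes openssl 1.1.1+ (for
# -addext) and sha256sum on PATH. Writes into the directory you pass in,
# defaulting to a temp directory so the real /usr/local/etc/nginx/ssl is
# untouched unless you ask for it.

make_cert() (
    ssl_dir=${1:-$(mktemp -d)}
    mkdir -p "$ssl_dir" || exit 1

    # Same command as the lab, with -subj so it needs no prompts and -addext
    # adding a subjectAltName, which current browsers require in place of
    # matching on the Common Name alone. "Your Name" is a placeholder.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$ssl_dir/nginx.key" -out "$ssl_dir/nginx.crt" \
        -subj "/C=US/O=Your Name/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null || exit 1

    # -nodes left the key unencrypted so nginx can start unattended;
    # compensate by making it readable by its owner only.
    chmod 600 "$ssl_dir/nginx.key"
    echo "$ssl_dir"
)

# Checks: self-signed => subject equals issuer; SAN present; key and
# certificate carry the same public key; certificate currently valid.
check_cert() {
    crt=$1; key=$2
    subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
    [ "$subject" = "$issuer" ] || { echo "not self-signed"; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q 'DNS:localhost' || { echo "no SAN"; return 1; }
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | sha256sum)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
    echo "certificate checks: ok"
}

# Emit the nginx server block the lab describes, plus the protocol
# restriction you would add in production. Paths default to the lab's.
nginx_server_block() {
    ssl_dir=${1:-/usr/local/etc/nginx/ssl}
    cat <<EOF
server {
    listen 80;
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     $ssl_dir/nginx.crt;
    ssl_certificate_key $ssl_dir/nginx.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        root  html;
        index index.html index.htm index.php;
    }
}
EOF
}
```

Typical use: `d=$(make_cert /usr/local/etc/nginx/ssl)` (as root), then `check_cert "$d/nginx.crt" "$d/nginx.key"`, then paste the output of `nginx_server_block` over the server block in nginx.conf and run the -t check before reloading. The subject/issuer comparison is the command-line equivalent of the Issuer field you inspect in the browser later: for a self-signed certificate they are identical.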

Now you can test this by opening the Opera web browser (it will also work with the Dillo web browser, but the following interaction will be a little different) and pointing it at the nginx welcome page over https (note the https, not http). You will be presented with the opportunity to approve the certificate. Before you do, click on the Details tab, click on the certificate (there will probably only be one), and look at some of the fields. You should see that the fields correspond to what you entered when you created the certificate, including your name. Click on the Issuer field and take a snapshot of this. Because the certificate is self-signed, the Issuer is the same as the Subject: nobody but you has vouched for it, which is exactly why the browser asks you to approve it.


Once you have approved the certificate, it should show you the nginx welcoming screen.

Note that you can also view your certificate at the command line as follows (if you approve the certificate above before you get a chance to display the Details, you can instead provide a snapshot of the first part of the output of this command):

openssl x509 -in /usr/local/etc/nginx/ssl/nginx.crt -text -noout

To complete this assignment, use tcpdump to monitor the SSL server (remember, it is not running on Port 80 like the plaintext web server, but on Port 443, so change the port in the tcpdump filter you used earlier accordingly), submit your secret again through the secretentry.php page, this time over https, and verify that TLS has encrypted it so that it is not accessible to someone who intercepts the traffic: you should not see it in plaintext in your tcpdump output. What you will see instead are the TLS handshake and the encrypted application-data records.
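Added example (not from the assignment) serving both the port-80 capture earlier and the port-443 capture here. The capture helpers wrap the lab's tcpdump invocation, writing a pcap so the same capture can be re-read in ASCII or hex; they need root and the lab VM, so they are defined but not run. The rest works on any machine: a classifier that tells a plaintext HTTP request from a TLS handshake or application-data record by its leading bytes, and a search for the secret over a constructed sample of what the port-80 dump contains (the sample is made up for this example, not captured from the VM; the real form may use GET or POST, and the value is visible in the capture either way).

```shell
#!/bin/sh
# Added example (not from the assignment): the two captures side by side,
# and a small classifier that shows what you are looking at in the output.
# The capture functions need root and the lab VM; the classifier and the
# search run anywhere. Assumes tcpdump (for captures), grep and od on PATH.

# Capture loopback traffic for one port to a pcap (-w) so the same capture
# can be re-read with -A (ASCII) or -X (hex+ASCII) later. Run as root.
capture_port() { sudo tcpdump -i lo -s 0 -w "capture_$1.pcap" "tcp port $1"; }

# Print a saved capture as ASCII, as the lab's command does live.
dump_ascii() { tcpdump -r "$1" -A; }

# Count the lines of a decoded dump that contain the secret string.
# grep -a treats binary data as text so a TLS dump does not abort the search.
count_secret() { grep -a -c -- "$2" "$1"; }

# Classify a TCP payload by its first bytes (hex, no spaces):
#   plaintext HTTP starts with a method name ("GET ", "POST", "HEAD");
#   TLS records start with a content-type byte followed by a version:
#   0x16 = handshake (ClientHello/ServerHello: visible, carries no secret)
#   0x17 = application_data (the encrypted HTTP request and response).
classify_payload() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$hex" in
        474554*|504f5354*|48454144*) echo "http-plaintext" ;;
        160301*|160302*|160303*)     echo "tls-handshake" ;;
        170303*)                     echo "tls-appdata" ;;
        *)                           echo "unknown" ;;
    esac
}

# First N bytes (default 4) of a file as a hex string, for classify_payload.
payload_hex() { head -c "${2:-4}" "$1" | od -An -tx1 | tr -d ' \n'; }

# Constructed sample of what tcpdump -A shows on port 80 when the secret
# form is submitted (made up for this example, not captured from the VM).
http_sample() {
cat <<'EOF'
POST /secretentry.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

secret=Alice+Smith
EOF
}

tcpdump_demo() (
    dir=$(mktemp -d) || exit 1
    http_sample > "$dir/port80.txt"
    # Constructed stand-in for a port-443 record: header 17 03 03 00 20
    # (application_data, TLS 1.2 record version, 32-byte body) plus opaque bytes.
    printf '\027\003\003\000\040' > "$dir/port443.bin"
    head -c 32 /dev/urandom >> "$dir/port443.bin"
    echo "port 80 lines containing the secret: $(count_secret "$dir/port80.txt" Alice)"
    echo "port 80 payload: $(classify_payload "$(payload_hex "$dir/port80.txt")")"
    echo "port 443 payload: $(classify_payload "$(payload_hex "$dir/port443.bin")")"
    rm -rf "$dir"
)
```

On the VM, `capture_port 80` and `capture_port 443` in two terminals while you submit the form over http and https, then `dump_ascii capture_80.pcap | grep -a secret=` finds your name and the same search over capture_443.pcap finds nothing; `tcpdump -r capture_443.pcap -X` shows the 16 03 and 17 03 03 record headers the classifier recognises, with nothing readable behind them.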

To complete this assignment, you will

- provide thorough explanations of the command line options and other areas that I request. I have given you almost every command that you need. You should explain EACH flag and argument to demonstrate to me that you understand what I have given you. Many students lose points by not providing enough detail.
- provide images of the scenarios that I request

Please put everything in a single PDF or Word (or OpenOffice) document.

If you run into problems that you cannot resolve, you should first utilize the Blackboard Discussion forum for this class and seek help. If you are still unable to resolve the problem, you should provide a very clear explanation of what you have tried, and what has gone wrong.

Note that if you are trying to get a screenshot of your VM, you can simply use the Host+E command, where "Host" for most of you would be Right CTRL. In other words, Right-CTRL+E should allow you to get a screenshot of your current VM. You may also use the screen dump capability of your host operating system.
