Lab 3 - PKI
Lab 3 - PKI
Lab 3 - PKI
©
Science Foundation.
Parts Copyright 2021 Essam Ghadafi (UWE Bristol), All rights reserved.
Contents
1 Aims & Objectives 2
1.1 Optional Additional Reading Resources . . . . . . . . . . . . . . . . . . 2
2 Lab Tasks 2
2.1 Task 1: RSA Key Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . 2
2.1.1 Task Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.2 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Task 2: Creating a Certificate Authority (CA) . . . . . . . . . . . . . . 3
2.2.1 Task Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.2 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3 Task 3: Using your CA to Issue Certificates . . . . . . . . . . . . . . . . 4
2.3.1 Task Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3.2 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.4 Task 4: Deploying Certificates in OpenSSL HTTPS Server . . . . . . . . 6
2.4.1 Task Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.4.2 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.5 Task 5: Deploying Certificates in Apache HTTPS Server . . . . . . . . . 8
2.5.1 Task Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.5.2 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.6 Task 6: Impersonating a Website (Man-in-the-Middle) . . . . . . . . . . 10
2.6.1 Task Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.6.2 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.7 Task 7: Alternative Approaches to (Certificate-Based) PKI (Research
Task) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.7.1 Task Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3 What to Submit 11
3.1 Plagiarism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4 Marking Criteria 13
Page 1 of 14
UFCFVN-30-M Computer & Network Security Lab
2 Lab Tasks
This section contains the specification of the required tasks.
Important Note: In some of the tasks you will be required to create a domain
of the form UWEFirstNameLastName.com. You need to replace FirstName and
LastName with your own first and last names, respectively. For instance, my domain
would be UWEEssamGhadafi.com. No marks will be given for the tasks in question
if your domain does not correspond to your own name.
Page 2 of 14
UFCFVN-30-M Computer & Network Security Lab
What to Submit: You need to submit the value of the private exponent d (in
hexadecimal), the code snippet you used, and a screenshot of the steps you used to
complete the task. Also, you are free to include any interesting observations you have
made/learnt from doing the task.
2.1.2 Guidelines
The lecture slides and lab sheet concerned with Public-Key and Digital Signatures
might come in handy when answering this task.
Important Note: The CA key you generate must be 4096-bit RSA key and the
used hash function to self-sign the CA certificate need to be SHA 512.
What to Submit: You need to include a screenshot of the steps and commands
you used to complete the task. Also, you are free to include any interesting observa-
tions you have made/learnt from doing the task.
2.2.2 Guidelines
To create a self-signed certificate for a CA, we can use the OpenSSL req -x509 to
generate a key and self-signed certificate for the CA. The syntax of the command is
as follows:
o p e n s s l r e q −new −newkey r s a : K e y S i z e −x509 −k e y o u t K e y F i l e −o u t C e r t F i l e \
−c o n f i g C o n f i g F i l e
Where:
KeySize: is the desired size in bits of the key.
KeyFile: is the name of the file to which the key will be stored.
Page 3 of 14
UFCFVN-30-M Computer & Network Security Lab
CertFile: is the name of the file to which the certificate will be stored.
ConfigFile: is the name of the file containing the configuration. In Blackboard
you can find an example configuration file openssl.cnf.
Note that there are other options of the command than the above. For instance, one
can choose the hashing algorithm to be used in the signing by adding, e.g.-sha256,
-sha512, -md5, etc.
Using the configuration file (openssl.cnf) requires creating some directories and
files. After copying the configuration file into your current directory, you need to create
several sub-directories as specified in the configuration file (which can be found under
the [CA default] section in the file):
dir = ./demodir # Where e v e r y t h i n g i s k e p t
certs = $dir / cert # Where t h e i s s u e d c e r t s a r e k e p t
crl dir = $dir / crl # Where t h e i s s u e d c r l a r e k e p t
database = $ d i r / index . txt # database index f i l e
new certs dir = $dir / newcerts # d e f a u l t p l a c e f o r new c e r t s
serial = $dir / s e r i a l # The c u r r e n t s e r i a l number
Towards that end, under your current directory create a directory with the name
specified in dir. Then under the newly created directory create the above 3 directories
(i.e. cert, crl and newcerts). Also, along with those 3 subdirectories, you need
to create 2 files: index.txt and serial. The file index.txt can be left empty,
whereas in the file serial put a single number in string format (e.g. 1000).
You can also specify the default hash function to be used by modifying the following
line in the openssl.cnf file:
default md = md5 # which md t o u s e
Where you can replace md5 with any other supported hash function, e.g. sha256.
When you run the above command, you will be prompted for some information
(e.g. Country, Organisation Name, etc.) and a password. You need to remember
the chosen password as this will be needed every time you need this CA to issue a
certificate. For the other requested details, you can fill them however you want.
To view the content of a certificate, you can use the following command:
o p e n s s l x509 −i n C e r t F i l e −noout −t e x t
Where:
CertFile: is the name of the file containing the certificate.
Page 4 of 14
UFCFVN-30-M Computer & Network Security Lab
Important Note: The server’s key you generate here must be 2048-bit RSA key and
the used hash function to sign the server’s certificate need to be SHA 256. Also, when
generating your CSR, you must use the Common Name UWEFirstNameLastName.com
where you replace FirstName and LastName with your own first and last names,
respectively.
2.3.2 Guidelines
The steps one needs to follow when a server would like to obtain a certificate from a
CA are as follows:
1. The server generates its key pair.
2. The server submits a Certificate Signing Request (CSR) to the CA to request
the certificate.
3. The CA issues the certificate which binds the server’s public-key to its identity.
Step 1 was covered in the Public-Key and Digital Signature lab sheet.
To obtain a CSR, the server uses the following command:
o p e n s s l r e q −new −key K e y F i l e −o u t CSRFile −c o n f i g C o n f i g F i l e
Where:
KeyFile: is the name of the file containing the (private) server’s key.
CSRFile: is the name of the file to which the CSR will be stored.
ConfigFile: is the name of the file containing the configuration. You can use the
file openssl.cnf used earlier.
When you run the above command, you will be prompted for some information
(e.g. Country, Organisation Name, etc.) and the password associated with your server’s
key file. Please remember that for this task the Common Name in the CSR must be in
the form UWEFirstNameLastName.com as detailed above. The rest of the requested
information in the CSR can be filled however you want.
When the CA receives the server’s certificate request (CSR), after verifying its
identity, the CA will generate the certificate for the server. This can be achieved by
the following command:
Where:
Page 5 of 14
UFCFVN-30-M Computer & Network Security Lab
CACertFile: is the name of the file containing the CA’s own certificate.
CAKeyFile: is the name of the file containing the CA’s key which will be used to
sign the server’s certificate.
ConfigFile: is the name of the file containing the configuration. You can use the
openssl.cnf file for this.
To avoid OpenSSL rejecting to sign the server’s certificate if the CA details do not align
with those of the server, e.g. they belong to different countries, change the following
line in the configuration file:
policy = policy match
to
policy = policy anything
Important Note: As stated in Section 2.4.2, you must update the file index.html
to replace FirstName and LastName with your own first and last names, respec-
tively. No marks will be given for this task if you do not do that.
2.4.2 Guidelines
To resolve the IP address of the server (i.e. UWEFirstNameLastName.com) for which
you have issued your server’s certificate, you need to add the following line to the file
(/etc/hosts):
127.0.0.1 UWEFirstNameLastName . com
Page 6 of 14
UFCFVN-30-M Computer & Network Security Lab
Note that to edit /etc/hosts, you need to be a super user, e.g. to edit the file, you
can use the following command from a terminal :
sudo g e d i t / e t c / h o s t s
Of course, you can use any other preferred editor than gedit, e.g. nano, to edit the
file if you wish.
The next step is to launch the OpenSSL web server using your server’s certificate.
This can be achieved by performing the following steps:
1. Combining your Server’s Key & Certificate:
The aim here is to combine the server’s certificate (you created in the previous
task) and the corresponding server’s key into one file. This can be achieved by
the following command:
c a t S e r v e r K e y F i l e S e r v e r C e r t F i l e > NewFileName
Where:
ServerKeyFile: is the name of the file containing your server’s key.
ServerCertFile: is the name of the file containing your server’s certificate.
NewFileName: is the name of the file where the combination of key and cer-
tificate of the server will be stored. You can choose whatever name you
wish but it is a good idea to make the extension of the file .pem.
Note that if you are running the above command from a directory different from
that where the first two files are stored, you need to provide the full path to
those two files.
Where NewFileName is the same file name as that you used in the previous
step. Note that the default port on which the server will listen is 4433. This can
be overridden by adding the option -accept PortNo to the above command,
where PortNo is the port number you wish the server to listen on instead of
port 4433. Also, note that you need to the leave the window from which you ran
this command open so that the server is still running.
3. Accessing the Server’s Web Page:
Assuming you have finished the first 2 steps, download the the simple web page
index.html from Blackboard and save it to the same directory from within
which you have executed the command in the previous step. Then using an
editor of your choice, e.g. nano, gedit, etc., edit index.html and replace
Page 7 of 14
UFCFVN-30-M Computer & Network Security Lab
FirstName and LastName with your own first and last names, respectively, and
save the file.
Now using a web browser of your choice, e.g. Firefox, browse the url:
h t t p s : / / UWEFirstNameLastName . com : PortNo / i n d e x . html
where you replace PortNo with the actual port NO you used to launch the web
server in the previous step. Also, FirstName and LastName are your first and
last names, respectively.
If you followed the above steps correctly, the browser should display an error mes-
sage along the lines Potential Security Risk Ahead or The certificate
is not trusted because the issuer certificate is unknown. This is
due to the fact that the CA your created is not among the authorities your browser
trusts.
The next step is for you to add your CA to the list of the trusted authori-
ties by the browser. For instance, in FireFox, you can add your CA as a trusted
certification authority by choosing Preferences → Privacy & Security →
View Certificates → Authorities → Import from the FireFox menu and
then navigating to your CA’s certificate file that you have created in Task 2. Note
that unless your CA certificate file has the extension .pem, you need to select All
Files rather than Certificate Files when navigating to the file. Tick This
certificate can identify web sites when adding the authority as a trusted
one. Note that these steps assume you are using the version of FireFox on the UWE
VM. The latter step might differ if you are using another browser or a different version
of FireFox.
Now if you navigate to the same url, you should not see the error message any
more and instead you should see the simple web page which contains your name.
Page 8 of 14
UFCFVN-30-M Computer & Network Security Lab
2.5.2 Guidelines
Rather than using the simple OpenSSL HTTPS server, here we will use the Apache
web server which is already installed on the UWE VM. We need to configure the
Apache server so that it can link the server’s private key and certificate to its domain.
Also, we need to inform the Apache server where the associated HTML files are stored.
In the folder /etc/apache2/sites-available, you will find the 2 files:
000-default.conf and default-ssl.conf
Carefully edit the file default-ssl.conf (using an editor of your choice) to add
the following entries for your server’s website:
<V i r t u a l H o s t * :443 >
ServerName UWEFirstNameLastName . com
DocumentRoot F o l d e r
D i r e c t o r y I n d e x i n d e x . html
SSLEngine On
SSLCertificateFile ServerCertFile
SSLCertificateKeyFile ServerKeyFile
</ V i r t u a l H o s t >
Where Folder is the path of the folder which contains the HTML files for the server’s
website. Usually such folders are under /var/www/, so create a folder there and copy
the index.html you used in the previous task to the new folder. ServerCertFile
and ServerKeyFile are the files (including the full path) containing the server’s
certificate and key files, respectively. Note that to edit the above file your need to be
a super user. Also, it might be a good idea to backup the file before you edit it just
in case things go wrong and you need to revert to the original version.
In order for these entries to be recognised by the Apache server, you need to execute
the following steps from the command-line:
1. Testing the Apache configuration file:
This can be done by executing the following command:
sudo a p a c h e c t l configtest
Page 9 of 14
UFCFVN-30-M Computer & Network Security Lab
sudo a 2 e n s i t e d e f a u l t − s s l
If you followed all the above steps correctly, now launch the web browser of your
choice and browse the following 2 urls and report your findings:
http://UWEFirstNameLastName.com
https://UWEFirstNameLastName.com
Again, FirstName and LastName are replaced with those of your own.
2.6.2 Guidelines
Here you will attempt to impersonate the UWE website www.uwe.ac.uk so that
instead of the visitor being redirected to the genuine IP address, they will be redirected
to our fake server. In particular, we will redirect the visitor to the server’s web page
you used in the previous task. Please follow the below steps and report your findings:
1. Add the following line to the file (/etc/hosts):
127.0.0.1 www. uwe . ac . uk
Remember that to edit the above file you need to be a super user.
2. As in the previous task, add the 2 entries for www.uwe.ac.uk to default-ssl.conf.
The entries you need to add are identical to those you added for your server in
the previous task. The only difference is that instead of the server name being
UWEFirstNameLastName.com as it was for your sever, it will be www.uwe.ac.uk.
The rest of the details will remain the same as they were for your server in the
previous task. More precisely, add the following entries to the file:
<V i r t u a l H o s t * :443 >
ServerName www. uwe . ac . uk
DocumentRoot F o l d e r
D i r e c t o r y I n d e x i n d e x . html
Page 10 of 14
UFCFVN-30-M Computer & Network Security Lab
SSLEngine On
SSLCertificateFile ServerCertFile
SSLCertificateKeyFile ServerKeyFile
</ V i r t u a l H o s t >
3 What to Submit
You need to submit a detailed report, with screenshots, to describe what you have
done, what you have observed, and how you reached your conclusion/answer for each
task. The format of the report is up to you but you must adhere to the requirements
mentioned in What to Submit at the end of the tasks. The report should be of a
Page 11 of 14
UFCFVN-30-M Computer & Network Security Lab
professional standard. You need to provide explanation to the observations that are
interesting or surprising. Please also list any important code snippets you have written
followed by explanation. Simply attaching code or screenshots without any explanation
will not receive credits. The report must demonstrate your understanding of the
subject and material and not just be a log of your actions. All screenshots in the
report must have your student number and date stamp in the user prompt. Failure to
include these details in the screenshots will invalidate the report and receive a mark of
zero.
3.1 Plagiarism
This is an assessed lab sheet and while it is acceptable to discuss your assignment with
your peers as per the university rules, this assignment is intended as an individual
assignment. Submissions that are substantially similar will be subject to investigation
according to university regulations and any proven cases will be dealt with according
to the regulations. More details can be found here http://www1.uwe.ac.uk/
students/academicadvice/assessments/assessmentoffences.aspx
Page 12 of 14
4 Marking Criteria
tle or no insight sis is lacking in works but lacks but could be works; demon- evant works;
into the problem most aspects depth; demon- more critical; strates excellent demonstrates
strates some demonstrates insight into the outstanding in-
insight into the good insight into problem. Good sight into the
problem the problem. use of sources problem and fully
Good use of and all sources covers all aspects.
sources are appropriately Excellent use
referenced of sources and
all sources are
appropriately
referenced
Report Very poor Weak presenta- Has not followed Partially follows Follows required Excellent presen- Excellent presen-
Presen- presentation tion required conven- required prac- presentational tation: typos/er- tation
tation tions; poor proof- tices; some issues practices; a few rors in punctua-
(10%) reading to be addressed typos/errors in tion etc. are rare
e.g., typos, punctuation or
punctuation grammar
UFCFVN-30-M Computer & Network Security Lab
Page 14 of 14