Crypto Lab

Crypto Lab – Secure mail, Public-Key Cryptography and PKI
Lab Report RES431 TP1
Botu SUN
Tengfei ZHAI
Index
Task 1: Obtain a personal certificate and send signed mails
1. E-mail client configuration
2. Client certificate generation
Task 2: Become a Certificate Authority (CA)
Task 3: Create a Certificate for PKILabServer.com
Task 4: Use PKI for Web Sites
Task 5: Performance Comparison: RSA versus AES
Task 6: Create Digital Signature
Task 1: Obtain a personal certificate and send signed mails
1. E-mail client configuration
a) What is the difference between the protocols IMAP and IMAPS, and SMTP and SMTPS?
IMAP is short for Internet Message Access Protocol, and SMTP is short for Simple Mail Transfer Protocol. The letter “S” in IMAPS and SMTPS means Secure Sockets Layer (SSL), which has since been renamed Transport Layer Security (TLS). IMAPS is IMAP over TLS and SMTPS is SMTP over TLS; both are secured by TLS and therefore provide a more secure mechanism for normal email services.
2. Client certificate generation
a) Describe the procedure you’ve followed to generate your certificate.
First, browse to http://www.cacert.org/ and click “Join” on the right. Then fill in the fields of the registration page using our school email address and submit it. A moment later, I received the confirmation email; after clicking on the link, the account was ready for use. After logging into the site, click “Client Certificates” on the right, then “New”, choose the email address that I had just entered and, on the next page, click to install the certificate in my browser. I can then export it from the settings page of the browser for future use.
b) Why do we have to download and install the certificate of the Certificate Authority (CA) before installing our own certificate?
Every certificate is certified by another certificate, and some certificates, the root certificates, are publicly considered to be secure and serve to ensure the integrity of the other certificates.
c) Which is the precise identity of the CA? The certificate is valid from which date to which date?
E = botu.sun@telecom-bretagne.eu
CN = CAcert WoT User
Valid from: 12/17/2012 22:03:16
Valid until: 06/15/2013 23:03:16
d) In which field of the certificate you find your e-mail? Your public key? The CA?
In the certificate “Subject” area
In the “Subject's Public Key” area
In the “Issuer” area
e) Why do we need to install the certificates in the MUA and the web browser separately? Is there a system repository of certificates? Is it used by all browsers and all MUAs?
Because they don’t share the same certificate library, in case we need different certificate policies in different situations.
Yes, there is a system repository of certificates, and it’s shared with some, but not all, browsers and MUAs.
f) Exchange of encrypted and/or signed e-mails
Test email:
Subject: Hello
Content: Hello
Non-signed and non-encrypted: 31 lines
Only signed: 90 lines
Only encrypted: 44 lines
Signed and encrypted: 114 lines
Task 2: Become a Certificate Authority (CA)
Task 3: Create a Certificate for PKILabServer.com
Task 4: Use PKI for Web Sites
Before importing the certificate into the browser, the certificate is invalid, so the browser gives a warning message concerning security issues.
Import our own root certificate into the browser:
After the import, we reloaded the page and found that the warning message about an invalid certificate had disappeared and the browser opened the test site correctly, with a small lock sign next to the address area, which means that my browser now accepts the certificate signed for PKILabServer.com as a valid certificate. This is because I've imported the root certificate into the browser and set it to be trusted as a root, and therefore all certificates signed and certified by this certificate will be trusted. In this case, it's PKILabServer.com.
After modifying a single byte in “server.pem”, we still need to restart the test server for the newly modified certificate to take effect. We found that the site wouldn't open and gave an error. This is because the certificate was modified illegally and the signature doesn't match.
Although we've imported the root certificate that certified server.pem, using the address https://localhost:4433 still gives us a warning message about an untrusted certificate. The cause may be that the certificate is only valid for the domain PKILabServer.com; therefore, if we use another domain to access the site (localhost in this case), the certificate will be considered untrusted.
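The three outcomes described in Task 4 (rejected before the root is imported, trusted afterwards, rejected again under the name localhost) can be reproduced on the command line. This script is an added example, not the authors' commands; the CA name "Lab Root CA" and the file names ca.key, ca.crt, server.key, server.csr and server.crt are assumptions, and passing -CAfile to openssl verify stands in for importing the root into the browser.

```shell
#!/bin/sh
# Added example: reproduce the Task 4 trust decisions with "openssl verify".
set -e
cd "$(mktemp -d)"                          # scratch directory

# Root CA: self-signed certificate (the name "Lab Root CA" is an assumption).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Lab Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# Server key and signing request for the host name used in the lab.
openssl req -newkey rsa:2048 -nodes -subj "/CN=PKILabServer.com" \
  -keyout server.key -out server.csr 2>/dev/null

# The CA signs the request, producing the server certificate.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -days 30 -out server.crt 2>/dev/null

# verdict HOST [verify options]: prints "trusted" or "rejected" for server.crt.
# The chain must lead to a trusted root AND the certificate must name HOST.
verdict() {
  host=$1; shift
  if openssl verify "$@" -verify_hostname "$host" server.crt >/dev/null 2>&1
  then echo trusted
  else echo rejected
  fi
}

echo "root not imported:        $(verdict PKILabServer.com)"
echo "root imported:            $(verdict PKILabServer.com -CAfile ca.crt)"
echo "root imported, localhost: $(verdict localhost -CAfile ca.crt)"
```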
Task 5: Performance Comparison: RSA versus AES
First, generate the key:
openssl genrsa -des3 -out task5.key 1024
1. Encrypt message.txt using the public key; save the output in message_enc.txt.
openssl rsautl -encrypt -in message.txt -inkey task5.key -out message_enc.txt
2. Decrypt message_enc.txt using the private key.
openssl rsautl -decrypt -in message_enc.txt -inkey task5.key -out message_dec.txt
3. Encrypt message.txt using a 128-bit AES key.
openssl enc -aes-128-cbc < message.txt > message_enc_aes.txt
4. Compare the time spent on each of the above operations, and describe your observations. If an operation is too fast, you may want to repeat it many times, and then take an average. You might want to look at the Linux command “time”, which measures the duration of the execution of a command.
The operations are too fast to measure, and even with the command “time” they have a similar time: 0.008s
5. Try running the tests over a significant number of repetitions, e.g. 1000 or more executions of the command. Hint: use a script that runs the command the required number of times, and then use the command “time” to calculate the overall time of execution.
First, we separate the public key so we won't have to enter the password every time:
openssl rsa -in task5.key -pubout -out test_pub.key
Then we use the script to encrypt message.txt 1000 times with the RSA public key.
We now change the method to 128-bit AES:
In these results we couldn’t see a significant difference between the speed of RSA and AES, respectively asymmetric and symmetric. This may be caused by the fact that the file is too small; maybe with a larger file, the symmetric encryption would win in encryption speed.
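The script below is an added example of the kind of loop step 5 asks for, not the authors' own script: it repeats each operation N times (100 by default; pass 1000 as the first argument) and prints the total time. Assumptions: the key is generated without -des3 so no passphrase is requested, pkeyutl is used in place of the deprecated rsautl, the AES key and IV are constructed values, and an extra "baseline" run starts openssl without encrypting anything so the per-process overhead can be read next to the other totals.

```shell
#!/bin/sh
# Added example: repeat each openssl operation N times and compare total times.
set -e
cd "$(mktemp -d)"                        # scratch directory for the test files

printf 'Hello\n' > message.txt           # constructed sample message
# Same key size as the lab; no -des3, so the loop never asks for a passphrase.
openssl genrsa -out task5.key 1024 2>/dev/null
openssl rsa -in task5.key -pubout -out test_pub.key 2>/dev/null

KEY=00112233445566778899aabbccddeeff     # constructed 128-bit AES key (hex)
IV=000102030405060708090a0b0c0d0e0f      # constructed IV (hex)

# pkeyutl is the current replacement for the deprecated rsautl command.
rsa_enc() { openssl pkeyutl -encrypt -pubin -inkey test_pub.key -in message.txt -out message_enc.txt; }
rsa_dec() { openssl pkeyutl -decrypt -inkey task5.key -in message_enc.txt -out message_dec.txt; }
# -K/-iv give the key directly: no password prompt, no key derivation timed.
aes_enc() { openssl enc -aes-128-cbc -K "$KEY" -iv "$IV" -in message.txt -out message_enc_aes.txt; }
# Starts openssl without encrypting anything: the fixed cost paid by every run.
baseline() { openssl version > /dev/null; }

# Current time in milliseconds; falls back to whole seconds without %N support.
now_ms() {
  t=$(date +%s%N)
  case $t in
    *[!0-9]*) echo $(( $(date +%s) * 1000 )) ;;
    *) echo $(( t / 1000000 )) ;;
  esac
}

# time_runs COUNT FUNCTION: run FUNCTION COUNT times, print elapsed milliseconds.
time_runs() {
  count=$1 fn=$2 i=0
  start=$(now_ms)
  while [ "$i" -lt "$count" ]; do "$fn"; i=$((i + 1)); done
  echo $(( $(now_ms) - start ))
}

compare() {
  for op in baseline rsa_enc rsa_dec aes_enc; do
    printf '%-9s %6s ms for %s runs\n' "$op" "$(time_runs "$1" "$op")" "$1"
  done
}
compare "${1:-100}"
```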
Task 6: Create Digital Signature
1. Sign the SHA256 hash of example.txt; save the output in example.sha256.
openssl dgst -sha256 -sign task5.key -out example.sha256 example.txt
2. Verify the digital signature in example.sha256.
openssl dgst -sha256 -verify test_pub.key -signature example.sha256 example.txt
3. Slightly modify example.txt, and verify the digital signature again.
This time we see that the verification of the file has failed. This is reasonable, as with hash functions a minor modification in the source file causes a significant change in the output, and thus the digest file is no longer valid after the modification.
The digital signature makes it possible to verify the integrity of a file or a message in a secure way. The integrity is guaranteed by the hash function and the identification of the sender is guaranteed by the signature process.