
CSCI301 Lab8

CSCI301 Contemporary Topics in Security
This material is copyrighted. It must not be
distributed without permission from
Joonsang Baek and Jongkil Kim
Lab 8
TLS Analysis & Create Certificates
[Analysis & Create Certificates]
1. Run the Ubuntu VM on VirtualBox and inspect UoW’s digital certificates.
a. Access the target website using any browser. (The default browser
installed in Ubuntu is Firefox.)
b. Click the lock icon on the left side of the address bar.
c. Select “Connection Secure >”, which shows the connection details, then
select “More information”.
d. Select the “Security” tab (it may be selected by default) and click the
“View certificate” button.
e. Check the following information from the certificates:
i. List Certificate Authorities (CAs).
ii. What cryptographic algorithm is used? What is the value of the
public key?
iii. What algorithm is used as the certificate signature algorithm?
What is the certificate signature value?
2. Root CA certificates
a. Go to the Firefox browser to check the stored root CA certificates.
b. Click the menu button in the upper-right corner. Select “Settings” →
select “Privacy & Security” in the left menu → scroll down to “Certificates”
under the “Security” section (or select the “Certificates” tab, depending on
your Firefox version) → select “View Certificates”.
c. Check whether the root certificate of UoW is there. Click the root
certificate and check its “subject” and “issuer”. (You should find that they
are the same. This type of certificate is called a “self-signed certificate”.)
d. Select “Edit Trust…” for the root certificate and disable “This
certificate can identify websites.”.
e. Restart your Firefox browser and try to connect to the UoW website again.
Check that the browser no longer trusts the site’s trust chain. (Sometimes
the site is instead verified through another root certificate, such as
“Baltimore CyberTrust Root”. In that case, distrust that root as well.)
f. Fix the connection error by resetting the root certificates in the
browser: select the [Edit Trust…] button and enable “This certificate
can identify websites.” by ticking the check box.
3. Generate a certificate using OpenSSL.
You can generate a certificate using OpenSSL, which is installed in Ubuntu by
default.
a. Prepare a directory (e.g., “SSL” in your home folder) to store the
certificate:
- cd ~
- mkdir SSL
b. Create an RSA key and check its contents:
- cd ~/SSL
- openssl genrsa -out server.key 2048
- openssl rsa -in server.key -text -noout
c. Create a Certificate Signing Request (CSR) using the key made above,
entering the information given in the textbox below at the prompts:
- openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Wollongong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UoW
Organizational Unit Name (eg, section) []:SCIT
Common Name (e.g. server FQDN or YOUR name) []: cybersecurity.uow.edu.au
Email Address []: [your uow address]
* You do not need to set the ‘extra’ attributes; just press Enter for those
entries.
d. Check the contents of the created CSR file:
- openssl req -in server.csr -text -noout
e. Compare the contents of your private key (server.key) and your
certificate signing request (server.csr).
1) Which values are contained in both?
2) What are their roles?
4. Generate a self-signed certificate (a root certificate) and sign your certificate with it:
a. Create the root CA’s key:
- cd ~/SSL
- openssl genrsa -out CA.key 2048
b. Create the root CA’s certificate using the information given in the textbox,
and check its contents:
- openssl req -new -x509 -days 365 -key CA.key -out CA.crt
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Wollongong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UoW
Organizational Unit Name (eg, section) []:SCIT
Common Name (e.g. server FQDN or YOUR name) []:CybersecurityROOT
Email Address []: root@uow.edu.au
c. Sign your certificate using the root CA’s certificate you just created:
- openssl x509 -req -days 365 -CA CA.crt -CAkey CA.key -set_serial 01 -in server.csr -out server.crt
d. Check your certificate and the root CA’s certificate using Ubuntu’s
certificate viewer. (Go to the folder in the Ubuntu GUI and click
the certificate server.crt.)
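The procedure of tasks 3 and 4 scripted end to end, as an added example that is not part of the lab handout: it passes the textbox values with -subj instead of answering the prompts, then checks that server.crt verifies against CA.crt (the command-line form of the browser trust check in task 2), that its issuer is the CA’s subject, and that key, CSR and certificate share one RSA modulus. The student e-mail address and the scratch directory are placeholders.

```shell
#!/bin/sh
# Added example, not part of the lab handout: builds the key, CSR, root CA
# and signed certificate of tasks 3 and 4 non-interactively (via -subj), then
# runs the checks that confirm the resulting chain is consistent.
set -eu

# make_chain [DIR]: build CA.key/CA.crt and server.key/server.csr/server.crt
# in DIR (default: a fresh temp dir) and print DIR. Subject fields mirror the
# lab's textboxes; the student e-mail address is a placeholder.
make_chain() {
    dir="${1:-$(mktemp -d)}"
    (
        cd "$dir"
        # Root CA key and self-signed certificate (task 4a, 4b)
        openssl genrsa -out CA.key 2048 2>/dev/null
        openssl req -new -x509 -days 365 -key CA.key -out CA.crt \
            -subj "/C=AU/ST=NSW/L=Wollongong/O=UoW/OU=SCIT/CN=CybersecurityROOT/emailAddress=root@uow.edu.au"
        # Server key and CSR (task 3b, 3c), then sign the CSR with the CA (task 4c)
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -out server.csr \
            -subj "/C=AU/ST=NSW/L=Wollongong/O=UoW/OU=SCIT/CN=cybersecurity.uow.edu.au/emailAddress=student@example.invalid"
        openssl x509 -req -days 365 -CA CA.crt -CAkey CA.key -set_serial 01 \
            -in server.csr -out server.crt 2>/dev/null
    )
    echo "$dir"
}

# verify_chain CA_CRT CERT: prints "ok" if CERT chains to CA_CRT, else "fail".
# This is the command-line form of the browser trust check in task 2.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# issuer_matches_ca DIR: "yes" if server.crt's issuer equals CA.crt's subject.
issuer_matches_ca() {
    ca_subj=$(openssl x509 -in "$1/CA.crt" -noout -subject)
    srv_iss=$(openssl x509 -in "$1/server.crt" -noout -issuer)
    [ "${ca_subj#subject=}" = "${srv_iss#issuer=}" ] && echo yes || echo no
}

# same_modulus DIR: "yes" if server.key, server.csr and server.crt all carry
# the same RSA modulus, i.e. the certificate really belongs to this key.
same_modulus() {
    k=$(openssl rsa -in "$1/server.key" -noout -modulus)
    r=$(openssl req -in "$1/server.csr" -noout -modulus)
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus)
    [ "$k" = "$r" ] && [ "$r" = "$c" ] && echo yes || echo no
}
```

Run `d=$(make_chain)` and then `verify_chain "$d/CA.crt" "$d/server.crt"`; verifying the same server.crt against a root from a second `make_chain` run prints "fail", which is what the browser reports in task 2e once the root is distrusted.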
5. Inspecting the SSL/TLS handshake using Wireshark
a. To install Wireshark on Ubuntu, run
$ sudo apt-get install wireshark
b. After installing it, run it using the following command:
$ sudo wireshark
(Don’t forget sudo.)
c. Select the enp0s3 interface to monitor.
d. Open the Firefox browser and visit www.uow.edu.au.
e. Check the handshake between the browser and the UoW website
(e.g., check the client_hello and server_hello messages and the
messages that follow them).
Warning: Sometimes it is difficult to capture all the handshake
messages from the beginning. In that case, stop Wireshark capturing,
restart the capture, and visit the https website again so that Firefox
initiates a new TLS handshake.
6. You can set up a TLS connection using the certificates generated in tasks 3
and 4. OpenSSL provides s_server and s_client for this purpose. You can
also capture the traffic in Wireshark to see the exchange of certificates
and the TLS connection.
a. Open Wireshark to capture the local traffic. Select the
“Loopback:lo” interface and start capturing.
b. Start s_server by executing the following in a new terminal:
- cd ~/SSL
- openssl s_server -key server.key -cert server.crt -CAfile CA.crt -accept 44300
c. Connect to s_server using s_client by executing:
- openssl s_client -connect localhost:44300
d. Check the TLS handshake made between s_server and s_client
in Wireshark.
e. Check the certificate information and the certificate chain in the
terminal of s_client.