Crypto Lab – Secure mail, Public-Key
Cryptography and PKI
RES431 TP1
Task 1: Obtain a personal certificate and send signed mails
1. E-mail client configuration
a) What is the difference between the protocols IMAP and IMAPS, and SMTP
and SMTPS?
IMAP is short for Internet message access protocol, and SMTP is short for Simple Mail
Transfer Protocol. The letter “S” in IMAPS and SMTPS means Secure Sockets Layer (SSL in
short), which nowadays has been renamed to Transport Layer Security (TLS in short). IMAPS
is IMAP over TLS and SMTPS is SMTP over TLS, which are secured by TLS and therefore
provide a more secure mechanism to normal email services.
2. Client certificate generation
a) Describe the procedure you’ve followed to generate your certificate.
First, browse to http://www.cacert.org/ and click “Join” on the right. Then, enter the fields of
the inscription page using our school email address and submit it. In a moment, I received the
confirming email, after clicking on the link, the account is ready for use. After logging into
the site, click “Client Certificates on the right”, then “New”, choose the email that I’ve just
entered and in the next page, click to install the certificate on my browser, then I can export it
from the setting page of the browser for future use.
b) Why do we have to download and install the certificate of the Certificate
Authority (CA) before installing our own certificate?
All certificates are certificated by other certificates and there exist some certificate as root
certificates which are publicly considered to be secure to ensure the integrity of other
certificates.
c)
Which is the precise identity of the CA? The certificate is valid from which
date to which date?
CAcert WoT User
emailAddress: botu.sun@telecom-bretagne.eu
Effect time: 2012-12-10 21:27:00 GMT
Expire time: 2013-06-08 22:27:00 GMT
d) In which field of the certificate you find your e-mail? Your public key? The
CA?
In the certificate name area.
In the public key area.
e) Why do we need to install the certificates in the MUA and the web
browser separately? Is there a system repository of certificates? Is it used
by all browsers and all MUAs?
Because they don’t share the same certificate library.
Yes, there is a system repository of certificates and it’s shared with some, but not all the
browsers and MUAs.
f) Exchange of encrypted and/or signed e-mails
Test email:
Subject: Hello
Content: Hello
Non-signed and non-encrypted
31 lines
Only Signed
90 lines
Only encrypted
44 lines
Signed and encrypted
114 lines
Task 2: Become a Certificate Authority (CA)
Task 3: Create a Certificate for PKILabServer.com
Task 4: Use PKI for Web Sites
The warning message of a invalid certificate has disappeared and the browser opened the
test site correctly with a little sign of a lock next to the address area, which means that my
browser has now taken the certificate signed for PKILabServer.com as a valid certificate. It's
because that I've imported the root certificate in the browser, and set to trust this certificate
as root and therefore all certificates signed and certificated by this certificate will be trusted.
In this case, it's PKILabServer.com.
Before import the certificate into the browser, the certificate is invalid so the browser gives
a warning message concerning security issues.
Import our own root certificate into the browser:
After the import, we reload the page and found that the content is accessible and the
certificate is located and validated.
After modify a single byte in the server.pem, we still need to restart the test server in order
to effectuate the newly modified certificate. We found that the site wouldn't open with an
error. It is because that the certificate is modified illegally and the signature doesn't match.
Also we've imported the root certificate who has certificated the server.pem, using this
address https://localhost:4433 still gives us a warning message about an untrusted
certificate. The cause may be that the certificate is only valid for the domain
PKILabServer.com, therefore if we use another domain to accede to the site (localhost in this
case), the certificate will be considered to be untrusted.
Task 5: Performance Comparison: RSA versus AES
openssl genrsa -des3 -out task5.key 1024
1. Encrypt message.txt using the public key; save the the output in message enc.txt.
openssl rsautl -encrypt -in message.txt -inkey task5.key -out
message_enc.txt
2. Decrypt message enc.txt using the private key.
openssl rsautl -decrypt -in message_enc.txt -inkey task5.key -out message_dec.txt
3. Encrypt message.txt using a 128-bit AES key.
openssl enc -aes-128-cbc <message.txt> message_enc_aes.txt
4. Compare the time spent on each of the above operations, and describe your observations.
If an operation is too fast, you may want to repeat it for many times, and then take an
average. You might want to look at the Linux command ”time” which measures the duration
of the execution of a command.
The operation are too fast to mesure and even with the command “time”, they have a
similar time.
5. Try running the tests over a significant number of repetitions, e.g. 1000 or more
executions of the command. Hint: use a script that runs the command the required number
of times, and then use the command ”time” to calculate the overall time of execution.
First, we separate the public key so we won't have to enter the password every time:
openssl rsa -in task5.key -pubout -out test_pub.key
Then we use the script to encrypt the message.txt for 1000 times.
# !/bin/sh
x=1
while [ $x -le 1000 ]
do
openssl rsautl -encrypt -in message.txt -inkey test_pub.key -pubin -out message_enc.txt
x=$(($x+1))
done
openssl enc -aes-128-cbc <message.txt> message_enc_aes.txt -k 123456789