Crypto Lab – Secure mail, Public-Key Cryptography and PKI
RES431 TP1

Task 1: Obtain a personal certificate and send signed mails

1. E-mail client configuration

a) What is the difference between the protocols IMAP and IMAPS, and SMTP and SMTPS?

IMAP is short for Internet Message Access Protocol, and SMTP is short for Simple Mail Transfer Protocol. The letter “S” in IMAPS and SMTPS means Secure Sockets Layer (SSL in short), which nowadays has been renamed to Transport Layer Security (TLS in short). IMAPS is IMAP over TLS and SMTPS is SMTP over TLS; both are secured by TLS and therefore provide a more secure mechanism than the normal email services.

2. Client certificate generation

a) Describe the procedure you’ve followed to generate your certificate.

First, browse to http://www.cacert.org/ and click “Join” on the right. Then, fill in the fields of the registration page using our school email address and submit it. In a moment, I received the confirmation email; after clicking on the link, the account is ready for use. After logging into the site, click “Client Certificates” on the right, then “New”, choose the email that I’ve just entered and, on the next page, click to install the certificate in my browser. Then I can export it from the settings page of the browser for future use.

b) Why do we have to download and install the certificate of the Certificate Authority (CA) before installing our own certificate?

All certificates are certified by other certificates, and some certificates, the root certificates, are publicly considered to be secure and ensure the integrity of the other certificates.

c) Which is the precise identity of the CA? The certificate is valid from which date to which date?

CAcert WoT User
emailAddress: botu.sun@telecom-bretagne.eu
Effect time: 2012-12-10 21:27:00 GMT
Expire time: 2013-06-08 22:27:00 GMT

d) In which field of the certificate do you find your e-mail? Your public key? The CA?

In the certificate name area.
In the public key area.

e) Why do we need to install the certificates in the MUA and the web browser separately? Is there a system repository of certificates? Is it used by all browsers and all MUAs?

Because they don’t share the same certificate library. Yes, there is a system repository of certificates, and it is shared with some, but not all, of the browsers and MUAs.

f) Exchange of encrypted and/or signed e-mails

Test email: Subject: Hello, Content: Hello

    Non-signed and non-encrypted    31 lines
    Only signed                     90 lines
    Only encrypted                  44 lines
    Signed and encrypted           114 lines

Task 2: Become a Certificate Authority (CA)

Task 3: Create a Certificate for PKILabServer.com

Task 4: Use PKI for Web Sites

The warning message about an invalid certificate has disappeared and the browser opened the test site correctly, with a little lock sign next to the address area, which means that my browser now accepts the certificate signed for PKILabServer.com as a valid certificate. This is because I've imported the root certificate into the browser and set it to be trusted as a root, so all certificates signed and certified by this certificate will be trusted. In this case, that is the certificate of PKILabServer.com.

Before importing the certificate into the browser, the certificate is invalid, so the browser gives a warning message concerning security issues.

Import our own root certificate into the browser:

After the import, we reloaded the page and found that the content is accessible and the certificate is located and validated.

After modifying a single byte in server.pem, we still need to restart the test server for the newly modified certificate to take effect. We found that the site wouldn't open and gave an error. This is because the certificate has been modified illegally and the signature doesn't match.

Although we've imported the root certificate that certified server.pem, using the address https://localhost:4433 still gives us a warning message about an untrusted certificate.
The cause may be that the certificate is only valid for the domain PKILabServer.com; therefore, if we use another domain to access the site (localhost in this case), the certificate will be considered untrusted.

Task 5: Performance Comparison: RSA versus AES

    openssl genrsa -des3 -out task5.key 1024

1. Encrypt message.txt using the public key; save the output in message_enc.txt.

    openssl rsautl -encrypt -in message.txt -inkey task5.key -out message_enc.txt

2. Decrypt message_enc.txt using the private key.

    openssl rsautl -decrypt -in message_enc.txt -inkey task5.key -out message_dec.txt

3. Encrypt message.txt using a 128-bit AES key.

    openssl enc -aes-128-cbc < message.txt > message_enc_aes.txt

4. Compare the time spent on each of the above operations, and describe your observations. If an operation is too fast, you may want to repeat it many times and then take an average. You might want to look at the Linux command “time”, which measures the duration of the execution of a command.

The operations are too fast to measure, and even with the command “time” they take a similar time.

5. Try running the tests over a significant number of repetitions, e.g. 1000 or more executions of the command. Hint: use a script that runs the command the required number of times, and then use the command “time” to calculate the overall time of execution.

First, we separate out the public key so we won't have to enter the password every time:

    openssl rsa -in task5.key -pubout -out test_pub.key

Then we use the script to encrypt message.txt 1000 times.

    #!/bin/sh
    # Encrypt message.txt with the RSA public key 1000 times.
    x=1
    while [ $x -le 1000 ]
    do
        openssl rsautl -encrypt -in message.txt -inkey test_pub.key -pubin -out message_enc.txt
        x=$(($x+1))
    done

    openssl enc -aes-128-cbc < message.txt > message_enc_aes.txt -k 123456789
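
The two Task 4 failures (the modified server.pem and the warning for https://localhost:4433) can be told apart on the command line, shown here as an added example that is not part of the original report. The CA name "Demo Root CA", the file names, the 2048-bit keys and the subjectAltName entry are assumptions of this sketch; it relies on the default openssl.cnf marking the self-signed root as a CA.

```sh
#!/bin/sh
# Added example: file names, "Demo Root CA" and 2048-bit keys are assumptions.
WORK=$(mktemp -d)    # scratch directory; remove it when done

make_pki() {
    # Self-signed root CA, then a server certificate for PKILabServer.com signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=PKILabServer.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:PKILabServer.com\n' > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

flip_last_byte() {   # $1 = PEM certificate in, $2 = PEM certificate out
    # Work on the DER form so the change lands in the signature, not in the PEM armour.
    openssl x509 -in "$1" -outform DER -out "$WORK/orig.der"
    size=$(wc -c < "$WORK/orig.der")
    last=$(tail -c 1 "$WORK/orig.der" | od -An -tu1 | tr -d ' \n')
    head -c $((size - 1)) "$WORK/orig.der" > "$WORK/bad.der"
    printf '%b' "\\0$(printf '%03o' $((last ^ 1)))" >> "$WORK/bad.der"
    openssl x509 -inform DER -in "$WORK/bad.der" -out "$2"
}

check_cert() {       # $1 = certificate, $2 = host name typed into the browser
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 \
        || { echo bad-chain; return 0; }     # signature or issuer check failed
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1 \
        || { echo wrong-host; return 0; }    # chain is valid, but not for this name
    echo trusted
}

make_pki
flip_last_byte "$WORK/server.crt" "$WORK/tampered.crt"
echo "PKILabServer.com, original: $(check_cert "$WORK/server.crt" PKILabServer.com)"
echo "localhost, original:        $(check_cert "$WORK/server.crt" localhost)"
echo "PKILabServer.com, tampered: $(check_cert "$WORK/tampered.crt" PKILabServer.com)"
```

The first check fails only for the tampered file and the second only for the wrong name, which matches the two different browser errors seen in the lab.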