Computer Network Security Lab #2 1 IT@KMUTNB Lab #2 Encryption with OpenSSL 1. The Goal of the Laboratory The main objectives of this laboratory are: 1.1 To experiment with various symmetric investigate the differences encryption techniques 1.2 To among symmetric encryption techniques 2. Symmetric Ciphers Symmetric key algorithms use the same key to encrypt and decrypt data. OpenSSL supports several symmetric key algorithms, some of which you have already studied in class. List 1 stream cipher and 3 block ciphers that you studied in the lecture. Cipher Stream or Block 1. 2. 3. 4. 3. openssl enc Dr.Sirapat Boonkrong Computer Network Security Lab #2 2 IT@KMUTNB The OpenSSL enc command allows you to encrypt and decrypt your data with several symmetric encryption algorithms. To view the available algorithms, execute the command: openssl list-cipher-commands. When issuing the enc command, the syntax of should be as follows: openssl enc [-encryption algorithm] [-e] [-d] [-K key] [-iv vector] [-in file_input] [-out file_output] [-nopad] where: -encryption algorithm, indicates the symmetric encryption algorithm to use to encrypt and/or decrypt (e.g. -aes128, aes-cbc-256, -rc4); -e indicates that the operation to be performed is encryption; -d indicates that the operation to be performed is decryption; -K key, indicates the key to use for the symmetric cryptographic operations; -iv vector, -in indicates the initialization vector to use; file input indicates the file containing the data to be encrypted or decrypted; -out file output indicates the file where to save the result of an encryption or decryption operation; Dr.Sirapat Boonkrong Computer Network Security Lab #2 3 IT@KMUTNB -nopad, indicates that the padding must not be applied (ATTENTION: if you use this option with a symmetric block algorithm, the length of the data to be encrypted must be necessarily a multiple of the length of the algorithm block); -p, is used to print on the standard output the key and the initialization vector. 4. Symmetric Encryption Exercise In this exercise, you’ll use the OpenSSL command named enc to encrypt a block of data. Create a text file named ptext containing the message you want to encrypt, like for example the message: “This message is my great secret!”. After creating ptext, check that its size is exactly 32 bytes. Even though it is not absolutely necessary that the length of the message to encrypt is exactly 32 bytes, it will be required in one of the following exercises. 4.1 AES-128 in CBC mode The data contained in the file ptext can be encrypted using the AES algorithm with the following command, where the key and the IV will be generated by OpenSSL from a password that you provide. The encrypted text will be saved in the file ctext. Execute the following command: openssl enc -e -in ptext -out ctext -aes-128-cbc -nosalt –p Dr.Sirapat Boonkrong Computer Network Security Lab #2 4 IT@KMUTNB 4.1.1 What do you see after executing the above command? 4.1.2 What does ctext look like? 4.2 AES-128 in ECB mode 4.2.1 What command would you execute if you would like to encrypt ptext to get ctext using AES-128 in ECB mode? 4.2.2 What do you see after executing the command in 4.2.1? Dr.Sirapat Boonkrong Computer Network Security Lab #2 5 IT@KMUTNB 4.2.3 What does ctext look like? 4.2.4 Are there any differences from your answers in 4.1.2 and 4.2.3? If so, what are the differences? Why are they different? 4.3 DES and 3DES 4.3.1 Find out the commands used for encrypting the same data (ptext) with DES and 3DES. (For 3DES, you may Dr.Sirapat Boonkrong Computer Network Security Lab #2 6 IT@KMUTNB have to think a little bit, because they commands are a tricky , but it is not difficult.) 4.3.2 What do you see after executing the commands in 4.3.1? 4.3.3 What does ctext look like after DES and 3DES encryption? 4.4 RC4 Dr.Sirapat Boonkrong Computer Network Security Lab #2 7 IT@KMUTNB 4.4.1 What command would you execute if you would like to encrypt your ptext with the RC4 algorithm? (Hint: OpenSSL has several RC4 commands with different key length 4.4.2 What do you see after executing the commands in 4.4.1? 4.3.3 What does ctext look like after the RC4 encryption? 5. The Differences among AES, DES, 3DES and RC4 Dr.Sirapat Boonkrong Computer Network Security Lab #2 8 IT@KMUTNB 5.1 Do you notice anything different when encrypting ptext with AES, DES, 3DES and RC4? Explain your answer. (Hint: Your answer could include the differences in the commands and the outputs. You should also explain why they are different.) 6. openssl speed The OpenSSL command speed can be used to measure the performance of the various algorithms implemented by OpenSSL. To measure the performance of a specific algorithm you can use the following command: openssl speed algorithm_name 7. openssl rand Dr.Sirapat Boonkrong Computer Network Security Lab #2 9 IT@KMUTNB The OpenSSL rand command is used to generate a pseudo- random string of size nbyte and save its value in the file file_name: openssl rand -out file_name nbyte 8. Performance of Symmetric Encryption Algorithms In this exercise, you will evaluate both the time required to perform the cryptographic operations and the additional data overhead. 8.1 Create files of different sizes (e.g. 100 B, 10 kB, 1 MB, 100 MB); for this purpose, you can use the following command: openssl rand -out r.txt size_in_bytes Now fill in the Table 1 with the results obtained when encrypting the files with different algorithms and with different key lengths. To evaluate the time required by the encryption operations, use the time command: time the_openssl_encryption_command Table 1: Time Taken to Encrypt the Data 100B 10kB 1MB 100MB DES-ECB DES-CBC 3DES-ECB 3DES-CBC AES-128- Dr.Sirapat Boonkrong Computer Network Security Lab #2 10 IT@KMUTNB ECB AES-128CBC AES-256ECB AES-256CBC 128 Bit RC4 64 Bit RC4 40 Bit RC4 Analyse the values in Table 1. You should at least attempt to explain why you think the values you have obtained are different. Dr.Sirapat Boonkrong Computer Network Security Lab #2 11 IT@KMUTNB 8.2 Will the time required for decryption (using the same algorithms) be significantly different? Try out! Table 2: Time Taken to Decrypt the Data 100B 10kB 1MB 100MB DES-ECB DES-CBC 3DES-ECB 3DES-CBC AES-128ECB AES-128CBC AES-256ECB AES-256CBC 128 Bit RC4 64 Bit RC4 40 Bit RC4 Dr.Sirapat Boonkrong Computer Network Security Lab #2 12 IT@KMUTNB 8.3 OpenSSL contains a performance of Execute the speed the speed command used to check the supported cryptographic algorithms. command for all the algorithms you ran in Table 1. Show your outputs. Which is the difference between using using speed time and the one command to calculate the performance of an algorithm? Which one (time vs. speed) do you think is better to Dr.Sirapat Boonkrong Computer Network Security Lab #2 13 IT@KMUTNB be used to measure the performance of a cryptographic algorithm? Why? At the end of the lab, you should be familiar with encryption commands in OpenSSL. You should also have seen the differences among the algorithms you have learned in the lecture. I hope that you have enjoyed this laboratory exercise. See you next time. Dr.Sirapat Boonkrong