Ubuntu 20 virtual machine Sample
This lab uses the Ubuntu 20 virtual machine (VM).
It is available in the CSE repository: http://www.cse.unt.edu/downloads/vm/
with the standard credentials:
user: vmdownload
password: “d0wnloadVMf1les!” (bold are numbers).
Use the Ubuntu 20 VM with the following credentials:
username: sec-lab
password: untccdc
-
Section 1: Symmetric Encryption using OpenSSL
The learning objective of this lab is for students to get familiar with the concepts in the secret key encryption. After finishing the lab, students should be able to gain a first-hand experience on encryption algorithms and their modes of operation. We will study tools and libraries for providing data confidentiality.
OpenSSL (https://www.openssl.org/) is toolkit for the Transport Layer Security (TLS) protocol, and also a general-purpose cryptographic library. Its latest full-featured version OpenSSL 1.1.1 is installed on the VM.
Encryption and decryption is performed using “openssl enc” and “openssl dec” commands, respectively. You may type “man openssl” to learn more.
- In your home directory, create a text file txt and write a sentence “This is my secret message” into it (make sure to close the file). To confirm, type:
cat plaintext.txt
Q1: Attach a screenshot of the result.
- Let us now encrypt this file using a password. Type:
openssl enc -aes-256-ctr -pass pass:euid -pbkdf2 -in plaintext.txt -out ciphertext.bin
The first option requests to use the AES-256 cipher in the counter (CTR) mode. The second option defined a password to be used for encryption, and the next option requests to use the PBKDF2 algorithm for generating a key from the password.
In this exercise, for simplicity, use your EUID as a password (for example, if your EUID is “aa0001”, then the respective option will be written as “-pass pass:aa0001”). Note that in practice, such a password should never be used as it is very weak (i.e., too short and too easy to guess). The remaining options define the filenames for input (the plaintext) and output (the ciphertext).
Note: If the “-pass” option was not used, then utility would request the password to be entered manually (two times – the second one for confirmation).
- Display the contents of the ciphertext file:
hexdump -C ciphertext.bin
Q2: Attach a screenshot of the result.
- For decryption:
openssl enc -aes-256-ctr -pass pass:euid -pbkdf2 -d -in ciphertext.bin -out plaintext_dec.txt
Note: If the “-pass” option was not used, then utility would request the password to be entered manually.
- To confirm, type:
cat plaintext_dec.txt
Note that the original messages have been decrypted.
Q3: Attach a screenshot of the result.
- It is possible to encode the ciphertext using Base 64, in order to have it in the text format:
openssl enc -aes-256-ctr -a -pass pass:euid -pbkdf2 -in plaintext.txt -out ciphertext.txt
- Type:
cat ciphertext.txt
- Verify that decryption works correctly:
openssl enc -aes-256-ctr -d -a -pass pass:euid -pbkdf2 -in ciphertext.txt -out
Note: If the option “-out” is omitted, the standard output is used.
Q4: Attach a screenshot of the result.
- Run the encryption again with the same password, but write the output into txt:
openssl enc -aes-256-ctr -a -pass pass:euid -pbkdf2 -in plaintext.txt -out ciphertext2.txt
- Note that the decryption works correctly again:
openssl enc -aes-256-ctr -d -a -pass pass:euid -pbkdf2 -in ciphertext2.txt
- Now, note that the ciphertexts are different. To verify, type:
cmp ciphertext.txt ciphertext2.txt
cat ciphertext.txt ciphertext2.txt
Q5: Explain why the ciphertexts in ciphertext.txt and ciphertext2.txt are different, even though the same password was used for encryption.
Hint: Run decryption of both files again, no adding the “-p” option.
- Section 2: Public Key Encryption and Digital Signatures Using OpenSSL
Let us focus on the RSA algorithm in this section.
- First, let us generate an RSA private key (effectively, we will generate the public/private key pair). Type:
openssl genrsa -out euid.key 3072
As usual, replace “euid” with your actual EUID.
This command generates the RSA private key and outputs it to the file euid.key.
The key is stored in the PEM format. Display it:
cat euid.key
- Next, we extract and display the public key:
openssl rsa -in euid.key -pubout -out euid_pk.key
cat euid_pk.key
Q6: Attach a screenshot of the result.3
- For encrypting the txt, type:
openssl rsautl -encrypt -pubin -inkey euid_pk.key -in plaintext.txt -out rsa_ciphertext.bin
- For decryption, type:
openssl rsautl -decrypt -inkey euid.key -in rsa_ciphertext.bin -out rsa_plaintext_dec.txt
cat rsa_plaintext_dec.txt
Q7: Attach a screenshot of the result.
Note: The above method is suitable for encryption of short messages (up to about 1 kilobyte),
for longer messages a hybrid encryption (KEM/DEM) should be used.
- To digitally sign the file txt, type:
openssl dgst -sign euid.key -out sig.bin plaintext.txt
Note: As of the current version 1.1.1, OpenSSL signs messages directly when using the rsautl or pkeyutl commands. For this reason, it is simpler to deploy the dgst command, in order to hash and sign the message with one command.
Display the signature:
hexdump sig.bin
- To verify the signature:
openssl dgst -verify euid_pk.key -signature sig.bin plaintext.txt
Q7: Attach a screenshot of the result.
- Any changes in the message will invalidate the signature.
Let us replace the last letter in our message:
echo “This is my secret messagd” > plaintext.txt
cat plaintext.txt
- Now, verification will fail:
openssl dgst -verify euid_pk.key -signature sig.bin plaintext.txt
Q8: Attach a screenshot of the result.
- Section 3: Public Key Certificates Using OpenSSL
Let us now study handling of X.509 public key certificates using OpenSSL.
Suppose that we would like to create a certificate signing request (CSR) to the Certificate Authority for the RSA key that we generated earlier. The following command can be used (do not type it yet):
openssl req -key euid.key -new -out euid_domain.csr
Then, the utility will request some additional information, which is called a Distinguished Name (DN). An important field in the DN is the Common Name (CN) —it should be the exact domain name of the host for which the certificate will be used. Below is an example of the prompt:
Country Name (2 letter code): The two-letter country code where your company/organization is legally located. Example: US
State or Province Name (full name): Example: Texas
Locality Name (e.g., city): Example: Denton
Organization Name (e.g., company): University of North Texas
Organizational Unit Name (e.g., section): Department of Computer Science and Engineering (this field is optional)
Common Name (e.g. server FQDN): Fully Qualified Domain Name; Example: www.unt.edu
Email Address: Example: webmaster@unt.edu (this field is optional)
It is possible to enter all of the above information from the command line as described below.
- Type:
openssl req -key euid.key -new -out euid_domain.csr \
-subj “/C=US/ST=Texas/L=Denton/O=UNT/OU=CSE/CN=www.euid.edu”
- Let us verify the result:
openssl req -text -in euid_domain.csr -noout -verify
Q9: Attach a screenshot of the result.
Note: The CSR file “euid_domain.csr” will need to be sent to CA that will check the user information. If the check is successful, CA will issue the certificate file. We will omit this step in this lab. Instead, we will obtain and verify the certificate of the Google webserver. For that, we will use the s_client program (of the OpenSSL suite) which implements a generic SSL/TLS client.
- Type:
openssl s_client -connect google.com:443 </dev/null
Note: The redirection from the null device immediately closes the s_client program, as in general it expects commands to establish the TLS connection.
- In order to display the whole certificate chain, type:
openssl s_client -connect google.com:443 -showcerts </dev/null
- Since the output of the previous command takes several screens to be display, making a picture of the last screen may not be very informative. The “more” command will be helpful in this case. Type:
openssl s_client -connect google.com:443 -showcerts </dev/null | more
Note: Scrolling is done by pressing “Space” to advance the whole screen down, or “Enter” to advance one line.
Q10: Attach two screenshots: The first and the last screen displayed as a result of the above command.
- Section 4: SSH Authentication Using Public Keys
OpenSSH can use public key cryptography for authentication. We will use a freshly generated RSA key pair. Note that if you already have a generated key, you may use the ssh-keygen command with “-i” option and then specify the key file name.
Important note: In this lab, we will use the earlier generated key pair, only to demonstrate the conversion of key formats.
- Type:
ssh-keygen -t rsa
Note: You will see the following prompts—you may just press “Enter” for all of them—and the following messages will be displayed:
Enter file in which to save the key (/home/sec-lab/.ssh/id_rsa):
ke passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sec-lab/.ssh/id_rsa
Your public key has been saved in /home/sec-lab/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:lsfwRd7HQmfPZ+rjQOGjLkyr+M67/xImKZRtVD31T9s sec-lab@vm1
(Note: The above value and the below randomart image will be different each time for each student. The “randomart” image is a visualization of the SHA256 hash value to make it easier to compare.)
The key’s randomart image is:
+—[RSA 3072]—-+
| … .o . o|
| . oo + =.|
| + . .+ + O|
| o o = o . B+|
| . . .S + + ..E|
| . o.+. o o |
| . = o. . o |
| o =. o . |
| .oB=.+o . |
+—-[SHA256]—–+
Q11: Attach a screenshot of the result.
Let us verify the result:
ls ~/.ssh/
You may expect to see two files: id_rsa and id_rsa.pub, which should contain the private and public keys, respectively.
- Let us try to establish an SSH connection (for simplicity, we will connect to our own host):
ssh localhost
The SSH server will request a password. Press “Control+Z” to escape. Suppose that we want to allow trusted users to access our host without entering a password. Such a user needs to possess a private key corresponding to the public key communicated to the server in a trusted manner. Such the public key are called “authorized keys”.
- Designate your public key as the OpenSSH authorized key as follows:
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
- This should allow us to establish an SSH connection (to our own host) without the use of passwords:
ssh localhost (if the prompt about adding to the known hosts appears, then accept it)
(If successful, a welcome message will be displayed.)
Close the SSH connection:
exit
Q12: Attach a screenshot of the result.
- OpenSSL version 1.1.1 manual: https://www.openssl.org/docs/man1.1.1/
- OpenSSL Cookbook, 3ed online: https://www.feistyduck.com/library/openssl-cookbook/online/
- OpenSSL Quick Reference Guide:
https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
- Anicas: OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs: https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
- Wikibook on OpenSSH/Cookbook/Public Key Authentication: https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication
We offer other articles in computer related articles like network security.