This lab uses the Ubuntu 20 virtual machine (VM).
It is available in the CSE repository: http://www.cse.unt.edu/downloads/vm/
with the standard credentials:
user: vmdownload
password: “d0wnloadVMf1les!” (bold are numbers).
Use the Ubuntu 20 VM with the following credentials:
username: sec-lab
password: untccdc
The learning objective of this lab is for students to become familiar with the concepts of secret-key encryption. After finishing the lab, students should have first-hand experience with encryption algorithms and their modes of operation. We will study tools and libraries for providing data confidentiality.
OpenSSL (https://www.openssl.org/) is a toolkit for the Transport Layer Security (TLS) protocol, and also a general-purpose cryptographic library. Its latest full-featured version, OpenSSL 1.1.1, is installed on the VM.
Encryption and decryption are both performed using the “openssl enc” command; decryption is selected with the “-d” option. You may type “man openssl” to learn more.
cat plaintext.txt
openssl enc -aes-256-ctr -pass pass:euid -pbkdf2 -in plaintext.txt -out ciphertext.bin
The first option requests the AES-256 cipher in counter (CTR) mode. The second option defines the password to be used for encryption, and the next option requests the PBKDF2 algorithm for deriving a key from the password.
In this exercise, for simplicity, use your EUID as a password (for example, if your EUID is “aa0001”, then the respective option will be written as “-pass pass:aa0001”). Note that in practice, such a password should never be used as it is very weak (i.e., too short and too easy to guess). The remaining options define the filenames for input (the plaintext) and output (the ciphertext).
Note: If the “-pass” option were not used, the utility would request the password to be entered manually (two times – the second one for confirmation).
hexdump -C ciphertext.bin
openssl enc -aes-256-ctr -pass pass:euid -pbkdf2 -d -in ciphertext.bin -out plaintext_dec.txt
Note: If the “-pass” option were not used, the utility would request the password to be entered manually.
cat plaintext_dec.txt
Note that the original messages have been decrypted.
openssl enc -aes-256-ctr -a -pass pass:euid -pbkdf2 -in plaintext.txt -out ciphertext.txt
cat ciphertext.txt
openssl enc -aes-256-ctr -d -a -pass pass:euid -pbkdf2 -in ciphertext.txt -out
Note: If the option “-out” is omitted, the standard output is used.
openssl enc -aes-256-ctr -a -pass pass:euid -pbkdf2 -in plaintext.txt -out ciphertext2.txt
openssl enc -aes-256-ctr -d -a -pass pass:euid -pbkdf2 -in ciphertext2.txt
cmp ciphertext.txt ciphertext2.txt
cat ciphertext.txt ciphertext2.txt
Hint: Run decryption of both files again, now adding the “-p” option.
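The following added example (not part of the original lab) parses the header that “openssl enc” writes in password mode and repeats the key derivation whose result the “-p” option prints, so the role of the random salt in the two ciphertexts can be seen. It assumes the OpenSSL 1.1.1 defaults for “-pbkdf2” (10000 iterations, SHA-256); the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib

MAGIC = b"Salted__"          # 8-byte marker written by "openssl enc" in password mode
SALT_LEN = 8
KEY_LEN, IV_LEN = 32, 16     # AES-256 key and 128-bit initial counter block
ITERATIONS = 10000           # assumption: OpenSSL 1.1.1 default when -iter is not given


def parse_enc_file(data: bytes, base64_encoded: bool = False):
    """Split "openssl enc" output into (salt, ciphertext body)."""
    if base64_encoded:                       # files written with the -a option
        data = base64.b64decode(data)        # newlines in the file are ignored
    if len(data) < len(MAGIC) + SALT_LEN or not data.startswith(MAGIC):
        raise ValueError("no Salted__ header: not password-based enc output")
    salt = data[len(MAGIC):len(MAGIC) + SALT_LEN]
    return salt, data[len(MAGIC) + SALT_LEN:]


def derive_key_iv(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 over password and salt; the key comes first, then the IV."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   ITERATIONS, KEY_LEN + IV_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def explain(data: bytes, password: str, base64_encoded: bool = False):
    """Report salt, derived key and IV, and body length for one file."""
    salt, body = parse_enc_file(data, base64_encoded)
    key, iv = derive_key_iv(password, salt)
    return {"salt": salt.hex(), "key": key.hex(), "iv": iv.hex(),
            "body_len": len(body)}


if __name__ == "__main__":
    # Constructed samples: same password, same-length body, two different salts.
    file1 = MAGIC + bytes.fromhex("0011223344556677") + b"\xaa" * 5
    file2 = base64.b64encode(MAGIC + bytes.fromhex("8899aabbccddeeff") + b"\xbb" * 5)
    for name, blob, b64 in (("file1", file1, False), ("file2", file2, True)):
        print(name, explain(blob, "aa0001", b64))
```

In CTR mode the body length equals the plaintext length, so every ciphertext file is exactly 16 bytes longer than its plaintext before Base64 encoding.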
Let us focus on the RSA algorithm in this section.
openssl genrsa -out euid.key 3072
As usual, replace “euid” with your actual EUID.
This command generates the RSA private key and outputs it to the file euid.key.
The key is stored in the PEM format. Display it:
cat euid.key
openssl rsa -in euid.key -pubout -out euid_pk.key
cat euid_pk.key
openssl rsautl -encrypt -pubin -inkey euid_pk.key -in plaintext.txt -out rsa_ciphertext.bin
openssl rsautl -decrypt -inkey euid.key -in rsa_ciphertext.bin -out rsa_plaintext_dec.txt
cat rsa_plaintext_dec.txt
Note: The above method is suitable for encryption of short messages (up to about 1 kilobyte); for longer messages, hybrid encryption (KEM/DEM) should be used.
openssl dgst -sign euid.key -out sig.bin plaintext.txt
Note: As of the current version 1.1.1, OpenSSL signs messages directly when using the rsautl or pkeyutl commands. For this reason, it is simpler to deploy the dgst command, in order to hash and sign the message with one command.
Display the signature:
hexdump sig.bin
openssl dgst -verify euid_pk.key -signature sig.bin plaintext.txt
echo "This is my secret messagd" > plaintext.txt
cat plaintext.txt
openssl dgst -verify euid_pk.key -signature sig.bin plaintext.txt
Let us now study handling of X.509 public key certificates using OpenSSL.
Suppose that we would like to create a certificate signing request (CSR) to the Certificate Authority for the RSA key that we generated earlier. The following command can be used (do not type it yet):
openssl req -key euid.key -new -out euid_domain.csr
Then, the utility will request some additional information, which is called a Distinguished Name (DN). An important field in the DN is the Common Name (CN): it should be the exact domain name of the host for which the certificate will be used. Below is an example of the prompt:
Country Name (2 letter code): The two-letter country code where your company/organization is legally located. Example: US
State or Province Name (full name): Example: Texas
Locality Name (e.g., city): Example: Denton
Organization Name (e.g., company): University of North Texas
Organizational Unit Name (e.g., section): Department of Computer Science and Engineering (this field is optional)
Common Name (e.g. server FQDN): Fully Qualified Domain Name; Example: www.unt.edu
Email Address: Example: webmaster@unt.edu (this field is optional)
It is possible to enter all of the above information from the command line as described below.
openssl req -key euid.key -new -out euid_domain.csr \
-subj "/C=US/ST=Texas/L=Denton/O=UNT/OU=CSE/CN=www.euid.edu"
openssl req -text -in euid_domain.csr -noout -verify
Note: The CSR file “euid_domain.csr” will need to be sent to the CA, which will check the user information. If the check is successful, the CA will issue the certificate file. We will omit this step in this lab. Instead, we will obtain and verify the certificate of the Google webserver. For that, we will use the s_client program (of the OpenSSL suite), which implements a generic SSL/TLS client.
openssl s_client -connect google.com:443 </dev/null
Note: The redirection from the null device immediately closes the s_client program, as in general it expects commands to establish the TLS connection.
openssl s_client -connect google.com:443 -showcerts </dev/null
openssl s_client -connect google.com:443 -showcerts </dev/null | more
Note: Scrolling is done by pressing “Space” to advance the whole screen down, or “Enter” to advance one line.
OpenSSH can use public key cryptography for authentication. We will use a freshly generated RSA key pair. Note that if you already have a generated key, you may use the ssh-keygen command with the “-i” option and then specify the key file name.
Important note: In this lab, we will use the earlier generated key pair, only to demonstrate the conversion of key formats.
ssh-keygen -t rsa
Note: You will see the following prompts—you may just press “Enter” for all of them—and the following messages will be displayed:
Enter file in which to save the key (/home/sec-lab/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sec-lab/.ssh/id_rsa
Your public key has been saved in /home/sec-lab/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:lsfwRd7HQmfPZ+rjQOGjLkyr+M67/xImKZRtVD31T9s sec-lab@vm1
(Note: The above value and the below randomart image will be different each time for each student. The “randomart” image is a visualization of the SHA256 hash value to make it easier to compare.)
The key’s randomart image is:
+---[RSA 3072]----+
| ... .o . o|
| . oo + =.|
| + . .+ + O|
| o o = o . B+|
| . . .S + + ..E|
| . o.+. o o |
| . = o. . o |
| o =. o . |
| .oB=.+o . |
+----[SHA256]-----+
Let us verify the result:
ls ~/.ssh/
You may expect to see two files: id_rsa and id_rsa.pub, which should contain the private and public keys, respectively.
ssh localhost
The SSH server will request a password. Press “Control+Z” to escape. Suppose that we want to allow trusted users to access our host without entering a password. Such a user needs to possess a private key corresponding to a public key communicated to the server in a trusted manner. Such public keys are called “authorized keys”.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
ssh localhost (if the prompt about adding to the known hosts appears, then accept it)
(If successful, a welcome message will be displayed.)
Close the SSH connection:
exit
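After the authorized_keys step above, a check of the ~/.ssh directory is useful: sshd with StrictModes (the default) ignores authorized_keys if the directory or file is writable by group or others, and the ssh client refuses private keys that others can access. The following is an added example, not part of the original lab; the function names and finding strings are illustrative.

```python
import os
import stat


def mode_of(path: str) -> int:
    """Permission bits of a file or directory."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_ssh_dir(ssh_dir: str) -> list:
    """Return findings for an OpenSSH user directory such as ~/.ssh."""
    findings = []
    # StrictModes: directory and authorized_keys must not be group/world-writable.
    if mode_of(ssh_dir) & 0o022:
        findings.append(".ssh: writable by group/others")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            has_private = b"PRIVATE KEY-----" in fh.read()
        if name == "authorized_keys":
            if mode_of(path) & 0o022:
                findings.append("authorized_keys: writable by group/others")
            if has_private:
                # Catches copying id_rsa instead of id_rsa.pub by mistake.
                findings.append("authorized_keys: contains a private key")
        elif has_private and mode_of(path) & 0o077:
            # The ssh client rejects private keys accessible to other users.
            findings.append(f"{name}: private key accessible by group/others")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_dir(os.path.expanduser("~/.ssh")):
        print(finding)
```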