This lab uses the Ubuntu 20 virtual machine (VM). It is available in the CSE repository: http://www.cse.unt.edu/downloads/vm/ with the standard credentials:
user: vmdownload
password: “d0wnloadVMf1les!” (the 0 and 1 are digits, not letters).
Use the Ubuntu 20 VM with the following credentials:
username: sec-lab
password: untccdc
Section 1: Symmetric Encryption using OpenSSL
The learning objective of this lab is for students to get familiar with the concepts of secret key encryption. After finishing the lab, students should be able to gain a first-hand experience on encryption algorithms and their modes of operation. We will study tools and libraries to ensure data confidentiality.
OpenSSL (https://www.openssl.org/) is a toolkit for the Transport Layer Security (TLS) protocol and a general-purpose cryptographic library. Its latest full-featured version, OpenSSL 1.1.1, is installed on the VM.
Encryption and decryption are performed using the “openssl enc” command (with the “-d” option for decryption). You may type “man openssl” to learn more.
In your home directory, create a text file plaintext.txt and write the sentence “This is my secret message” into it (make sure to close the file). To confirm, type:
cat plaintext.txt
Q1: Attach a screenshot of the result.
Let us now encrypt this file using a password. Type:
The first option requests the AES-256 cipher in counter (CTR) mode. The second option defines the password to be used for encryption, and the next option requests the PBKDF2 algorithm for deriving a key from the password.
In this exercise, for simplicity, use your EUID as the password (for example, if your EUID is “aa0001”, then the respective option will be written as “-pass pass:aa0001”). Note that in practice, such a password should never be used, as it is very weak (i.e., too short and too easy to guess). The remaining options define the filenames for input (the plaintext) and output (the ciphertext).
Note: If the “-pass” option is not used, the utility will prompt for the password to be entered manually (twice; the second time for confirmation).
Note: The above method is suitable for encrypting short messages (up to about 1 kilobyte); for longer messages, hybrid encryption (KEM/DEM) should be used.
Note: As of the current version 1.1.1, the rsautl and pkeyutl commands sign their input directly, without hashing it first. For this reason, it is simpler to use the dgst command, which hashes and signs the message in one step.
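The following script is an added example (not part of the lab handout) that runs the encryption described above non-interactively and checks three properties a practitioner should know about this scheme: the round trip restores the plaintext, two encryptions of the same file differ (openssl picks a fresh random salt for PBKDF2 each run), and decrypting with the wrong password does not fail, because CTR mode has no padding and no integrity check, so openssl silently emits garbage. It assumes the openssl command-line tool (1.1.1 or newer, which supports -pbkdf2) is on the PATH; the sample message, file names and the weak lab-style password are constructed here.

```sh
#!/bin/sh
# Added example: round-trip a file through "openssl enc -aes-256-ctr -pbkdf2"
# and check what the scheme does and does not guarantee.
# Assumes the openssl CLI (1.1.1+, for -pbkdf2) is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input and a deliberately weak, lab-style password.
printf 'This is my secret message\n' > "$WORK/plaintext.txt"
PASSWORD="aa0001"

# Encrypt: AES-256 in CTR mode, key and IV derived from the password with PBKDF2.
encrypt() {  # $1 = plaintext path, $2 = ciphertext path, $3 = password
  openssl enc -aes-256-ctr -pbkdf2 -pass "pass:$3" -in "$1" -out "$2"
}

# Decrypt: the same command with -d.
decrypt() {  # $1 = ciphertext path, $2 = output path, $3 = password
  openssl enc -d -aes-256-ctr -pbkdf2 -pass "pass:$3" -in "$1" -out "$2"
}

# Prints "ok" when encrypt -> decrypt restores the original bytes.
roundtrip_check() {
  encrypt "$WORK/plaintext.txt" "$WORK/ct1.bin" "$PASSWORD"
  decrypt "$WORK/ct1.bin" "$WORK/pt1.txt" "$PASSWORD"
  if cmp -s "$WORK/plaintext.txt" "$WORK/pt1.txt"; then echo ok; else echo mismatch; fi
}

# Prints "distinct" when two encryptions of the same file differ: openssl
# stores a fresh random 8-byte salt after the "Salted__" header, so PBKDF2
# yields a different key/IV each time and ciphertexts do not repeat.
salt_check() {
  encrypt "$WORK/plaintext.txt" "$WORK/ct_a.bin" "$PASSWORD"
  encrypt "$WORK/plaintext.txt" "$WORK/ct_b.bin" "$PASSWORD"
  if cmp -s "$WORK/ct_a.bin" "$WORK/ct_b.bin"; then echo repeated; else echo distinct; fi
}

# Prints "silent" when decrypting with the wrong password exits 0 yet yields
# bytes other than the plaintext: CTR is a stream mode with no padding and no
# authentication tag, so a wrong key (or a tampered ciphertext) is not detected.
wrong_password_check() {
  encrypt "$WORK/plaintext.txt" "$WORK/ct2.bin" "$PASSWORD"
  if decrypt "$WORK/ct2.bin" "$WORK/pt2.txt" "wrongpass" \
     && ! cmp -s "$WORK/plaintext.txt" "$WORK/pt2.txt"; then
    echo silent
  else
    echo detected
  fi
}

roundtrip_check
salt_check
wrong_password_check
```

The last check is the one to remember: a wrong password or a modified ciphertext produces no error from "openssl enc -d" in CTR mode, so confidentiality-only encryption must be paired with a MAC or an authenticated mode when integrity matters.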
Let us now study handling of X.509 public key certificates using OpenSSL.
Suppose that we would like to create a certificate signing request (CSR) to the Certificate Authority for the RSA key that we generated earlier. The following command can be used (do not type it yet):
Then, the utility will request some additional information, which is called a Distinguished Name (DN). An important field in the DN is the Common Name (CN): it should be the exact domain name of the host for which the certificate will be used. Below is an example of the prompt:
Country Name (2 letter code): The two-letter country code where your company/organization is legally located. Example: US
State or Province Name (full name): Example: Texas
Locality Name (e.g., city): Example: Denton
Organization Name (e.g., company): University of North Texas
Organizational Unit Name (e.g., section): Department of Computer Science and Engineering (this field is optional)
Common Name (e.g. server FQDN): Fully Qualified Domain Name; Example: www.unt.edu
Email Address: Example: webmaster@unt.edu (this field is optional)
It is possible to enter all of the above information on the command line, as described below.
Note: The CSR file “euid_domain.csr” will need to be sent to the CA, which will check the user information. If the check is successful, the CA will issue the certificate file. We will omit this step in this lab. Instead, we will obtain and verify the certificate of the Google webserver. For that, we will use the s_client program (of the OpenSSL suite), which implements a generic SSL/TLS client.
Since the output of the previous command takes several screens to be displayed, a screenshot of the last screen alone may not be very informative. The “more” command will be helpful in this case. Type:
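As an added example (not the lab's own command sequence), the following script generates an RSA key, builds a CSR with the whole Distinguished Name supplied through the -subj option instead of the interactive prompts, and then performs the two checks a CA operator would make before issuing: the request's self-signature verifies, and the public key inside it matches the requester's private key. It assumes the openssl command-line tool is on the PATH; the file names are ours, and the DN values reuse the UNT examples given above.

```sh
#!/bin/sh
# Added example: non-interactive CSR creation with -subj, plus the checks a CA
# runs on the request. Assumes the openssl CLI is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/euid_domain.key"
CSR="$WORK/euid_domain.csr"

# 2048-bit RSA private key, unencrypted for simplicity; keep it owner-readable only.
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
  chmod 600 "$KEY"
}

# CSR with the DN given on the command line. Fields are separated by "/";
# the CN must be the exact FQDN the certificate will be used for.
make_csr() {
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=US/ST=Texas/L=Denton/O=University of North Texas/OU=Department of Computer Science and Engineering/CN=www.unt.edu/emailAddress=webmaster@unt.edu"
}

# Prints the CN the CA would see in the request (the value it must validate
# against the requester's control of that host name).
csr_common_name() {
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Prints "ok" when the CSR's self-signature verifies (it was signed with the
# requester's key and not altered in transit) and its embedded public key is
# the one belonging to our private key.
csr_check() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || { echo bad-signature; return; }
  pub_from_key=$(openssl pkey -in "$KEY" -pubout 2>/dev/null)
  pub_from_csr=$(openssl req -in "$CSR" -noout -pubkey)
  if [ "$pub_from_key" = "$pub_from_csr" ]; then echo ok; else echo key-mismatch; fi
}

make_key
make_csr
echo "requested CN: $(csr_common_name)"
csr_check
```

Note that a valid self-signature only proves the requester holds the private key; it says nothing about whether that requester controls www.unt.edu, which is the check the CA performs before issuing.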
openssl s_client -connect google.com:443 -showcerts </dev/null | more
Note: Scrolling is done by pressing “Space” to advance the whole screen down, or “Enter” to advance one line.
Q10: Attach two screenshots: The first and the last screen displayed as a result of the above command.
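Paging through the s_client output is fine for a screenshot, but a practitioner usually wants the chain as files. The script below is an added example (not part of the lab) that captures the s_client transcript, splits every certificate in it into its own PEM file, and prints the subject, issuer and validity period of each. Only fetch_chain needs network access; so that the example runs offline, the demo run uses a constructed stand-in transcript built around a locally generated self-signed certificate. It assumes the openssl command-line tool and awk are on the PATH; the host name www.example.test and all file names are ours.

```sh
#!/bin/sh
# Added example: capture "openssl s_client -showcerts" output, split the chain
# into one PEM per certificate, and summarise each. Assumes openssl and awk.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Talk TLS to host:port and save the whole transcript, chain included.
# </dev/null closes stdin so s_client exits after the handshake instead of
# waiting for application data to send.
fetch_chain() {  # $1 = host, $2 = port, $3 = output file
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null > "$3" 2>&1
}

# Write each BEGIN/END CERTIFICATE block in $1 to $2/cert-N.pem (N=0 is the
# server's own certificate, higher N are intermediates) and print the count.
split_chain() {  # $1 = transcript file, $2 = output directory
  awk -v dir="$2" '
    BEGIN { n = 0; f = "" }
    /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n }
  ' "$1"
}

# Subject, issuer and validity window of one certificate.
describe_cert() {  # $1 = PEM file
  openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate
}

# Leaf CN only, for a quick "is this the host I meant to reach?" check.
leaf_common_name() {  # $1 = PEM file
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Constructed stand-in for a real transcript so the example runs offline:
# a self-signed certificate wrapped in the lines s_client prints around it.
make_sample_transcript() {  # $1 = output file
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/sample.key" \
    -out "$WORK/sample.crt" -days 1 -subj "/CN=www.example.test" 2>/dev/null
  {
    echo "CONNECTED(00000003)"
    echo "Certificate chain"
    echo " 0 s:CN = www.example.test"
    cat "$WORK/sample.crt"
    echo "Verify return code: 18 (self signed certificate)"
  } > "$1"
}

# Demo run (offline). For the lab itself, replace the first line with:
#   fetch_chain google.com 443 "$WORK/transcript.txt"
make_sample_transcript "$WORK/transcript.txt"
count=$(split_chain "$WORK/transcript.txt" "$WORK")
echo "certificates in chain: $count"
describe_cert "$WORK/cert-0.pem"
```

When run against a real server, also look at the "Verify return code" line at the end of the transcript: 0 (ok) means the chain validated against the system CA store, anything else names the reason it did not.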
Section 4: SSH Authentication Using Public Keys
OpenSSH can use public key cryptography for authentication. We will use a freshly generated RSA key pair. Note that if you already have a generated key, you may use the ssh-keygen command with the “-i” option, specifying the key file name.
Important note: In this lab, we will use the earlier generated key pair, only to demonstrate the conversion of key formats.
Type:
ssh-keygen -t rsa
Note: You will see the following prompts (you may just press “Enter” for all of them), and the following messages will be displayed:
Enter file in which to save the key (/home/sec-lab/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sec-lab/.ssh/id_rsa
Your public key has been saved in /home/sec-lab/.ssh/id_rsa.pub
(Note: The key fingerprint and the randomart image below will be different for each student. The “randomart” image visualizes the SHA256 fingerprint to make keys easier to compare by eye.)
The key’s randomart image is:
+---[RSA 3072]----+
| … .o . o|
| . oo + =.|
| + . .+ + O|
| o o = o . B+|
| . . .S + + ..E|
| . o.+. o o |
| . = o. . o |
| o =. o . |
| .oB=.+o . |
+----[SHA256]-----+
Q11: Attach a screenshot of the result.
Let us verify the result:
ls ~/.ssh/
You may expect to see two files: id_rsa and id_rsa.pub, which should contain the private and public keys, respectively.
Let us try to establish an SSH connection (for simplicity, we will connect to our host):
ssh localhost
The SSH server will request a password. Press “Control+Z” to escape. Suppose we want to allow trusted users to access our host without entering a password. Such a user needs to possess the private key corresponding to a public key that was communicated to the server in a trusted manner. Such a public key is called an “authorized key”.
Designate your public key as the OpenSSH authorized key as follows:
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
This should allow us to establish an SSH connection (to our host) without the use of passwords:
ssh localhost (if a prompt about adding the host to known_hosts appears, accept it)
(If successful, a welcome message will be displayed.)
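The script below is an added example (not part of the lab) that performs this section's key-pair steps non-interactively in a scratch directory and adds the checks an administrator runs before trusting a key: the fingerprint is the same whether computed from the private or the public file, the public key recomputed from the private key matches id_rsa.pub, the key is authorized by appending rather than copying (cp would overwrite any keys already trusted), and the public key is converted to a PKCS#8 PEM that openssl can read, which is the format conversion the note above refers to. It assumes ssh-keygen (OpenSSH) and the openssl command-line tool are on the PATH; the directory, file names and key comment are ours.

```sh
#!/bin/sh
# Added example: OpenSSH key pair generation, sanity checks, authorization and
# public-key format conversion, all non-interactive in a scratch directory.
# Assumes ssh-keygen and openssl are on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SSHDIR="$WORK/.ssh"
KEY="$SSHDIR/id_rsa"

# RSA 3072 (ssh-keygen's default size) with an empty passphrase, as the lab
# does by pressing Enter. -q suppresses the randomart picture.
make_keypair() {
  mkdir -p "$SSHDIR" && chmod 700 "$SSHDIR"
  ssh-keygen -q -t rsa -b 3072 -N "" -C "sec-lab example key" -f "$KEY"
}

# Fingerprint (SHA256 over the public key blob). It is identical whether
# computed from the private or the public file, which is how you confirm
# the two files are a pair.
fingerprint() {  # $1 = key file
  ssh-keygen -lf "$1" | awk '{print $2}'
}

# Prints "ok" when the public key recomputed from the private key (-y) carries
# the same key material as id_rsa.pub, i.e. the .pub was not swapped or edited.
pair_check() {
  derived=$(ssh-keygen -yf "$KEY" | awk '{print $1, $2}')
  stored=$(awk '{print $1, $2}' "$KEY.pub")
  if [ "$derived" = "$stored" ]; then echo ok; else echo mismatch; fi
}

# Authorize the key by appending (not cp, which would discard keys already
# trusted) and keep the permissions tight, as sshd's StrictModes requires.
# Prints the number of authorized keys afterwards.
authorize_key() {
  cat "$KEY.pub" >> "$SSHDIR/authorized_keys"
  chmod 600 "$SSHDIR/authorized_keys"
  wc -l < "$SSHDIR/authorized_keys" | tr -d ' '
}

# Format conversion: export the OpenSSH public key as PKCS#8 PEM, then have
# openssl parse it and report the modulus size it sees.
export_pkcs8_bits() {
  ssh-keygen -e -m PKCS8 -f "$KEY.pub" > "$SSHDIR/id_rsa.pkcs8.pem"
  openssl pkey -pubin -in "$SSHDIR/id_rsa.pkcs8.pem" -text -noout \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_keypair
echo "fingerprint (private): $(fingerprint "$KEY")"
echo "fingerprint (public):  $(fingerprint "$KEY.pub")"
pair_check
echo "authorized keys: $(authorize_key)"
echo "modulus bits seen by openssl: $(export_pkcs8_bits)"
```

The fingerprint printed here is the value to compare against the one shown by ssh-keygen in the lab, and it is also what the server-side administrator should confirm out of band before placing a key in authorized_keys.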