Reference no: EM133063911
Public-Key Infrastructure (PKI)
Aims & Objectives
The aim of this lab is to give students a hands-on experience of Public-Key Infrastruc- ture (PKI) and help them understand its benefits, some of its inherent shortcomings, and the possible alternatives. This lab is assessed and consists of 7 tasks. All tasks must be answered. By finishing the lab, students will learn how to issue and deploy digital certificates and how PKI can protect against some attacks. Additionally, the students will learn the shortcomings of (certificate-based) PKI and be able to discuss possible alternatives. Special attention should be paid to Section 3 and the What to Submit subsections of each task which list what exactly needs to be submitted for this lab.
Lab Tasks
This section contains the specification of the required tasks.
Important Note: In some of the tasks you will be required to create a domain of the form UWEFirstNameLastName.com. You need to replace FirstName and LastName with your own first and last names, respectively. For instance, my domain would be UWEEssamGhadafi.com. No marks will be given for the tasks in question if your domain does not correspond to your own name.
Task 1: RSA Key Cryptanalysis
This task requires you to recover the private signing key belonging to a server from partially leaked information and the public key.
Task Requirements
In the file Task1.txt in Blackboard you will find an RSA public key (e, N ) (all in hexadecimal). Also, one of the two prime factors (p) of the modulus N is in the same file. Your task is to recover the private exponent d which would allow anyone to sign on behalf of (and hence masquerade as) the server to whom this key belongs.
What to Submit: You need to submit the value of the private exponent d (in hexadecimal), the code snippet you used, and a screenshot of the steps you used to complete the task. Also, you are free to include any interesting observations you have made/learnt from doing the task.
Guidelines
The lecture slides and lab sheet concerned with Public-Key and Digital Signatures might come in handy when answering this task.
Task 2: Creating a Certificate Authority (CA)
In this task you will learn how to use OpenSSL to create a self-signed certificate for a certificate authority (CA).
Task Requirements
You need to create a key and self-signed certificate for a certificate authority. Some related guidelines can be found in Section 2.2.2.
Important Note: The CA key you generate must be 4096-bit RSA key and the used hash function to self-sign the CA certificate need to be SHA 512.
What to Submit: You need to include a screenshot of the steps and commands you used to complete the task. Also, you are free to include any interesting observa- tions you have made/learnt from doing the task.
Guidelines
To create a self-signed certificate for a CA, we can use the OpenSSL req -x509 to generate a key and self-signed certificate for the CA. The syntax of the command is as follows:
Where:
KeySize: is the desired size in bits of the key.
KeyFile: is the name of the file to which the key will be stored.
CertFile: is the name of the file to which the certificate will be stored.
ConfigFile: is the name of the file containing the configuration. In Blackboard you can find an example configuration file openssl.cnf.
Note that there are other options of the command than the above. For instance, one can choose the hashing algorithm to be used in the signing by adding, e.g.-sha256,
-sha512, -md5, etc.
Using the configuration file (openssl.cnf) requires creating some directories and files. After copying the configuration file into your current directory, you need to create several sub-directories as specified in the configuration file (which can be found under the [CA default] section in the file):
Towards that end, under your current directory create a directory with the name specified in dir. Then under the newly created directory create the above 3 directories (i.e. cert, crl and newcerts). Also, along with those 3 subdirectories, you need to create 2 files: index.txt and serial. The file index.txt can be left empty, whereas in the file serial put a single number in string format (e.g. 1000).
You can also specify the default hash function to be used by modifying the following line in the openssl.cnf file:
Where you can replace md5 with any other supported hash function, e.g. sha256.
When you run the above command, you will be prompted for some information (e.g. Country, Organisation Name, etc.) and a password. You need to remember the chosen password as this will be needed every time you need this CA to issue a certificate. For the other requested details, you can fill them however you want.
To view the content of a certificate, you can use the following command:
Where:
CertFile: is the name of the file containing the certificate.
Task 3: Using your CA to Issue Certificates
In this task you will learn how to use a CA to issue certificates to servers.
Task Requirements
Using the CA you created in the previous task, issue a certificate to a sever. Some related guidelines can be found in Section 2.3.2.
Task 4: Deploying Certificates in OpenSSL HTTPS Server
In this task you will explore how PKI and digital certificates can be used to secure the web. In particular, you will learn how to deploy digital certificates in OpenSSL web server.
Task Requirements
You are required to link the server's certificate you created in the previous task to the server's domain and report the behaviour of the web browser before and after trusting the issuing CA. Follow the guidance in Section 2.4.2 and report your findings.
Important Note: As stated in Section 2.4.2, you must update the file index.html to replace FirstName and LastName with your own first and last names, respec- tively. No marks will be given for this task if you do not do that.
What to Submit: You need to submit a screenshot of the commands/steps you used, and your observations and findings.
Guidelines
To resolve the IP address of the server (i.e. UWEFirstNameLastName.com) for which you have issued your server's certificate, you need to add the following line to the file (/etc/hosts):
Of course, you can use any other preferred editor than gedit, e.g. nano, to edit the file if you wish.
The next step is to launch the OpenSSL web server using your server's certificate.
This can be achieved by performing the following steps:
1. Combining your Server's Key & Certificate:
The aim here is to combine the server's certificate (you created in the previous task) and the corresponding server's key into one file. This can be achieved by the following command:
c a t S e r v e r K e y F i l e S e r v e r C e r t F i l e > NewFileName
Where:
ServerKeyFile: is the name of the file containing your server's key. ServerCertFile: is the name of the file containing your server's certificate. NewFileName: is the name of the file where the combination of key and cer-
tificate of the server will be stored. You can choose whatever name you
wish but it is a good idea to make the extension of the file .pem.
Note that if you are running the above command from a directory different from that where the first two files are stored, you need to provide the full path to those two files.
2. Launching the OpenSSL Web Server:
The aim here is to launch the OpenSSL web server using the combined key and certificate file from the previous step. This can be achieved by the following command:
Where NewFileName is the same file name as that you used in the previous step. Note that the default port on which the server will listen is 4433. This can be overridden by adding the option -accept PortNo to the above command, where PortNo is the port number you wish the server to listen on instead of port 4433. Also, note that you need to the leave the window from which you ran this command open so that the server is still running.
3. Accessing the Server's Web Page:
Assuming you have finished the first 2 steps, download the the simple web page index.html from Blackboard and save it to the same directory from within which you have executed the command in the previous step. Then using an editor of your choice, e.g. nano, gedit, etc., edit index.html and replace
Task 5: Deploying Certificates in Apache HTTPS Server
In this task you will explore how PKI and digital certificates can be used to secure the web. In particular, you will learn how to deploy digital certificates in the Apache web server.
Task Requirements
Similarly to the previous task, you are required to deploy your server's certificate you created in Task 3 in the Apache web server (installed on the UWE VM) and report the behaviour of the web browser. Follow the guidance in Section 2.5.2 and report your findings.
What to Submit: You need to submit a screenshot of the commands/steps you used, and your observations.
and key files, respectively. Note that to edit the above file your need to be a super user. Also, it might be a good idea to backup the file before you edit it just in case things go wrong and you need to revert to the original version.
In order for these entries to be recognised by the Apache server, you need to execute the following steps from the command-line:
1. Testing the Apache configuration file:
This can be done by executing the following command:
sudo a p a c h e c t l c o n f i g t e s t
2. Enabling the SSL module:
This can be done by executing the following command:
sudo a2enmod s s l
3. Configuring Apache for HTTPS:
This can be done by executing the following command:
sudo a 2 e n s i t e d e f a u l t = s s l
4. Restarting the Apache Server:
This can be done by executing the following command:
sudo s e r v i c e apache 2 r e s t a r t
Again, FirstName and LastName are replaced with those of your own.
Task 6: Impersonating a Website (Man-in-the-Middle)
In this task you will explore how PKI could help prevent man-in-the-middle attacks.
Task Requirements
Follow the steps in the guidelines in Section 2.6.2 and report your findings.
What to Submit: You need to submit a screenshot of the commands/steps you used and your observations/findings.
Guidelines
Here you will attempt to impersonate the UWE website www.uwe.ac.uk so that instead of the visitor being redirected to the genuine IP address, they will be redirected to our fake server. In particular, we will redirect the visitor to the server's web page you used in the previous task. Please follow the below steps and report your findings: 1.Add the following line to the file ( /etc/hosts):
Remember that to edit the above file you need to be a super user.
2. As in the previous task, add the 2 entries for www.uwe.ac.uk to default-ssl.conf.
The entries you need to add are identical to those you added for your server in the previous task. The only difference is that instead of the server name being
UWEFirstNameLastName.com as it was for your sever, it will be www.uwe.ac.uk. The rest of the details will remain the same as they were for your server in the previous task. More precisely, add the following entries to the file:
Task 7: Alternative Approaches to (Certificate-Based) PKI (Research Task)
It is well-known that (certificate-based) public-key infrastructure, which relies on using certificates form trusted authorities to ensure authenticity of entities' public keys, has some inherent limitations, such as the high trust placed in the certificate authorities and the overhead associated with revoking certificates. This task requires you to undertake some research regarding alternative approaches to (certificate-based) PKI for managing and distributing public keys.
Task Requirements
Write a short report (750 words max) discussing alternative approaches to (certificate- based) PKI and how they might overcome some of the inherent PKI limitations. Your report should include relevant references from the literature and your discussion should cover advantages and disadvantages of the alternative approaches.
Attachment:- Public-Key Infrastructure.rar