Homework #4The purpose of this homework is for you to get aquainted with OpenSSL, an essential tool for IS professionals. Before anything else you need to make sure you have openssl installed on your computer. Depending on the operating system you're running, you may already have it installed. Otherwise you can download the source code from openssl.org, compile it and install it. For Microsoft Windows you can even get compiled bineries from the same place. In any event, make sure you use the latest stable release. Part 1 (35 points)Generate file digests for the file you used in HW-3, as follows:
Send an email to your instructor that contains, in the body, a link to the file you used in HW-3, the commands you run to get the digests with their respective output, and the output of "openssl version -a". Attached to the email there will be a digital certificate request, aka CSR (Certificate Signing Request), which you can generate by running the following command: $ openssl req -newkey rsa:2048 -keyout <firstName>-<lastName>-privateKey.pem -out <firstName>-<lastName>-csr.pem You'll have to enter some information before the CSR is ready. This information will be included in your certificate and will be used to identify you when using the certificate. For purposes of this homework use the following:
Leave the "extra attributes" blank. Make sure you don't forget the password you entered when creating the CSR, it's being used to encrypt the private key that's generated in the process. Without the password you won't be able to really use your private key for anything. Just to be on the safe side, validate the signature on the certificate request and then the information in the CSR:
$ openssl req -in <firstName>-<lastName>-csr.pem -verify -key <firstName>-<lastName>-privateKey.pem -noout Your instructor will act as a Certification Authority and will issue to you a digital certificate based on the request you submit. NOTE: Protect your private key to make sure nobody but you have access to it. Part 2 (40 points)This part is due no mare than 72 hours after you received the certificate from your instructor. In this part you are going to use the certificate issued by your instructor, encrypt a file, and generate a signed hash using OpenSSL First check the certificate you just received in email: $ openssl x509 -text -noout -in <firstName>-<lastName>-cert.pem Second, you'll need to create a digital certificate in the PKCS12 format; there is nothing wrong with PEM, it's just that most browsers, including Internet Explorer, require that client certificates be in the PKCS12 format rather than the X509 PEM format. Additionally, Java KeyStores require certificates to be in PKCS12 format.To convert your PEM formatted certificate to PKCS12 format, you need both the certificate and the private key for that certificate, the one you generated when creating the CSR. Here's how the command looks like in the general case, you have to modify it for your files: $ openssl pkcs12 -export -in cert.pem -inkey key.pem -out <firstName>-<lastName>-cert.p12 Since your private key is encrypted -- that's how you created it when generating the CSR, you will be prompted to enter the pass phrase for that key before entering the export password. The export password is the password used to encrypt your private key that will be bundled into the PKCS12 certificate; it does not have to be the same as the password you used for the PEM formatted private key. Whatever password you choose, you will need to enter that new password when importing the new PKCS12 certificate into a browser, or email client, etc. Ok, so you now have a brand new, shiny, digital certificate in PKCS12 format, what do you do with it? Well, one thing you can do is to import it into your email client -- remember HW-1? -- and try to use it instead of the one you got from Thawte. Unfortunately that's not going to work, and part of what you have to do is to answer the folowing two questions:
Put your answers in a plain text file named <firstName>-<lastName>-HW4-part-ii.txt, then encrypt it using AES. Of course there is an OpenSSL command to do that. Use your Banner CWID as a passphrase. Attach the encrypted file in an email to your instructor. In the body of the email include the SHA-2 digest of the attached file, with a digest length of your choice. Also in the body of the message include the following:
Part 3 (25 points)For this section you'll use openssl to create secure clients for email servers and web sites, and to generate random data. All your results will be sent to your instructor as attachements to signed and encrypted email, using the digital certificate that was issued to you by your instructor. First, use openssl as a client to establish a secure connection to IIT's mail server, mail.iit.edu. Your choice of port to connect to, whether 25 (TLS), 465 (SSL), or 587 (TLS). I hope not all students choose port 25. The file you'll attach to the email to your instructor must include the command you run, the output generated during the session, and the response of the server when you submit the 'HELP' command. NOTE: You may need to specify the line-terminator as -crlf or else the mail server may not be able to respond to you. Second, use openssl to connect to a secure web site of your choice. Keep in mind that some of the smaller web sites don't necessarily support a secure version of their content. The file you'll attach to the email to your instructor must include the command you run, and the output generated during the session and the response of the server when you submit the 'GET /' command. Third, use openssl to generate random data using openssl. You should generate at least 4096 bytes of random data in base-64 encoded form. The file you'll attach to the email to your instructor must include the command you run, the output generated, and a description of how you could test that what openssl generated is indeed random.
$Id: hw4.html,v 1.5 2009/10/20 21:32:12 virgil Exp $ |