Homework #4

The purpose of this homework is for you to get aquainted with OpenSSL, an essential tool for IS professionals.

Before anything else you need to make sure you have openssl installed on your computer. Depending on the operating system you're running, you may already have it installed. Otherwise you can download the source code from openssl.org, compile it and install it. For Microsoft Windows you can even get compiled bineries from the same place. In any event, make sure you use the latest stable release.

Part (i) - 25 points

Download a story from the Gutenberg Project.

Generate file digests for the file you used in HW-3, as follows:

  • MD5
  • SHA1

Send an email to your instructor that contains, in the body, a link to the file you used, the commands you ran to get the digests with their respective output, an explanation of why being able to generate digests is important in Information Security, and the output of "openssl version -a".

Attached to the email there will be a digital certificate request, aka CSR (Certificate Signing Request), which you can generate by running the following command:

$ openssl req -newkey rsa:2048 -keyout <firstName>-<lastName>-privateKey.pem -out <firstName>-<lastName>-csr.pem

You'll have to enter some information before the CSR is ready. This information will be included in your certificate and will be used to identify you when using the certificate. For purposes of this homework use the following:

Country Name US
State or Province Name Illinois
Locality Name Chicago
Organization Name Illinois Institute of Technology
Organizational Unit Name cs458, Fall 2010
Common Name <lastName>, <firstName> <middleInitial>.
Email Address Your IIT email address

Leave the "extra attributes" blank.

Make sure you don't forget the password you entered when creating the CSR, it's being used to encrypt the private key that's generated in the process. Without the password you won't be able to really use your private key for anything.

Just to be on the safe side, validate the signature on the certificate request and then the information in the CSR:

$ openssl req -in <firstName>-<lastName>-csr.pem -verify -key <firstName>-<lastName>-privateKey.pem -noout

$ openssl req -in <firstName>-<lastName>-csr.pem -noout -text

Your instructor will act as a Certification Authority and will issue to you a digital certificate based on the request you submit.

NOTE: Protect your private key to make sure nobody but you have access to it.

Part (ii) - 40 points

This part is due no more than 72 hours after you received the certificate from your instructor.

In this part you are going to use the certificate issued by your instructor, encrypt a file, and generate a signed hash using OpenSSL

First check the certificate you just received in email:

$ openssl x509 -text -noout -in <firstName>-<lastName>-cert.pem

Second, you'll need to create a digital certificate in the PKCS12 format; there is nothing wrong with PEM, it's just that most browsers, including Internet Explorer, require that client certificates be in the PKCS12 format rather than the X509 PEM format. Additionally, Java KeyStores require certificates to be in PKCS12 format.

To convert your PEM formatted certificate to PKCS12 format, you need both the certificate and the private key for that certificate, the one you generated when creating the CSR. Here's how the command looks like in the general case, you have to modify it for your files:

$ openssl pkcs12 -export -in cert.pem -inkey key.pem -out <firstName>-<lastName>-cert.p12

Since your private key is encrypted -- that's how you created it when generating the CSR, you will be prompted to enter the pass phrase for that key before entering the export password. The export password is the password used to encrypt your private key that will be bundled into the PKCS12 certificate; it does not have to be the same as the password you used for the PEM formatted private key. Whatever password you choose, you will need to enter that new password when importing the new PKCS12 certificate into a browser, or email client, etc.

Ok, so you now have a brand new, shiny, digital certificate in PKCS12 format, what do you do with it? Well, one thing you can do is to import it into your email client -- remember HW-1? -- and try to use it instead of the one you got from CACert.

Unfortunately that's not going to work, and part of what you have to do is to answer the folowing two questions:

  • Why does your email client refuse to send signed and/or encrypted email when using the new certificate?
  • What else do you need to make it work?

Put your answers in a plain text file named <firstName>-<lastName>-HW4-part-ii.txt, then encrypt it using AES. Of course there is an OpenSSL command to do that. Use your Banner CWID as a passphrase.

Attach the encrypted file in an email to your instructor. Also, attach to the email a signed SHA-2 digest of the encrypted file, with a digest length of your choice.

In the body of the email include the following information:

  • The command you ran to create the encrypted file
  • The command you ran to create the signed digest
  • The command your instructor needs to run to decrypt the file attached to the email
  • The command your instructor needs to run to validate the signed digest, in addition to any additional information (s)he may need from you

Part (iii) - 35 points

This part is due no more than 72 hours after you received the certificate from your instructor.

For this section you'll use openssl to create secure clients for email servers and web sites, and to generate random data. All your results will be sent to your instructor as attachements to signed and encrypted email, using the digital certificate that was issued to you by your instructor.

First, use openssl as a client to establish a secure connection to IIT's mail server, mail.iit.edu. Your choice of port to connect to, whether 25 (TLS), 465 (SSL), or 587 (TLS).

The file you'll attach to the email to your instructor must include an brief description of similarities and differences between ports 25, 465, and 587, the command you ran to connect to the mail server, the output generated during the session, and the response of the server when you submit the 'HELP' command.

NOTE: You may need to specify the line-terminator as -crlf or else the mail server may not be able to respond to you.

Second, use openssl to connect to a secure web site of your choice. Keep in mind that some of the smaller web sites don't necessarily support a secure version of their content.

The file you'll attach to the email to your instructor must include the command you ran, and the output generated during the session and the response of the server when you submit the 'GET /' command.

Third, use openssl to generate random data using openssl. You should generate at least 4096 bytes of random data in base-64 encoded form.

The file you'll attach to the email to your instructor must include the command you ran, the output generated, and a description of how you could test that what openssl generated is indeed random.

$Id: hw4.html,v 1.1 2011/08/22 13:43:27 virgil Exp $