M. Rahouti and K. Xiong University of South Florida

Labs: Public Key

Table of Contents

1. Overview…………………………………………………………………………………………………….2

2. Topology and Environment Preparation…………………..…………………………….....2

2.1 . Create Topology and SSH to nodes…………………………………………….2

2.2 . Installing Necessary Tools and Packages……………………………………4

3. Hands-on Exercises…………………………………………………………………………………….5

3.1 . Become A (CA)……………..……………………...... 5

3.2 . Generate A Certificate for your Server……...... ………………………………15

3.3 . Attack on Certificate Signing Request (CSR) using Man-In-Middle Attack

(MiM)…………………………………………………………………………………….………………8

3.4 . Denial of Service (DoS) Attack on CA……………………………………………………9

3.5 . Create ……………………………………..………………………………10 4. Write-Up and Submission…………………………………………..………………………….…11

5. Resource Release.………………………………………………………………………………….…11

M. Rahouti and K. Xiong University of South Florida

1. Overview

The learning objective of this lab is to get familiar with the concepts in the Public-Key cryptography and Public-Key Infrastructure (PKI). After finishing the lab, students should be able to gain some hands-on experiences on public-key encryption, digital signature, public-key certificate, certificate authority. Moreover, students will be able to use tools such as tcpdump and hping3 to capture sensitive/secure traffic and launch attacks on certificate signing request files respectively.

2. Topology and Environment Preparation

2.1 . Create Topology and SSH to nodes

Launch jFed and login by clicking on ‘Login with PEM-certificate.’

Next, go to New. Create a new topology consisting of four VMs and name them NC, NS, NT and NA respectively. These nodes’ notations are:

- NC: Client node - NS: Server node - NT: Trusted node - NA: Attacker node M. Rahouti and K. Xiong University of South Florida

Next step: click on Run, assign a name to your slice, select the GENI project under which you are working and click on Start Experiment.

Once the nodes turn green, ssh to each one of them by double clicking on each node. If you are successfully logged in, you should see an ssh window as depicted below.

M. Rahouti and K. Xiong University of South Florida

2.2 . Installing Necessary Tools

Once you successfully ssh to the reserved nodes, please make sure the following tools and packages are installed.

- OpenSSL library. - FTP - SFTP - Tcpdump - Snort - Vsftpd server - Hping3

M. Rahouti and K. Xiong University of South Florida

3. Hands-on Exercises

3.1 . Become a Certificate Authority (CA)

In this task, you will create a certificate authority in order to demonstrate the importance of public and certificate. This task will serve as the baseline of next tasks of this lab. The NT node will serve as a certificate authority in this lab.

Instructions:

Log in to the NT node and apply the following steps:

Step 1: Edit /usr/lib/ssl/.conf to allow for certificate creation.

The manual page of openssl.conf can be found using Google search. You can also get a copy of the configuration file from /usr/lib/ssl/openssl.cnf. After copying this file into your current directory, you need to create several sub-directories as specified in the configuration file (look at the [CA default] section):

dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept M. Rahouti and K. Xiong University of South Florida

new_certs_dir = $dir/newcerts # default place for new certs. database = $dir/index.txt # database index file. Serial = $dir/serial # The current serial number

For the index.txt file, simply create an empty file. For the serial file, put a single number in string format (e.g. 1000) in the

Step 2: Next, you must generate a self-signed certificate for our CA, which will serve as the .

Run the command: openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

You will be prompted for information and a password. Do not lose this password, as you will have to type it each time you want to use this CA to sign certificates. You will also be asked to fill in some information, such as the Country Name, Common Name, etc. The output of the command are stored in two files: ca.key and ca.crt. The file ca.key contains the CA’s private key, while ca.crt contains the public-key certificate.

Questions:

• Include your configuration file by appending it directly to your report. • Explain the importance of certificate authorities. • Is there any security threat that could affect the CA node? • State and explain any further observations or remarks you might have.

3.2 . Generate A Certificate for your Server

In this task, you will observe and learn how to create a certificate using your CA. Since you became a CA, you are ready to sign a digital certificate for customers. Your customer is going to be the NC (client node). In order for this client node to get a digital certificate from a CA (NT node), it needs to go through the following steps.

Instructions:

Step one (NC node):

Log in to NC node and follow the instructions below: M. Rahouti and K. Xiong University of South Florida

In order to create public key and private key pair, you need to run the following command to generate an RSA key pair (private key and public key), Where you will be required to provide a password to protect the keys. The keys will be stored in server.key file:

Command: openssl genrsa -des3 -out server.key 1024

Once you obtain the key file, you need to generate a certificate-signing request (CSR) for the client node. The CSR will be sent to the CA, which will generate a certificate for the key (usually after ensuring that the identity information in the CSR matches the server’s identity). Please use GeniLab3.com as the common name of the certificate request.

Command: openssl req -new -key server.key -out server.csr -config openssl.cnf

Step two (NT node):

In this task, you will utilize FTP to send the ‘server.csr’ csr file to the CA through public internet. FTP is a file transfer protocol (like HTTP) used to send the stream of bits stored as a single unit in a file system including file name, file size, timestamp and other metadata from one host to another host over a TCP-based network such as the Internet. .

Hands-on steps:

1- First, make sure FTP client and vsftpd server have been installed and configured in client NC and NT nodes respectively. 2- Log in to client node: a. Establish a connection session to the remote server. Use either the hostname or IP address of the NT node that you can get by running $ifconfig command (for the IP address, you may use either the control plane or data plane address). 3- Send the csr file to the NT node using $ftp commands a. ://docs.oracle.com/cd/E19120-01/open.solaris/819- 1634/remotehowtoaccess-60496/index.html 4- Log in to the CA node and locate the server.csr file you sent from NC node using FTP. 5- The CSR file needs to have the CA’s signature to form a certificate. In a real world scenario, the CSR files are usually sent to a trusted CA for their signature. In this lab, you will use your own trusted CA to generate certificates. Use the following command to do so. openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key \ -config openssl.cnf 6- Next, send the server.crt file back to NC node using FTP service (steps 1-3).

M. Rahouti and K. Xiong University of South Florida

NOTE: If OpenSSL refuses to generate certificates, it is very likely that the names in your requests do not match those of CA. The matching rules are specified in the configuration file (look at the [policy match] section). You can change the names of your requests to comply with the policy, or you can change the policy itself. The configuration file also includes another policy (called policy anything), which is less restrictive. You can choose that policy by changing the following line: "policy = policy_match" change to "policy = policy_anything".

Questions:

• Provide a copy of the key file. Include it in your report. • Is there any security risk/vulnerability of using this type of communication between NT as CA and the client NC? • As an attacker, is it feasible to intercept the certificate signing request that is sent from NC to NT using FTP? Why?

3.3 . Attack on Certificate Signing Request using Man-In-Middle Attack (MiM)

In this task, you will learn about some of the security threats when sending a sensitive information through an insecure public channel. In our case, this sensitive information is the certificate signing request (server.csr) file that is sent from a client to CA in order to get a digital certificate. Therefore, you are going to make use of the attacker node (NA) to intercept the message (.csr) using tcpdump tool. This node is going to play the role of the Man-In-Midle (MiM) attack. MiM is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

To do so, you may either repeat the steps of task 1 to generate the csr file and send to CA node in order to get a certificate for your client node (NC), or just use the same csr file you generated in task 1 to request a certificate through FTP service.

Next, packet capture. You are going to use tcpdump tool to do accomplish this task as follows:

a. Log in to attacker node (NA) a. Run tcpdump tool on the appropriate interface of NA. You may filter just the FTP traffic in your tcpdump command in order to capture only the FTP traffic.

Take away questions: M. Rahouti and K. Xiong University of South Florida

- Is using FTP for official file transfer such as csr files can leave your data transmission disclosed and hence exposed to security attacks? Why? - Can you think of a better solution to communicate such secret information through a public communication channel?

3.4 . Denial of Service (DoS) Attack on CA

In this task, we will deploy a popular tool called hping3 to attack the CA node (NT). The purpose behind this exercise is to observe and learn about the effect of Denial of Service (DoS) attack on the CA. Therefore, you are going to flood the CA and try to request a certificate for your client node (NC), whereas the CA is being under attack from NA node.

To do so, please follow the instructions below.

1. Make sure hping3 package is successfully installed in NA. 2. Launch a DoS attack from NA to target CA by using the following hping3 command: a. $hping3 -c 10000 -d 120 -S -w 64 --flood -V Destination_IP_Address b. Replace the destination address with the corresponding IP address of the CA node. 3. While the CA is under attack, try to request a certificate from it by following the steps described in Task 1 (step 1-3).

Questions:

- Are you able to get a certificate for your NC node? - Why? - Can you think of any solution to prevent or mitigate such a security vulnerability?

3.5. Create Digital Signature

Task: To experiment with the creation of digital signatures and to understand their significance

Instructions:

Log in to the server node (NS) and do the following.

M. Rahouti and K. Xiong University of South Florida

Step 1: Create a text file of any size and name it as you wish. Then create

Step 2: Sign the hash of your file and save the output in a file named YOURFILENAME.sha256

Step 3: Verify the signature

Step 4: Modify the original file and verify the signature again

Questions:

• Explain how you verified the signatures and provide the commands used.

• Show the results of both verification tests and explain the findings.

• Explain why digital signatures are useful.

4. Write-Up and Submission

Please write a report like the following:

• A summary of your actions, noting difficulties and your solutions to them • Any questions in bold, italics in the procedure • Answer the designated multiple choice questions

Put all of your answers, screenshots, and external files within one document. Please submit as a single document (.doc, .docx, .pdf). There should be no archive file submitted.

The Report is due on Month, Day, Year at 11:59 PM.

5. Resources Release

After you are done with this lab, please release your resources. In the jFed platform, select the slice and click on the "Terminate" button.