Computer Security Laboratory Manual
College of Engineering and Technology
School of Computing and Informatics
Department of Computer Science
Laboratory Manual for Computer Security
Compiled By: Debebe Kebede (MSc.)
2. Lab 1: Installing and Configuring OpenSSL
Lab 2: Introduction and Commands Used in OpenSSL
Lab 3: Symmetric encryption with OpenSSL
Lab 4: Encrypting File Using DES Algorithm
Lab 5: Asymmetric Encryption With OpenSSL
Lab 6: Encrypting File Using RSA
Lab 7: Digital Certification With OpenSSL
Lab 8: Digital Signature
Lab Sessions
3. ❖ Before installing OpenSSL, it’s worth checking whether it is already present
on our Ubuntu system from a previous installation.
❖ To check if OpenSSL is installed, use this command:
$ openssl version
❖ If OpenSSL is installed, it will print out the version information like:
❖ This indicates OpenSSL is already available and we likely do not need
to install it again.
❖ If the openssl command is not found, we will see an error like:
Bash: openssl: command not found
Lab 1: Installing and Configuring OpenSSL on Ubuntu
4. OpenSSL is a cryptographic toolkit that implements SSL and TLS. It provides:
1. A C library for building client/server applications that use SSL/TLS
2. A command-line tool (openssl) that supports:
❖ Creation of RSA and DSA keys
❖ Creation of X.509 certificates
❖ Digest computation (MD5, SHA, …)
❖ Ciphering and deciphering (DES, IDEA, RC2, RC4, Blowfish, …)
❖ Tests of client/server SSL/TLS
❖ Signing and ciphering of mail (S/MIME, Secure/Multipurpose Internet Mail Extensions)
Lab 2: Introduction and Commands Used in OpenSSL
5. ❖ To know everything about OpenSSL: man openssl
❖ The general syntax of openssl is: openssl> <command> <options>
6. To encrypt a file with openssl using DES encryption (here Triple DES, -des3):
openssl> enc -des3 -in file -out file2
The result is in the file file2.
❖ To decrypt the same file:
openssl> enc -des3 -d -in file2 -out filedecrypted
Here, file and filedecrypted should contain the same content.
Lab 3: Symmetric encryption with OpenSSL: Basic Commands
7. ❖ By default, you have to type a password to protect the encryption.
❖ The symmetric key is generated from this password.
Create and Print Keys
❖ To create a symmetric key: openssl> enc -des3 -P
❖ This command asks for the password.
❖ It generates a key, starting from the password and a random “salt”.
– The salt is there to scramble the password.
❖ The command prints the salt used, the generated key and an
initialization vector (iv) to be used with the key for encryption.
8. ❖ This command encrypts the file file1 to the file file2 with DES3,
using the key key and the initialization vector vector. The key and the
vector are given in hexadecimal with the options -K (capital K) and -iv;
the lowercase option -k takes a password instead.
openssl> enc -des3 -in file1 -out file2 -K key -iv vector
Remarks:
❖ We can use openssl des3 directly (instead of openssl enc -des3).
❖ We can use base64 instead of des3.
❖ The file is then not ciphered, since base64 is a coding system (clear
text) that makes data independent of any architecture (useful when
data are sent between different computers, OSs, networks, …).
9. ❖ Step 1: Create a file named abe using
debe@debe-VirtualBox:~$ cat > abe
Welcome to Dilla University
Then, change the command line into openssl using:
debe@debe-VirtualBox:~$ openssl
❖ Step 2: Encrypt the file abe into kebe using DES:
openssl> enc -des3 -in abe -out kebe
It will then ask you to enter a password:
enter des-ede3-cbc encryption password: 123456
verifying - enter des-ede3-cbc encryption password: 123456
Lab 4: Encrypting a File Using a DES Algorithm
10. ❖ This creates the encrypted file named kebe.
❖ Step 3: Now, to decrypt the encrypted file kebe into another
file named selam, use the following command:
openssl> enc -des3 -d -in kebe -out selam
enter des-ede3-cbc decryption password:123456
❖ Now the decrypted file named selam has been created.
❖ To see the decrypted file selam, change the command line:
debe@debe-VirtualBox:~$ cat selam
Welcome to Dilla University
11. Step 1: To create a symmetric key, use:
openssl> enc -des3 -P
enter des-ede3-cbc encryption password: 123456
Verifying-enter des-ede3-cbc encryption password: 123456
salt=CB832CAA53360439
key=065BD1FC9A761790B53F1410B3372176D99F06FBEC3FB7F3
iv=5DA7C1A98C9908DB
Step 2: Create a new file named debe
debe@debe-VirtualBox:~$ cat > debe
Hello Security World!
Creating and printing keys (DES)
12. Then, change the command line into openssl using:
debe@debe-VirtualBox:~$ openssl
Step 3: Use the key (K) and initialization vector (iv) to
encrypt the file debe to the file kebe with DES3:
openssl> enc -des3 -in debe -out kebe -K 065BD1FC9A761790B53F1410B3372176D99F06FBEC3FB7F3 -iv 5DA7C1A98C9908DB
❖ Now the encrypted file kebe has been created.
13. ❖ To decrypt the encrypted file kebe into another file named abe:
openssl> enc -des3 -d -in kebe -out abe -K 065BD1FC9A761790B53F1410B3372176D99F06FBEC3FB7F3 -iv 5DA7C1A98C9908DB
❖ To see the content of abe:
debe@debe-VirtualBox:~$ cat abe
Hello Security World!
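The following added example (not part of the original manual) contrasts the two ways of keying enc that Labs 3 and 4 use: a password given with -k, from which the key is derived with a random salt, and a raw hexadecimal key given with -K and -iv. It reuses the key, IV, password and file text printed in the lab; the function names, the output file names and the -pbkdf2 option are assumptions of the example.

```bash
#!/usr/bin/env bash
# Key and IV are the values printed by "enc -des3 -P" in the lab above.
KEY=065BD1FC9A761790B53F1410B3372176D99F06FBEC3FB7F3
IV=5DA7C1A98C9908DB
PASS=123456   # the lab password; far too weak outside a classroom

# Encrypt the same file both ways inside directory $1.
encrypt_both() {
  printf 'Hello Security World!\n' > "$1/debe"
  # -K/-iv: the hex key and IV are used exactly as given; no salt is stored.
  openssl enc -des3 -in "$1/debe" -out "$1/raw.enc" -K "$KEY" -iv "$IV"
  # -k: the argument is a password; key and IV are derived from it and a
  # random salt, which is written at the start of the output file.
  openssl enc -des3 -pbkdf2 -in "$1/debe" -out "$1/pw.enc" -k "$PASS"
}

# Succeeds when file $1 begins with the "Salted__" header of password mode.
is_salted() { [ "$(head -c 8 "$1")" = "Salted__" ]; }

# Decrypt $1 to $2 with the raw key; succeeds only if the lab text comes back.
raw_decrypt_ok() {
  openssl enc -des3 -d -in "$1" -out "$2" -K "$KEY" -iv "$IV" 2>/dev/null &&
    [ "$(cat "$2")" = "Hello Security World!" ]
}

# Decrypt $1 to $2 with the password; succeeds only if the lab text comes back.
pw_decrypt_ok() {
  openssl enc -des3 -pbkdf2 -d -in "$1" -out "$2" -k "$PASS" 2>/dev/null &&
    [ "$(cat "$2")" = "Hello Security World!" ]
}
```

A file encrypted with -k can only be decrypted with the same password, and a file encrypted with -K only with the same key and IV; mixing the two fails even when the hexadecimal string is identical.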
14. RSA with OpenSSL
Generating key pairs:
❖ To create a pair of keys, the genrsa command is used:
openssl> genrsa size
❖ Here, size is the size of the key in bits.
❖ To save this key in keyfile.pem, use the option -out keyfile.pem:
openssl> genrsa -out keyfile.pem size
❖ The file format is PEM (Privacy Enhanced Mail, a base64 format).
Lab 5: Asymmetric Encryption with OpenSSL
15. Visualizing RSA keys:
❖ The rsa command displays the content of a file
(PEM format) containing an RSA key pair.
openssl> rsa -in keyfile.pem -text -noout
❖ The option -text asks for a plain-text output of the key pair.
❖ The option -noout suppresses the normal output of the
rsa command.
16. Visualizing RSA keys:
❖ The output shows the different elements of the key (size, modulus,
exponents, primes, …).
❖ By default, we can see that the public exponent is always 65537
(the option -3 is the other option and uses 3 as the public
exponent).
❖ The last three numbers (exponent1, exponent2 and coefficient)
are only used for optimization purposes.
17. Ciphering the key file:
❖ In the file, the private key is in clear text and could be
extracted.
❖ It is necessary to encrypt it.
– It can be done when the key is generated (genrsa
command), or
– at any time with the rsa command.
❖ In both cases, the option is -des, -des3 or -idea:
18. Ciphering the key file:
openssl> rsa -in keyfile.pem -des3 -out keyencrypted.pem
❖ The file keyencrypted.pem contains a version of
the key encrypted with the DES3 algorithm.
❖ Here a password is used to protect access to the key.
19. Exporting the public key:
❖ The public key should be extracted from the file (encrypted
or not), since this public key should be transmitted to anyone.
❖ The rsa command with the option -pubout exports
the public part of the key.
openssl> rsa -in keyencrypted.pem -pubout -out publickey.pem
20. Ciphering data with RSA:
❖ To cipher data with an RSA key, use the command rsautl (RSA utility
functions):
openssl> rsautl -encrypt -in inputfile -inkey keyfile.pem -out outputfile
❖ The inputfile is the file to encrypt (-encrypt).
❖ Caution: The file should not be too large for the key (116 bits for a
1024-bit key).
❖ The keyfile.pem contains the RSA key.
❖ If only the public key is in the file, the option -pubin must be used.
21. Ciphering data with RSA:
❖ To decrypt, replace the option -encrypt with -decrypt.
❖ The keyfile must then contain the private key.
openssl> rsautl -decrypt -in inputfile -inkey keyfile.pem -out outputfile
22. Step 1: Create a pair of keys:
openssl> genrsa 512
Generating RSA private key, 512 bit long modulus
………..++++++++ ……………
++++++++
e is 65537(0x10001)
------BEGIN RSA PRIVATE KEY------ MIIB0QI….
------END RSA PRIVATE KEY------
Note: 512 is the size of the key.
Lab 6: Encrypting Files Using RSA
23. Step 2: Save the key in a file named privatekey.pem
openssl> genrsa -out privatekey.pem 512
Generating RSA private key, 512 bit long modulus
..+++++++++++++++ ………………….++++++++++
e is 65537 (0x10001)
25. Step 4: Encrypt the private key using the following
command:
openssl> rsa -in privatekey.pem -des3 -out privatekey_encrypted.pem
writing RSA key
Enter PEM passphrase: 123456
Verifying – Enter PEM pass phrase: 123456
❖ Now the private key privatekey.pem is encrypted as privatekey_encrypted.pem
❖ The password 123456 is used to protect access to the key.
26. Step 5: Extract the public key from the encrypted file
privatekey_encrypted.pem:
openssl> rsa -in privatekey_encrypted.pem -pubout -out publickey.pem
Enter pass phrase for privatekey_encrypted.pem:123456
writing RSA key
27. Step 6: Visualize the public key
openssl> rsa -pubin -in publickey.pem -text -noout
or
debe@debe-VirtualBox:~$ cat publickey.pem
---------BEGIN PUBLIC KEY------- MFww …
---------END PUBLIC KEY---------
28. Step 7: Cipher the file kidus with the RSA key into the file yosef:
debe@debe-VirtualBox:~$ cat > kidus
Ciphering file with RSA demo
openssl> rsautl -encrypt -in kidus -pubin -inkey publickey.pem -out yosef
29. Step 8: Decrypt the encrypted file yosef into hana:
openssl> rsautl -decrypt -in yosef -inkey privatekey.pem -out hana
debe@debe-VirtualBox:~$ cat hana
Ciphering file with RSA demo
30. ❖ A Certificate Authority (CA) acts as the trusted third party that
issues digital certificates and validates them in a Public Key Infrastructure
(PKI).
❖ The most important part of X.509 is its structure for public-key
certificates.
❖ Each user has a distinct name.
❖ A trusted Certification Authority (CA) assigns a unique name to each
user and issues a signed certificate containing the name and the user’s
public key.
❖ If Alice wants to communicate with Bob, she first gets his certificate from
a database.
Lab 7: Digital Certification with OpenSSL
31. ❖ Then she verifies its authenticity.
❖ If both share the same CA, this is easy. Alice simply verifies the
CA’s signature on Bob’s certificate.
❖ If they use different CAs, it’s more complicated.
❖ Think of a tree structure, with different CAs certifying other CAs
and users.
❖ On the top is one master CA.
❖ Each CA has a certificate signed by the CA above it, and by the
CAs below it.
32. ❖ Suppose we have two certification authorities, CA1 and CA2.
❖ CA1 is the root certification authority, and CA2 is certified by
CA1.
❖ Let us create a certificate request and sign it by CA2.
Step 1: First we have to generate an RSA private key of 4096-bit
length for CA1, to be stored in the file CA1.key:
openssl> genrsa -out CA1.key key_size
openssl> genrsa -out CA1.key 4096
33. Step 2: Create a self-signed certificate for the CA (RootCA.crt):
openssl> req -new -x509 -days no_of_days -key RootCA1.key -out RootCA1.crt
openssl> req -new -x509 -days 730 -key CA1.key -out CA1.crt
34. Where:
req - The OpenSSL command for creating and processing certificate
requests.
-x509 - This option makes req output a self-signed certificate instead of a
certificate request, so OpenSSL signs the certificate somewhat like a
certificate authority.
X.509 - Refers to a digitally signed document according to RFC 5280.
-days - The number of days that the certificate will be valid (in this case two
years, 730 days).
-out - The location to output the certificate file itself.
35. Step 3: Generate the key for the intermediate CA, CA2, which will
be used for the actual signing. First generate the key:
openssl> genrsa -out IntermediateCA1.key key_size
openssl> genrsa -out CA2.key 4096
36. Step 4: Request a certificate for this intermediate CA2.
openssl> req -new -key CA2.key -out CA2.csr
37. Step 5: Sign the intermediate certificate with the root CA1 certificate,
which means that CA2 is certified by CA1.
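The manual gives no command for Step 5, so the following added example (not part of the original manual) runs Steps 1 to 5 non-interactively, using openssl x509 -req as one way to sign the CA2 request with CA1, and then goes one step further by signing a user request with CA2 and verifying the whole chain. The subject names, validity periods for CA2 and the user, the ca.cnf extension sections, the user.* file names and the function names are assumptions of the example.

```bash
#!/usr/bin/env bash
# build_chain DIR [BITS]: root CA1 -> intermediate CA2 -> one user certificate.
build_chain() (
  set -e
  mkdir -p "$1"; cd "$1"; bits=${2:-4096}
  # Minimal config, so the run does not depend on the system openssl.cnf.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
  # Steps 1-2: CA1 key and self-signed CA1 certificate.
  openssl genrsa -out CA1.key "$bits" 2>/dev/null
  openssl req -new -x509 -days 730 -config ca.cnf -extensions v3_ca \
    -subj "/CN=Example Root CA1" -key CA1.key -out CA1.crt
  # Steps 3-4: CA2 key and certificate request.
  openssl genrsa -out CA2.key "$bits" 2>/dev/null
  openssl req -new -config ca.cnf -subj "/CN=Example Intermediate CA2" \
    -key CA2.key -out CA2.csr
  # Step 5: CA1 signs the CA2 request; CA:TRUE lets CA2 issue certificates.
  openssl x509 -req -in CA2.csr -CA CA1.crt -CAkey CA1.key -CAcreateserial \
    -days 365 -extfile ca.cnf -extensions v3_ca -out CA2.crt 2>/dev/null
  # A user request signed by CA2, marked CA:FALSE so it cannot sign others.
  openssl genrsa -out user.key "$bits" 2>/dev/null
  openssl req -new -config ca.cnf -subj "/CN=user.example" \
    -key user.key -out user.csr
  openssl x509 -req -in user.csr -CA CA2.crt -CAkey CA2.key -CAcreateserial \
    -days 90 -extfile ca.cnf -extensions v3_user -out user.crt 2>/dev/null
)

# Succeeds when user.crt chains through CA2 up to the trusted root CA1.
verify_chain() {
  openssl verify -CAfile "$1/CA1.crt" -untrusted "$1/CA2.crt" \
    "$1/user.crt" >/dev/null 2>&1
}

# Print the issuer line of a certificate, to see which CA signed it.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }
```

Run it as build_chain ./pki followed by verify_chain ./pki; only CA1.crt needs to be distributed as the trust anchor, while CA1.key and CA2.key stay with their CAs.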
38. ❖ A digital signature is a mathematical scheme for demonstrating the
authenticity of digital messages or documents.
❖ The message or file to be sent is signed with the private key.
❖ The message received by the recipient is authenticated using the public key.
Lab 8: Digital Signature
40. RSA Sign and Verify using OpenSSL
❖ Create a sample file, private key and public key:
Step 1: E.g., create a file containing all the lowercase letters.
debe@debe-VirtualBox:~$ echo abcdefghijklmnopqrstuvwxyz > myfile.txt
Step 2: Generate a private key (e.g., 512-bit key size)
openssl genrsa -out myprivate.pem 512
Step 3: Separate the public part from the private key file
openssl rsa -in myprivate.pem -pubout > mypublic.pem
41. RSA Sign and Verify using OpenSSL
Step 4: Visualize the contents of the private key
debe@debe-VirtualBox:~$ cat myprivate.pem
42. RSA Sign and Verify using OpenSSL
Step 5: Sign the file using a hash algorithm (e.g., sha1)
openssl dgst -sha1 -sign myprivate.pem -out sha1.sign myfile.txt
Step 6: Verify the signature
Note: Here OpenSSL decrypts the signature to recover the hash and
compares it to the hash of the input file.
openssl dgst -sha1 -verify mypublic.pem -signature sha1.sign myfile.txt
Verified OK
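The following added example (not part of the original manual) applies the sign and verify steps of Lab 8 to several files and shows how a recipient who holds only the public key finds the files that were changed after signing. It assumes a 2048-bit key and SHA-256 where the lab uses 512 bits and sha1; the msgN.txt and msgN.sig file names and the function names are also assumptions.

```bash
#!/usr/bin/env bash
# make_signed DIR: create a key pair, three messages and one signature each.
make_signed() (
  set -e
  cd "$1"
  openssl genrsa -out myprivate.pem 2048 2>/dev/null
  openssl rsa -in myprivate.pem -pubout -out mypublic.pem 2>/dev/null
  for n in 1 2 3; do
    printf 'Message %s: abcdefghijklmnopqrstuvwxyz\n' "$n" > "msg$n.txt"
    # The signature covers the SHA-256 digest of the file content.
    openssl dgst -sha256 -sign myprivate.pem -out "msg$n.sig" "msg$n.txt"
  done
)

# find_modified DIR: print every message whose signature does not verify.
# Only mypublic.pem is needed here; the private key stays with the signer.
find_modified() (
  cd "$1" || exit 1
  for n in 1 2 3; do
    openssl dgst -sha256 -verify mypublic.pem -signature "msg$n.sig" \
      "msg$n.txt" >/dev/null 2>&1 || printf 'msg%s.txt\n' "$n"
  done
)
```

Changing a single character of a message, or attaching the signature of a different message, makes that file appear in the output of find_modified.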
44. 1. Create three messages. Sign all of them. Slightly modify one or
two of them, and send them to your partner, together with the
signatures. Ask him/her to determine which messages were
modified.
2. 1. Create a text file
   2. Compute message digest functions with MD5
   3. Change the text
   4. Compute message digest functions again with MD5
   5. Compute message digest functions with SHA-1
3. Design and implement a Certificate Authority for any company you
prefer (working on the same institution is forbidden)!
Mini-Project (20%)