# Work of week #11: Public-Key Infrastructure (PKI) Lab

###### tags: `feup`

## Task 1

The following command was executed in order to generate the certificates:

```bash
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
    -keyout ca.key -out ca.crt \
    -subj "/CN=www.modelCA.com/O=Model CA LTD./C=US" \
    -passout pass:dees
```

This resulted in the creation of `ca.crt` and `ca.key`:

```bash
[01/20/22]seed@VM:~/.../lab$ ls
ca.crt  ca.key
```

#### What part of the certificate indicates this is a CA’s certificate?

```
Issuer: CN = www.modelCA.com, O = Model CA LTD., C = US
Subject: CN = www.modelCA.com, O = Model CA LTD., C = US
```

#### What part of the certificate indicates this is a self-signed certificate?

Subject and Authority key identifiers are the same.

```
X509v3 extensions:
    X509v3 Subject Key Identifier:
        A5:0A:84:53:EF:91:FA:13:77:4B:DA:50:94:82:79:88:A2:A9:3B:40
    X509v3 Authority Key Identifier:
        keyid:A5:0A:84:53:EF:91:FA:13:77:4B:DA:50:94:82:79:88:A2:A9:3B:40
```

#### In the RSA algorithm, we have a public exponent e, a private exponent d, a modulus n, and two secret numbers p and q, such that n = pq. Please identify the values for these elements in your certificate and key files.

- public exponent ( e ):

```
65537 (0x10001)
```

- private exponent ( d ):
- modulus ( n ):
- secret number ( p ):
- secret number ( q ):

## Task 2

After running:

```
openssl req -newkey rsa:2048 -sha256 \
    -keyout server.key \
    -out server.csr \
    -subj "/CN=www.bank32.com/O=Bank32 Inc./C=US" \
    -passout pass:dees \
    -addext "subjectAltName = DNS:www.bank32.com,\
                              DNS:www.bank32A.com,\
                              DNS:www.bank32B.com"
```

The `server.csr` and `server.key` files were created:

```
[01/20/22]seed@VM:~/.../lab$ ls
ca.crt  ca.key  server.csr  server.key
```

## Task 3

After running:

```
openssl ca -config myCA_openssl.cnf -policy policy_anything \
    -md sha256 -days 3650 \
    -in server.csr -out server.crt -batch \
    -cert ca.crt -keyfile ca.key
```

```
openssl x509 -in server.crt -text -noout
```

We can verify the distinct **Subject Alternative Names** that were defined in the previous task:

```
X509v3 Subject Key Identifier:
    66:2C:F2:84:7E:AF:C6:B7:2D:14:56:44:57:67:24:7B:3F:CF:ED:C9
X509v3 Authority Key Identifier:
    keyid:A5:0A:84:53:EF:91:FA:13:77:4B:DA:50:94:82:79:88:A2:A9:3B:40
X509v3 Subject Alternative Name:
    DNS:www.bank32.com, DNS:www.bank32A.com, DNS:www.bank32B.com
```

## Task 4

Steps used to create the HTTP server:

```
root@4ae091d81640:/etc/apache2/sites-available# cat bank32_apache_ssl.conf
<VirtualHost *:443>
    DocumentRoot /var/www/bank32
    ServerName www.bank32.com
    ServerAlias www.bank32A.com
    ServerAlias www.bank32B.com
    ServerAlias www.bank32W.com
    DirectoryIndex index.html
    SSLEngine On
    SSLCertificateFile /certs/bank32.crt
    SSLCertificateKeyFile /certs/bank32.key
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/bank32
    ServerName www.bank32.com
    DirectoryIndex index_red.html
</VirtualHost>

# Set the following gloal entry to suppress an annoying warning message
ServerName localhost
```

```
root@4ae091d81640:/lab# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
root@4ae091d81640:/lab# a2ensite bank32_apache_ssl
Site bank32_apache_ssl already enabled
```

```
root@4ae091d81640:/lab# service apache2 start
 * Starting Apache httpd web server apache2
Enter passphrase for SSL/TLS keys for www.bank32.com:443 (RSA):
 *
```

After this, it was possible to access the website:

![](https://i.imgur.com/1GxwlWl.png)

As we can see, the access is not secure. After adding the certificate `image_www/certs/modelCA.crt`, we now have secure access.

![](https://i.imgur.com/EfCBccE.png)

Zoomed:

![](https://i.imgur.com/Z6LZESw.png)

## Task 5

```
[01/20/22]seed@VM:~/.../lab$ cat /etc/hosts
...
10.9.0.80 www.bank32.com
10.9.0.80 www.example.com
```

After adding `www.example.com` as a host and accessing it, we obtain the following result:

![](https://i.imgur.com/LoW6m2S.png)

As expected, the secure communication is lost, since the domain `www.example.com` was not taken into consideration when the certificates were created with the option:

```
-addext "subjectAltName = DNS:www.bank32.com,\
                          DNS:www.bank32A.com,\
                          DNS:www.bank32B.com"
```

## Task 6

We simulate a DNS cache poisoning attack (an attack on a DNS server that redirects a name to a different server):

```
[01/20/22]seed@VM:~/.../lab$ cat /etc/hosts
...
10.9.0.80 www.bank32.com
10.9.0.80 www.example.com
10.9.0.80 www.instagram.com
```

After this, we add `www.instagram.com` to the certificate DNS values:

```
openssl req -newkey rsa:2048 -sha256 -keyout server.key -out server.csr -subj "/CN=www.bank32.com/O=Bank32 Inc./C=US" -passout pass:dees -addext "subjectAltName = DNS:www.bank32.com, DNS:www.bank32A.com, DNS:www.bank32B.com, DNS:www.instagram.com"
```

```
openssl ca -config myCA_openssl.cnf -policy policy_anything -md sha256 -days 3650 -in server.csr -out server.crt -batch -cert ca.crt -keyfile ca.key
```

After this, the certificate is copied to the container volumes and the certificates are added to the Apache server configuration:

```
root@4ae091d81640:/volumes# cat /etc/apache2/sites-available/bank32_apache_ssl.conf
<VirtualHost *:443>
    DocumentRoot /var/www/bank32
    ServerName www.bank32.com
    ServerAlias www.bank32A.com
    ServerAlias www.bank32B.com
    ServerAlias www.bank32W.com
    DirectoryIndex index.html
    SSLEngine On
    SSLCertificateFile /volumes/server.crt
    SSLCertificateKeyFile /volumes/server.key
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/bank32
    ServerName www.bank32.com
    DirectoryIndex index_red.html
</VirtualHost>

# Set the following gloal entry to suppress an annoying warning message
ServerName localhost
```

After this, and after adding the created `ca.crt` (the entity that signed `server.crt`) to the browser, a user who tries to access `www.instagram.com` reaches our website over a secure connection:

![](https://i.imgur.com/yjpwzQr.png)

Zoomed:

![](https://i.imgur.com/oW3crEk.png)
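
The outcomes of Tasks 4 to 6 follow from two checks the TLS client makes: is the issuer trusted, and does the requested hostname appear in the certificate's Subject Alternative Name list. The sketch below is an added example, not part of the lab or of any browser's code; the function names are hypothetical, and trust is modelled as the issuer CN being present in a set, whereas a real client verifies the signature chain.

```python
# Added illustration (not from the lab): the two checks a TLS client applies
# to the certificates built in Tasks 2-6. Function names are hypothetical, and
# "trusted" is modelled as the issuer CN being in the trust store; a real
# client verifies the signature chain instead.

# SAN lists copied from the page's `openssl req -addext` commands.
SAN_TASK2 = ["www.bank32.com", "www.bank32A.com", "www.bank32B.com"]
SAN_TASK6 = SAN_TASK2 + ["www.instagram.com"]
MODEL_CA = "www.modelCA.com"  # CN of the lab CA created in Task 1


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN dNSName entry with the requested hostname.

    Comparison is case-insensitive and label by label; "*" is accepted only
    as the complete left-most label, so it never spans a dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def client_verdict(hostname, san, issuer_cn, trust_store):
    """Return what the browser concludes for this hostname and certificate."""
    if issuer_cn not in trust_store:
        return "untrusted issuer"
    if not any(dns_name_matches(name, hostname) for name in san):
        return "hostname mismatch"
    return "secure"


if __name__ == "__main__":
    cases = [
        ("www.bank32.com", SAN_TASK2, set()),          # Task 4, CA not yet imported
        ("www.bank32.com", SAN_TASK2, {MODEL_CA}),     # Task 4, CA imported
        ("www.bank32W.com", SAN_TASK2, {MODEL_CA}),    # ServerAlias only, not in SAN
        ("www.example.com", SAN_TASK2, {MODEL_CA}),    # Task 5
        ("www.instagram.com", SAN_TASK6, {MODEL_CA}),  # Task 6, client trusts lab CA
        ("www.instagram.com", SAN_TASK6, set()),       # Task 6, lab CA not trusted
    ]
    for host, san, store in cases:
        print(f"{host:20} {client_verdict(host, san, MODEL_CA, store)}")
```

The last case shows why Task 6 depends on the browser trusting `ca.crt`: without that trust anchor the redirected site is rejected even though the name is in the SAN list. The `www.bank32W.com` case shows that an Apache `ServerAlias` alone does not make a name valid for the certificate.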