Tasks

This homework is assessed. You need to use OpenSSL to perform the following steps. I will test using OpenSSL version 1.0.1 14 Mar 2012. Examples of the OpenSSL commands are given below. For further description of the commands and what they do, see here.

1. Create your own 2048-bit RSA key pair.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out privkey-ID.pem

2. Create a Certificate Signing Request.

openssl req -new -key privkey-ID.pem -out req-ID.csr

The CSR must include the following information:

Country: TH
State: Pathumthani
Locality: Bangkadi
Organisation: SIIT
Organisational Unit: ICT
Common Name: your student ID, e.g. 5000000000
Email: empty or your email address
Password: empty (just press Enter)

3. Send the CSR to the CA. The CA will sign and send you a certificate. See below for how to send and receive messages.

4. Verify your certificate. The CAs certificate is cert-CA.pem.

openssl verify -CAfile cert-CA.pem cert-ID.pem

5. You are allocated a partner. The ID of your partner is in the file partner-ID.txt (it is only available after you have successfully created a certificate). Download your partners certificate and verify it.

6. Generate a random secret key to share with your partner. You will use AES-128-CBC and therefore need a 128-bit key. Use an IV of all 0's, e.g. 00000000000000000000000000000000.

openssl rand 16 -hex

7. Save the secret key in a file called key-ID.txt (make sure the only thing inside this file is the exact secret key; do not include any other text, do not include the IV). Encrypt to create the file key-ID.bin and send key-ID.bin to your partner.

openssl pkeyutl -encrypt -in key-ID.txt -certin -inkey cert-X.pem -out key-ID.bin

8. Once your partner successfully receives the shared secret key, they will use it (and AES-128-CBC) to send a message in the file message-ID.bin. Decrypt and read the message, and follow the instructions to complete the homework. To sign a message (using SHA1 as the hash algorithm) you can use:

openssl pkeyutl -sign -in result-ID.txt -inkey privkey-ID.pem -out sign-ID.bin

Although you don't need to verify the signature, if you want to test that it works, verification can be performed with:

openssl pkeyutl -verify -in result-ID.txt -sigfile sign-ID.bin -certin -inkey cert-ID.pem

Sending Messages

In this homework you "send" messages by copying them from your computer to the ICT server. The CA and your partner will "send" you messages by making them available for you to download from the ICT server. For example, to send your Certificate Signing Request to the CA, you upload your req-ID.csr file to the ICT server.

Note that your partner is not real. I am acting as both the CA and your partner.

Normally the response from the CA/partner will be automatic, i.e. after you upload a file, within about 5 minutes a response file will be available for you to download. However if you upload the wrong file, then there will be no response file. See below for diagnosing errors.

How to download from the ICT server?

All files sent by the CA or your partner will be available for download using a web browser from:
http://ict.siit.tu.ac.th/css322/

How to upload to the ICT server?

You need to perform a secure copy of the file from your computer into a shared directory, /var/www/css322 on ict.siit.tu.ac.th. On Windows you can use WinSCP or FileZilla, which are GUI based secure file transfer applications, or use the command line with PuTTY. On Linux and Mac OSX you can use scp in a terminal. Some general help about accessing ICT server is available here. Remember that your username/password is the same as for Moodle.

The destination directory on ict.siit.tu.ac.th is /var/www/css322/. An example of using scp to copy file on your computer to the ICT server is below (the example is for the fake user u5000000000 - replace with your username).

$ scp file u5000000000@ict.siit.tu.ac.th:/var/www/css322/
Are you sure you want to continue connecting (yes/no)? yes
u5000000000@ict.siit.tu.ac.th's password: 
file                             100%   33     0.0KB/s   00:00

You may see some warnings about the host key or similar. You should accept them so that the file copies.

It may take a delay of up to 5 minutes from when you copy the file to the ICT server until when it is available for download via: http://ict.siit.tu.ac.th. If the file you copied to the server is still not available for download after 5 minutes, then try the copy again and make sure there are no error messages.

What if nothing happens? How do you know if there is an error?

There is a log file on at http://ict.siit.tu.ac.th/css322/log.txt that records all the operations performed by the CA/partner. If you see an ERROR message for you, then something has gone wrong. Some of the causes of the errors may be:

Certificate could not be created from CSR: The req-ID.csr file you uploaded to CA was incorrect. The CA could not create a certificate based on your request file. Make sure you use the correct command and that the information entered for the request is correct.
Could not decrypt secret: The key-ID.bin file you uploaded could not be decrypted by your partner. Make sure you use the correct key when encrypting. Hint: you are using public key cryptography to send a confidential message to your partner.
Could not create message correctly. Deleting key-ID.bin: The key-ID.bin was decrypted successfully, but most likely the original key-ID.txt file was in the wrong format. It MUST be a single line containing just the key. Do not include any other text, nor the IV.
Could not decrypt result: The result-ID.bin file you uploaded coult not be decrypted by your partner. Make sure you use the correct key and IV, as well as AES-128-CBC.
Signature is invalid: The sign-ID.bin file you uploaded was not correct for the result-ID.bin file submitted. Note that the signature is of the original plaintext (result-ID.txt), not the ciphertext (result-ID.bin).
Incorrect result submitted: The result was decrypted successfully and the signature is ok, but the value you included in the result file does not match the value your partner sent you. Make sure it is the exact string, it is on the first line of result-ID.txt and no other (special) characters are included.

See below for how to fix your mistakes.

How do you start again if you make a mistake?

If you have copied the wrong files to the ICT server and want to try again, then you can "reset" by copying the file reset-ID.txt to the /var/www/css322 directory on ICT server (it doesn't matter what the contents of the file reset-ID.txt). After about 5 minutes, all your files on ICT server will be deleted and you can start again. Resetting will not result in a penalty.

Submission

You do not need to submit any files on Moodle. The files that you copied to ICT server will be considered your submission. However there are some files (like your private key) that you do not copy to the ICT server. You should make sure you save all files you produce to complete the task, as I may ask for them when marking the homework (especially if you have done something wrong).