Security and Cryptography (S2, 2014)

Homework 5 - Secure Web Server

Overview

Create a certificate for a website, configure a web server to use HTTPS and study SSL by capturing packets.

Updates

New information/hints added since the original instructions:

Tasks

  1. Using virtnet, create a virtual network with client (browser), router and server
  2. Set up a demo website on the server
  3. Create a Certificate Signing Request and send it to the Certificate Authority (CA)
  4. Set up the web server to support HTTPS
  5. Test the website and study SSL

Detailed instructions for most of the tasks are here. Note that the instructions refer to an ID - you should replace it with your actual student ID. You do not need to set up the CA - I will act as the CA. See below for how to get a certificate from the CA. The instructions refer to www.myuni.edu - you will use a different domain name.

Obtaining a Certificate

To obtain a certificate you need to first create a Certificate Signing Request. See the OpenSSL commands in the instructions - they can be run either on the ICT server or on node3 in your virtual network. It is important to set the correct values in your CSR:

The Common Name is important: it must exactly match the domain you will use for the website. Since your website is in a virtual network, you may choose any domain you wish, as long as it is unique amongst all IT and CS students. (Since you don't know what other students choose, I suggest using your name in the domain, e.g. www.steve.com. Please do not use someone else's name.)

To send it to the CA, put the CSR file in your directory on the ICT server. For example, if your ID is 5012345678:

/home/students/u5012345678/public_html/private/cert-myuni-5012345678.csr

After several minutes, the CA will copy your CSR and generate a certificate. If successful, the certificate will be created in the file:

/home/students/u5012345678/public_html/private/cert-myuni-5012345678.pem

If unsuccessful, then there will be an error message placed in:

/home/students/u5012345678/public_html/private/error-5012345678.txt

or a similarly named file.

Once you have the certificate you can copy-and-paste the contents to a file on your nodes in the virtual network. This is easy as it is stored as a simple text file.
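As an added illustration of the CSR and certificate steps above (this script is not from the course instructions), the following generates a key and CSR whose Common Name is the chosen domain, prints the CN so it can be checked before sending, and then verifies the returned certificate against the CA and checks that its CN exactly matches the domain. It assumes openssl is installed; the domain, ID and file names are placeholders, and the throwaway CA it creates only stands in for the course CA so the checks can run offline.

```shell
#!/bin/sh
# Added example, not part of the homework page: make a CSR for the site's domain,
# inspect its CN, and check a signed certificate before using it in Apache.
# Assumes openssl is installed. DOMAIN and ID are placeholders.
set -eu

DOMAIN="www.steve.com"        # must equal the name used in /etc/hosts and default-ssl
ID="5012345678"               # placeholder student ID
WORK="${WORK:-$(mktemp -d)}"  # generated files are left here for inspection

# Generate a private key and a CSR for DOMAIN without interactive prompts.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/privkey-$ID.pem" \
    -out "$WORK/cert-myuni-$ID.csr" \
    -subj "/C=TH/O=MyUni/CN=$DOMAIN" >/dev/null 2>&1
}

# Print only the CN of a CSR, to compare with DOMAIN before sending it to the CA.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
    | sed -n 's/^ *CN *= *//p'
}

# Constructed stand-in for the course CA (in the homework the CA certificate is
# the one downloaded from the course page, and the CA signs the CSR for you).
make_demo_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" \
    -subj "/C=TH/O=Demo CA/CN=Demo CA" >/dev/null 2>&1
}

# Sign the CSR with the demo CA to produce cert-myuni-ID.pem.
sign_csr() {
  openssl x509 -req -in "$WORK/cert-myuni-$ID.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -days 30 -sha256 -out "$WORK/cert-myuni-$ID.pem" >/dev/null 2>&1
}

# Checks to run before putting the certificate into default-ssl:
# usage: verify_cert CERT CAFILE DOMAIN  (chain must verify, CN must equal DOMAIN)
verify_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
        | sed -n 's/^ *CN *= *//p')
  [ "$cn" = "$3" ]
}
```

A browser performs the same CN check against the URL it was given, so a certificate whose CN differs from the domain in /etc/hosts will produce a warning even when the CA signature is valid.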

Configuring the Web Server for HTTPS

See the instructions for deploying the fake www.myuni.edu website. You should use this website, however you must change the domain. The instructions refer to www.myuni.edu - replace this with your chosen domain. You only need to change the domain in the /etc/hosts file on all nodes and in the /etc/apache2/sites-available/default-ssl file on node3.

To set up HTTPS you will need the CA's certificate: download (right click and "Save link as", otherwise the certificate may be loaded into your browser)

Testing your Website

You must capture packets on the router (node2) and then, using the browser (e.g. lynx) on node1, visit the website using HTTPS. You should "login" to the website (e.g. using "5000000000" and "student" as username and password). Copy the capture file to your host computer and view the captured packets in Wireshark. You can filter for ssl to see the HTTPS packets. Study how SSL works. Can you see the username/password sent by the browser?

Submission

Your Certificate Signing Request and Certificate will be automatically copied for you when you put them on the ICT server. You must also submit the following:

  1. answers-ID.txt, based on this template, and including answers to the questions/values in the file. Some notes on the answers:
  2. https-ID.cap, a tcpdump capture on the router of at least one HTTPS exchange (i.e. HTTP request and response plus all SSL messages). The capture file you submit should be the file that you used to obtain answers.
