To experiment with using TLS and HTTPS, and also with symmetric and asymmetric key encryption.
For this part you will use TShark to print the data inside of packets sent to your VM via HTTP and HTTPS. To do this, you'll need two SSH windows. In one, start TShark looking for traffic on port 80 (which is used for HTTP):
$ tshark -f "port 80" -x
In the other window, download the home page from a site called http://www.httpvshttps.com/. We're using this site because (unlike most web sites) it supports both HTTP and HTTPS requests:
$ wget http://www.httpvshttps.com/
You should see a flurry of packets come through as the HTTP request is handled.
Next try the same thing but with HTTPS instead. To do this, listen to port 443 instead of 80 (443 is the standard HTTPS port), and change the wget request to use the https protocol instead.
Linux machines come with an
openssl command which can be used
for dealing with TLS keys and certificates. We can use the following command
to request the certificate from Wikipedia's HTTPS server:
$ openssl s_client -host wikipedia.org -port 443
This will print some information to the screen. You can hit Ctrl-D to exit. Look through the information and find the following:
The openssl command also allows us to create keys using a variety of ciphers. We can make a private RSA key using this command:
$ openssl genrsa -out private.pem 1024
After doing this look at the private.pem file which contains your key. This is a base 64 encoded number which represents the private RSA key. Base 64 is a compact way of encoding numbers. Base 16 adds the letters A-F to support 16 bases. Likewise base 64 uses upper-case and lower-case letters, digits and '+' and '/' to support 64 different symbols.
We can then use openssl to compute the public key which pairs with this private key using this command:
$ openssl rsa -in private.pem -outform PEM -pubout -out public.pem
You can then look at the public.pem file and see that it is also a base-64 number. Remember that going from the private key to the public key is easy, but going the other way is impossible!
We can encrypt a file using a public key and then decrypt it with the matching private key. For instance, download the file secret.txt which is just a plain text file with a message in it. Then use the following command to encrypt it with the public key you just made:
$ openssl rsautl -encrypt -inkey public.pem -pubin -in secret.txt -out secret.enc
Open up the file secret.enc and see if it is readable or not. It should be an encrypted version of the message from the text file.
This file can then only be decrypted using the private key. Do so like this:
$ openssl rsautl -decrypt -inkey private.pem -in test.enc -out out.txt
You should now see that the file "out.txt" contains the same message as the file "secret.txt". We have used the private key to decrypt the file which was encrypted with the public key.
RSA actually isn't normally used to directly encrypt and decrypt files. It can actually only be used to encrypt files which are smaller than the key itself (which was the case above). If we use it to try to encrypt a big file, we'll get this error:
$ openssl rsautl -encrypt -inkey public.pem -pubin -in large-file.txt -out large-file.enc RSA operation error 140011704329280:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:../crypto/rsa/rsa_pk1.c:125:
In order to accomplish this, we combine asymmetric encryption with regular symmetric encryption. The steps basically are this:
Below are the steps for doing this to encrypt a large file with the openssl command:
$ openssl rand -base64 32 > symmetric.key
$ openssl enc --aes-256-cbc -salt -in large-file.txt -out large-file.enc -pass file:symmetric.key
openssl rsautl -encrypt -inkey public.pem -pubin -in symmetric.key -out symmetric.key.enc
At this point, we would send "large-file.enc" and "symmetric.key.enc" to whoever we want to pass the message to. They can use the following commands to decrypt the file:
$ openssl rsautl -decrypt -inkey private.pem -in symmetric.key.enc -out decrypted.key
$ openssl enc -d --aes-256-cbc -in large-file.enc -out large-decrypted.txt -pass file:decrypted.key
For this lab, you will put the answers to the questions in parts 1 and 2 of the lab into a PDF document. You will then encrypt this document using the steps in part 4 of the lab.
You should use this public key file. I have the matching private key. You will then email me two files. The first is the encrypted copy of your answers, and the second is the file called "symmetric.key.enc". I will use my private key to decrypt this file, then use the key to decrypt the PDF file and recover your answers.
Email both files to firstname.lastname@example.org.
Copyright © 2022 Ian Finlayson | Licensed under a Creative Commons Attribution 4.0 International License.