Lab 8: TLS

Objective

To experiment with using TLS and HTTPS, and also with symmetric and asymmetric key encryption.

Part 1: Sniffing HTTP vs. HTTPS

For this part you will use TShark to print the data inside of packets sent to your VM via HTTP and HTTPS. To do this, you'll need two SSH windows. In one, start TShark looking for traffic on port 80 (which is used for HTTP):

$ tshark -f "port 80" -x

In the other window, download the home page from a site called http://www.httpvshttps.com/. We're using this site because (unlike most web sites) it supports both HTTP and HTTPS requests:

$ wget http://www.httpvshttps.com/

You should see a flurry of packets come through as the HTTP request is handled.

Next try the same thing but with HTTPS instead. To do this, listen to port 443 instead of 80 (443 is the standard HTTPS port), and change the wget request to use the https protocol instead.

Questions:

Can you read any text inside the packets which used HTTP?
Can you read any text inside the packets which used HTTPS?
Try the experiment again, but remove the -x flag from tshark. This will show just the packet info, but not the contents. Which protocol used more packets? Why do you think that is?

Part 2: Seeing Certificates

Linux machines come with an openssl command which can be used for dealing with TLS keys and certificates. We can use the following command to request the certificate from Wikipedia's HTTPS server:

$ openssl s_client -host wikipedia.org -port 443

This will print some information to the screen. You can hit Ctrl-D to exit. Look through the information and find the following:

Questions:

Which certificate authority does Wikipedia use?
What version of TLS is being used?
How many bits is the public key?

Part 3: Using Keys

The openssl command also allows us to create keys using a variety of ciphers. We can make a private RSA key using this command:

$ openssl genrsa -out private.pem 1024

After doing this look at the private.pem file which contains your key. This is a base 64 encoded number which represents the private RSA key. Base 64 is a compact way of encoding numbers. Base 16 adds the letters A-F to support 16 bases. Likewise base 64 uses upper-case and lower-case letters, digits and '+' and '/' to support 64 different symbols.

We can then use openssl to compute the public key which pairs with this private key using this command:

$ openssl rsa -in private.pem -outform PEM -pubout -out public.pem

You can then look at the public.pem file and see that it is also a base-64 number. Remember that going from the private key to the public key is easy, but going the other way is impossible!

We can encrypt a file using a public key and then decrypt it with the matching private key. For instance, download the file secret.txt which is just a plain text file with a message in it. Then use the following command to encrypt it with the public key you just made:

$ openssl rsautl -encrypt -inkey public.pem -pubin -in secret.txt -out secret.enc

Open up the file secret.enc and see if it is readable or not. It should be an encrypted version of the message from the text file.

This file can then only be decrypted using the private key. Do so like this:

$ openssl rsautl -decrypt -inkey private.pem -in test.enc -out out.txt

You should now see that the file "out.txt" contains the same message as the file "secret.txt". We have used the private key to decrypt the file which was encrypted with the public key.

Part 4: Encrypting and Decrypting Large Files

RSA actually isn't normally used to directly encrypt and decrypt files. It can actually only be used to encrypt files which are smaller than the key itself (which was the case above). If we use it to try to encrypt a big file, we'll get this error:

$ openssl rsautl -encrypt -inkey public.pem -pubin -in large-file.txt -out large-file.enc 
RSA operation error
140011704329280:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:../crypto/rsa/rsa_pk1.c:125:

In order to accomplish this, we combine asymmetric encryption with regular symmetric encryption. The steps basically are this:

Create a random symmetric key (just a big random number).
Use this symmetric key to encrypt the file. Now the recipient will need the symmetric key in order to recover the file.
Use the recipient's public key to encrypt the symmetric key. Because the symmetric key is relatively small, this will work.
Send the recipient the encrypted file, and the key which was encrypted with their public key.
Only the recipient's private key can unlock the symmetric key, which in turn unlocks the file.

Below are the steps for doing this to encrypt a large file with the openssl command:

Generate a random symmetric key:

$ openssl rand -base64 32 > symmetric.key

Use this key to encrypt the large file:

$ openssl enc --aes-256-cbc -salt -in large-file.txt -out large-file.enc -pass file:symmetric.key

Use the public key to encrypt the symmetric key:

openssl rsautl -encrypt -inkey public.pem -pubin -in symmetric.key -out symmetric.key.enc

At this point, we would send "large-file.enc" and "symmetric.key.enc" to whoever we want to pass the message to. They can use the following commands to decrypt the file:

Unlock the symmetric key with our private key:

$ openssl rsautl -decrypt -inkey private.pem -in symmetric.key.enc -out decrypted.key

Use the symmetric key to unlock the file:

$ openssl enc -d --aes-256-cbc -in large-file.enc -out large-decrypted.txt -pass file:decrypted.key

Submitting

For this lab, you will put the answers to the questions in parts 1 and 2 of the lab into a PDF document. You will then encrypt this document using the steps in part 4 of the lab.

You should use this public key file. I have the matching private key. You will then email me two files. The first is the encrypted copy of your answers, and the second is the file called "symmetric.key.enc". I will use my private key to decrypt this file, then use the key to decrypt the PDF file and recover your answers.

Email both files to ifinlay@umw.edu.