Public Key Cryptography: The Learning Objective Of This Prob
The learning objective of this problem is for students to become familiar with key public key cryptography concepts, including public-key encryption, digital signatures, public-key certificates, certificate authorities (CAs), and authentication based on Public Key Infrastructure (PKI).
Students are required to set up an Ubuntu virtual machine environment with OpenSSL installed, create a root CA, generate and sign certificates for entities such as PKILabServer.com, and explore the use of these certificates in securing web communications. The exercise entails generating self-signed CA certificates, creating key pairs and CSRs, signing certificates with the CA, and deploying the certificates on a web server to understand SSL/TLS behavior and trust models.
Public Key Infrastructure (PKI) forms the backbone of secure electronic communication, providing mechanisms for authenticating identities and encrypting data through the use of digital certificates and certificate authorities (CAs). The process of establishing a PKI involves several steps, including setting up a trusted root CA, issuing certificates to end entities, and deploying these certificates within various communication protocols and applications.
Establishing a Root CA
At the core of a PKI is the root CA, a trusted entity responsible for issuing and managing digital certificates. In this exercise, students simulate a root CA by generating a self-signed certificate using OpenSSL. This involves creating a private key (ca.key) and a corresponding public key certificate (ca.crt) that is self-signed, which is then imported as a trusted root certificate into operating systems and web browsers.
The process begins with configuring OpenSSL by creating or utilizing an openssl.cnf configuration file. Essential directory structures are established as prescribed by the configuration, including directories for certificates, certificate revocation lists, and serial number management. Students generate the CA's private key and self-signed certificate using the command: openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf. This key pair will be used later to sign other entities' certificates, establishing trust relations within the PKI.
Creating Certificates for Entities
Following the root CA setup, the next step is issuing certificates to entities such as a server named PKILabServer.com. First, the entity generates a public/private key pair, with the private key protected by a password, using openssl genrsa -des3 -out server.key 1024. The 1024-bit size is a lab setting; RSA keys for real deployments should be at least 2048 bits. Then, the entity generates a Certificate Signing Request (CSR) with the command: openssl req -new -key server.key -out server.csr -config openssl.cnf, specifying the Common Name (CN) as "PKILabServer.com."
Once the CSR is obtained, it is signed by the root CA to produce a certificate for the server with: openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf. This signed certificate allows the server to present proof of identity during SSL/TLS handshakes, provided that clients trust the CA that issued it.
Using Certificates to Secure Web Communications
The final phase involves deploying the generated server certificate on a local web server to simulate HTTPS connections. The server's private key and certificate are combined into a single PEM file (server.pem), which is loaded into OpenSSL's s_server utility to simulate an HTTPS server. The command used is: openssl s_server -cert server.pem -www.
Accessing this server from a browser via localhost (127.0.0.1) or the hostname configured in /etc/hosts (PKILabServer.com) demonstrates the SSL/TLS handshake process. Since the certificate is signed by a private CA that the browser does not recognize, a warning appears. To resolve this, users manually import the CA's certificate (ca.crt) into the browser's trust store, allowing the browser to accept certificates issued by the custom CA.
Further experiments include changing name resolution by modifying /etc/hosts to map "PKILabServer.com" to 127.0.0.1 and observing that the name-mismatch warning may no longer appear when the domain name in the URL matches the certificate. Additionally, deliberately corrupting the server.pem file by altering a byte and restarting the server demonstrates how TLS connection warnings or failures alert the user to data integrity issues or potential tampering.
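The issuance steps and the browser experiments described above, as an added example that is not part of the original write-up: the script builds the CA and server certificate with the same OpenSSL subcommands, then uses openssl verify to stand in for the browser's chain and hostname checks. The CA name "Lab Root CA", the minimal openssl.cnf, the subjectAltName extension, the unencrypted 2048-bit keys, and the choice to tamper with the certificate's signature byte (rather than an arbitrary byte of server.pem) are assumptions made so it runs without prompts.

```sh
# Added example with constructed names; assumes OpenSSL 1.1.1 or later.
# Keys are unencrypted 2048-bit RSA so nothing prompts (the lab uses -des3, 1024).
HOST=PKILabServer.com

build_pki() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    # Files and directory that the [CA_default] section below points at.
    mkdir newcerts && : > index.txt && echo 1000 > serial || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
      '[dn]' 'commonName=Common Name' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
      '[ca]' 'default_ca=CA_default' '[CA_default]' 'database=index.txt' \
      'new_certs_dir=newcerts' 'serial=serial' 'default_md=sha256' \
      'default_days=30' 'policy=policy_any' '[policy_any]' 'commonName=supplied' \
      > openssl.cnf
    # Root CA: private key and self-signed certificate.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=Lab Root CA" \
      -keyout ca.key -out ca.crt -config openssl.cnf 2>/dev/null || exit 1
    # Server key pair and CSR with the CN the lab specifies.
    openssl genrsa -out server.key 2048 2>/dev/null || exit 1
    openssl req -new -key server.key -subj "/CN=$HOST" -out server.csr \
      -config openssl.cnf || exit 1
    # CA signs the CSR; SAN added because current browsers ignore the CN for names.
    echo "subjectAltName=DNS:$HOST" > san.ext
    openssl ca -batch -notext -in server.csr -out server.crt -cert ca.crt \
      -keyfile ca.key -extfile san.ext -config openssl.cnf 2>/dev/null || exit 1
    cat server.key server.crt > server.pem )
}

# Chain check a client makes once ca.crt is trusted ($2 = certificate file name).
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/${2:-server.crt}" >/dev/null 2>&1; }
# Name check: does the certificate cover the hostname the client asked for?
host_ok() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

tamper() {  # writes $1/tampered.crt: server.crt with its last signature byte changed
  ( cd "$1" || exit 1
    openssl x509 -in server.crt -outform DER -out s.der || exit 1
    last=$(tail -c 1 s.der | od -An -tu1 | tr -d ' \n')
    { head -c $(($(wc -c < s.der) - 1)) s.der
      printf "\\$(printf '%03o' $((last ^ 1)))"; } > t.der
    openssl x509 -inform DER -in t.der -out tampered.crt )
}

d=$(mktemp -d) && build_pki "$d" && tamper "$d" || exit 1
chain_ok "$d" && echo "server.crt chains to ca.crt"
host_ok "$d" "$HOST" && echo "$HOST matches the certificate"
host_ok "$d" localhost || echo "localhost does not match the certificate"
chain_ok "$d" tampered.crt || echo "tampered.crt fails signature verification"
```

The resulting server.pem can be passed to openssl s_server -cert server.pem -www as in the lab; the localhost mismatch is the same condition a browser reports when the URL's hostname is not the name in the certificate.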
Overall, this exercise illustrates fundamental PKI procedures: certificate creation, signing, deployment, trust establishment, and the importance of certificate integrity. It emphasizes understanding how browsers verify server certificates and the significance of trusted Certificate Authorities in fostering secure online communications.