Computer and Network Security: Practical Session

This document discusses encryption using DES, RSA, and digital certificates with OpenSSL. It begins with an introduction to OpenSSL and an overview of the SSL/TLS protocols. It then covers: 1. Symmetric encryption with DES using OpenSSL commands like enc to encrypt and decrypt files. It also shows how to create and print encryption keys. 2. RSA encryption with OpenSSL, including generating key pairs with genrsa, viewing keys with rsa, exporting the public key, and encrypting/decrypting data with rsautl. 3. Creating and verifying digital certificates with OpenSSL commands like req and x509 to sign certificate requests.

Uploaded by eyasu

COMPUTER AND NETWORK SECURITY
Practical session

Outline
• Encryption using DES
• Encryption using RSA
• Combination of DES and RSA
• Digital Signature
• Digital Certificate

DES, RSA and Certificates with openSSL
1. Presentation of OpenSSL
Protocol SSL
• The SSL protocol (Secure Socket Layer) was developed by Netscape to allow client/server applications to communicate securely.
• TLS (Transport Layer Security) is the evolution of SSL standardized by the IETF.
• SSL is a protocol placed between TCP/IP and the applications that use TCP (it sits roughly at the "session layer" of the OSI model).

• An SSL session proceeds in two steps:
– A handshake phase, where client and server authenticate each other (with X509 certificates) and agree on a ciphering scheme and the corresponding key
– The communication itself, where the exchanged data are compressed, encrypted and signed

DES, RSA and Certificates with openSSL
1. Presentation of OpenSSL
openSSL
• openSSL is a toolbox of cryptographic functions implementing SSL and TLS. It provides:
1. A C library for building client/server applications that use SSL/TLS
2. A command line tool (openssl) allowing
– Creation of RSA and DSA keys
– Creation of X509 certificates
– Digest computation (MD5, SHA, …)
– Ciphering and deciphering (DES, IDEA, RC2, RC4, Blowfish, …)
– Tests of SSL/TLS clients and servers
– Signature and ciphering of mail (S/MIME, Secure Multi-Purpose Internet Mail Extensions)

• To know everything about OpenSSL: man openssl
• The general syntax of openssl is:
openssl> <command> <options>
• Here openssl> is the prompt of the interactive shell obtained by running openssl with no arguments; the same command can also be typed directly from the system shell as openssl <command> <options>.

DES, RSA and Certificates with openSSL
2. Symmetric encryption with openSSL
Basic commands
• To encrypt a file with openssl using DES encryption (here triple DES, des-ede3-cbc):
openssl> enc -des3 -in file -out file2
• The result is in the file file2.
• To decrypt the same file:
openssl> enc -des3 -d -in file2 -out filedecrypted
(here, file and filedecrypted should have the same content)

• By default, you have to type a password to protect the encryption.
• This password is the generator of the symmetric key.
• To avoid being prompted for the password, you can use one of the two following options:
– -pass pass:hen (if hen is your password; note that the password then appears on the command line and in the shell history)
– -pass file:filePassword (if the file filePassword contains your password on its first line)

DES, RSA and Certificates with openSSL
2. Symmetric encryption with openSSL
Create and print keys
• To create a symmetric key:
openssl> enc -des3 -P
• This command asks for the password.
• It generates a key, starting from the password and a random "salt".
– The salt is there so that the same password does not always produce the same key.
• The command prints the salt used, the generated key and an initialization vector (iv) to be used with the key for encryption.

• The following command encrypts the file file1 to the file file2 with DES3, using the key key and the initialization vector vector (both given in hexadecimal). Note the upper-case -K: the lower-case -k option takes a password, not a raw key.
openssl> enc -des3 -in file1 -out file2 -K key -iv vector
Remarks:
• You can use openssl des3 directly (instead of openssl enc -des3).
• You can use base64 instead of des3.
– The file is then not ciphered, since base64 is only an encoding (clear text) that makes data independent of any architecture (useful when data are sent between different computers, OSs, networks, …).

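The commands of this section, scripted as an added example (it is not part of the slides): a round trip through openssl enc with a password-derived key, a second round trip that reuses the key and IV printed by -P through -K/-iv, and a check that a wrong password is rejected. It assumes the openssl command line tool is on PATH; the file names, contents and passwords are constructed for the demo, and AES-256-CBC with PBKDF2 is used instead of the slides' -des3 (set CIPHER=des3 to reproduce the slides exactly).

```shell
#!/bin/sh
# Added example, not part of the slides: `openssl enc` round trips in the two
# modes the section describes, a password-derived key (-pass) and an explicit
# raw key and IV (-K/-iv, as printed by -P). Assumes the openssl CLI is on PATH;
# every file name and content below is constructed for the demo.
set -eu

# The slides use -des3 (des-ede3-cbc). 3DES is a legacy 64-bit-block cipher;
# AES-256-CBC with PBKDF2 key derivation is the defensible default today.
# Set CIPHER=des3 to reproduce the slides exactly.
CIPHER="${CIPHER:-aes-256-cbc}"

# Encrypt file $1 to $2 with the password stored in file $3, decrypt $2 to $4.
# Prints "same" when the decrypted output equals the input, else "different".
enc_password_roundtrip() {
    in="$1"; ct="$2"; passfile="$3"; out="$4"
    openssl enc "-$CIPHER" -pbkdf2 -salt -in "$in" -out "$ct" -pass "file:$passfile"
    openssl enc "-$CIPHER" -pbkdf2 -d -in "$ct" -out "$out" -pass "file:$passfile"
    if cmp -s "$in" "$out"; then echo same; else echo different; fi
}

# Derive key and IV with -P (which prints salt=, key=, iv= and encrypts
# nothing), then reuse them through -K (upper case: hex key) and -iv.
# Prints "same"/"different" for the round trip.
enc_rawkey_roundtrip() {
    in="$1"; ct="$2"; passfile="$3"; out="$4"
    params=$(openssl enc "-$CIPHER" -pbkdf2 -P -pass "file:$passfile")
    key=$(printf '%s\n' "$params" | sed -n 's/^key=//p')
    iv=$(printf '%s\n' "$params" | sed -n 's/^iv=//p')
    openssl enc "-$CIPHER" -in "$in" -out "$ct" -K "$key" -iv "$iv"
    openssl enc "-$CIPHER" -d -in "$ct" -out "$out" -K "$key" -iv "$iv"
    if cmp -s "$in" "$out"; then echo same; else echo different; fi
}

# A wrong password must not quietly yield the plaintext: openssl normally
# fails on the padding check, and if the padding happens to look valid the
# output is garbage. Prints "rejected" in either case, "accepted" otherwise.
enc_wrong_password() {
    in="$1"; ct="$2"; goodpass="$3"; badpass="$4"; out="$5"
    openssl enc "-$CIPHER" -pbkdf2 -in "$in" -out "$ct" -pass "file:$goodpass"
    if openssl enc "-$CIPHER" -pbkdf2 -d -in "$ct" -out "$out" \
            -pass "file:$badpass" 2>/dev/null && cmp -s "$in" "$out"; then
        echo accepted
    else
        echo rejected
    fi
}

# Demo on constructed input (the slides' file names abe/kebe/selam).
WORK=$(mktemp -d)
printf 'Welcome to Jimma\n' > "$WORK/abe"
printf '123456\n' > "$WORK/pw"             # password file: first line is the password
printf 'not-the-password\n' > "$WORK/pw2"
echo "password round trip: $(enc_password_roundtrip "$WORK/abe" "$WORK/kebe" "$WORK/pw" "$WORK/selam")"
echo "raw key round trip:  $(enc_rawkey_roundtrip "$WORK/abe" "$WORK/mar" "$WORK/pw" "$WORK/mesr")"
echo "wrong password:      $(enc_wrong_password "$WORK/abe" "$WORK/kebe2" "$WORK/pw" "$WORK/pw2" "$WORK/bad")"
rm -rf "$WORK"
```

Reading the password from a file keeps it out of the process list and shell history, which is the reason to prefer -pass file: over -pass pass: in scripts.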
DES, RSA and Certificates with openSSL
3. RSA with openSSL
Generating key pairs
• To create a pair of keys, the genrsa command is used:
openssl> genrsa size
• Here, size is the size of the key in bits.
• To save this key in keyfile.pem, use the option -out keyfile.pem:
openssl> genrsa -out keyfile.pem size
• The format of the file is PEM (Privacy Enhanced Mail, a base64 format).

DES, RSA and Certificates with openSSL
3. RSA with openSSL
Visualizing RSA keys
• The command rsa allows you to visualize the content of a file (PEM format) containing an RSA key pair:
openssl> rsa -in keyfile.pem -text -noout
• The option -text asks for a decoded, human-readable dump of the key pair.
• The option -noout suppresses the normal (PEM) output of the rsa command.

• The different elements of the key are shown (size, modulus, exponents, primes, …).
• By default, we can see that the public exponent is always 65537 (the option -3 is the other choice and uses 3 as the public exponent).
• The three last numbers (exponent1, exponent2 and coefficient) are only used for optimization purposes (the CRT speed-up of private-key operations).

DES, RSA and Certificates with openSSL
3. RSA with openSSL
Ciphering the key file
• In the file, the private key is in clear text and could be extracted by anyone who can read the file.
• It is necessary to encrypt it.
– It can be done at the generation of the key (genrsa command), or
– at any time with the rsa command.
• In both cases, the option is -des, -des3 or -idea:
openssl> rsa -in keyfile.pem -des3 -out keyencrypted.pem

• The file keyencrypted.pem contains an encrypted version of the key, encrypted with the DES3 algorithm.
• Here a password is used to protect access to the key.

DES, RSA and Certificates with openSSL
3. RSA with openSSL
Exporting the public key
• The public key should be extracted from the file (encrypted or not), since this public key is what gets transmitted to others.
• The command rsa with the option -pubout exports the public part of the key:
openssl> rsa -in keyencrypted.pem -pubout -out publickey.pem

DES, RSA and Certificates with openSSL
3. RSA with openSSL
Visualizing the public part
• Check the content of the file publickey.pem.
• It is possible to display this public key using the rsa command with the -pubin option (to specify that the file contains a public key):
openssl> rsa -pubin -in publickey.pem -text -noout

DES, RSA and Certificates with openSSL
3. RSA with openSSL
Ciphering data with RSA
• To cipher data with an RSA key, use the command rsautl (RSA utility functions):
openssl> rsautl -encrypt -in inputfile -inkey keyfile.pem -out outputfile
• The inputfile is the file to encrypt (-encrypt).
• Caution: The file should not be too large for the key (116 bits for a 1024 bits key).
• The keyfile.pem contains the RSA key.
• If only the public key is in the file, the option -pubin must be used.

• To decrypt, replace the option -encrypt with -decrypt.
• The keyfile must then contain the private key:
openssl> rsautl -decrypt -in inputfile -inkey keyfile.pem -out outputfile

Practical session 1
Encrypting a file using DES

Encrypting a file using a DES algorithm
• Step 1: create a file named abe using:
[hen@localhost ~] cat >abe
Welcome to Jimma
• Then, change the command line into openssl using:
[hen@localhost ~] openssl
• Step 2: encrypt the file named abe into kebe using DES:
openssl> enc -des3 -in abe -out kebe
• It will then request you to enter a password:
enter des-ede3-cbc encryption password: 123456
verifying - enter des-ede3-cbc encryption password: 123456
• Then it creates the encrypted file named kebe.

Encrypting a file using DES…
• Step 3: Now to decrypt the encrypted file named kebe into another file named selam, use the following command:
openssl> enc -des3 -d -in kebe -out selam
enter des-ede3-cbc decryption password: 123456
• Now, the decrypted file named selam has been created.
• To see the decrypted file selam, go back to the command line:
[hen@localhost ~] cat selam
Welcome to Jimma

Creating and printing keys (DES)
• Step 1: To create a symmetric key, use:
openssl> enc -des3 -P
enter des-ede3-cbc encryption password: 123456
verifying - enter des-ede3-cbc encryption password: 123456
salt=CB832CAA53360439
key=065BD1FC9A761790B53F1410B3372176D99F06FBEC3FB7F3
iv=5DA7C1A98C9908DB
• Step 2: create a new file named hen
[hen@localhost ~] cat >hen
Hello Security World
• Then, change the command line into openssl using:
[hen@localhost ~] openssl

Creating and printing keys (DES)
• Step 3: use the key (-K) and initialization vector (-iv) to encrypt the file named hen to the file named mar with DES3:
openssl> enc -des3 -in hen -out mar -K 065BD1FC9A761790B53F1410B3372176D99F06FBEC3FB7F3 -iv 5DA7C1A98C9908DB
• Now, the encrypted file named mar has been created.
• To decrypt the encrypted file mar into another file named mesr:
openssl> enc -des3 -d -in mar -out mesr -K 065BD1FC9A761790B53F1410B3372176D99F06FBEC3FB7F3 -iv 5DA7C1A98C9908DB
• To see the content of mesr:
[hen@localhost ~] cat mesr
Hello Security World

Practical session 2
Encrypting files using RSA

Encrypting files using RSA
• Step 1: Create a pair of keys:
openssl> genrsa 512
Generating RSA private key, 512 bit long modulus
...........++++++++
...............++++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIIB0QI…
-----END RSA PRIVATE KEY-----
• Note: 512 is the size of the key in bits (far too small for real use, where 2048 bits is the current minimum; it is used here only to keep the demo fast).

Encrypting files using RSA
• Step 2: save the key in a file named privatekey.pem
openssl> genrsa -out privatekey.pem 512
Generating RSA private key, 512 bit long modulus
..+++++++++++++++
....................++++++++++
e is 65537 (0x10001)

Encrypting files using RSA
• Step 3: To visualize the content of privatekey.pem containing the RSA key pair:
openssl> rsa -in privatekey.pem -text -noout
Private-Key: (512 bit)
modulus:
    00:d9:e0:58: ...
publicExponent: 65537 (0x10001)
privateExponent:
    6b:11:72: ...
prime1:
    00:f5: ...
prime2:
    00:e2: ...
exponent1:
    00:cd: ...
exponent2:

Encrypting files using RSA
• Step 4: Encrypt the private key using the following command:
openssl> rsa -in privatekey.pem -des3 -out privatekey_encrypted.pem
writing RSA key
Enter PEM pass phrase: 123456
Verifying - Enter PEM pass phrase: 123456
• Now the private key privatekey.pem is encrypted as privatekey_encrypted.pem.
• The password 123456 is used to protect access to the key.

Encrypting files using RSA
• Step 5: Extract the public key from the encrypted file privatekey_encrypted.pem:
openssl> rsa -in privatekey_encrypted.pem -pubout -out publickey.pem
Enter pass phrase for privatekey_encrypted.pem: 123456
writing RSA key
• Step 6: visualize the public key
openssl> rsa -pubin -in publickey.pem -text -noout
or
[hen@localhost ~] cat publickey.pem
-----BEGIN PUBLIC KEY-----
MFww…
-----END PUBLIC KEY-----

Encrypting files using RSA
• Step 7: cipher the file kidus with the RSA public key into a file named yosef:
[hen@localhost ~] cat >kidus
Ciphering file with RSA demo
[hen@localhost ~] openssl
openssl> rsautl -encrypt -in kidus -pubin -inkey publickey.pem -out yosef
• Step 8: decrypt the encrypted file named yosef into hana:
openssl> rsautl -decrypt -in yosef -inkey privatekey.pem -out hana
[hen@localhost ~] cat hana
Ciphering file with RSA demo

DES, RSA and Certificates with openSSL
Exercise 1:
• Cipher a file with a symmetric algorithm of your choice (DES). Cipher the symmetric key with the RSA public key of your left/right neighbour (ask for it on a USB key if you don't have it). Send your neighbour the encrypted file and the encrypted symmetric key.

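The hybrid scheme of Exercise 1, scripted for both parties as an added example that is not part of the slides: the sender draws a fresh random symmetric key, encrypts the file with it and encrypts that key with the recipient's RSA public key; the recipient unwraps the key with the private key and decrypts the file. It assumes the openssl command line tool is on PATH; key, file and participant names are constructed, AES-256-CBC stands in for the slides' DES, and the RSA wrapping uses OAEP padding through pkeyutl rather than rsautl.

```shell
#!/bin/sh
# Added example, not part of the slides: the hybrid scheme of Exercise 1,
# scripted for both parties. The sender draws a fresh random symmetric key,
# encrypts the file with it, and encrypts that key with the recipient's RSA
# public key; the recipient unwraps the key with the private key and decrypts
# the file. Assumes the openssl CLI on PATH; names and contents are constructed.
set -eu

# Recipient side: create the key pair ($1 private) and publish the public half ($2).
hybrid_keygen() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Sender side: encrypt file $1 for the holder of public key $2, producing
# $3 (the file ciphertext) and $4 (the RSA-wrapped symmetric key).
# AES-256-CBC stands in for the slides' DES; a fresh 256-bit key and 128-bit
# IV are drawn for every message, and the IV (32 hex characters) is stored in
# front of the ciphertext, since it does not need to be secret.
hybrid_encrypt() {
    in="$1"; pub="$2"; ct="$3"; wrapped="$4"
    key=$(openssl rand -hex 32)
    iv=$(openssl rand -hex 16)
    printf '%s' "$iv" > "$ct"
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$in" >> "$ct"
    # Wrap the symmetric key with RSA-OAEP (pkeyutl is the maintained rsautl).
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -out "$wrapped"
}

# Recipient side: unwrap the key in $3 with private key $2, decrypt $1 into $4.
# Prints "ok" on success, "failed" if the key cannot be unwrapped (wrong key).
hybrid_decrypt() {
    ct="$1"; priv="$2"; wrapped="$3"; out="$4"
    if ! key=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$wrapped" \
                 -pkeyopt rsa_padding_mode:oaep 2>/dev/null); then
        echo failed; return 0
    fi
    iv=$(dd if="$ct" bs=32 count=1 2>/dev/null)
    tail -c +33 "$ct" | openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -out "$out"
    echo ok
}

# Prints "same" if files $1 and $2 have identical content, else "different".
same_content() { if cmp -s "$1" "$2"; then echo same; else echo different; fi; }

# Demo: a message for Bob; a second key pair shows that another private key
# cannot unwrap the symmetric key.
WORK=$(mktemp -d)
hybrid_keygen "$WORK/bob.key" "$WORK/bob.pub"
hybrid_keygen "$WORK/other.key" "$WORK/other.pub"
printf 'Welcome to Jimma\n' > "$WORK/msg"
hybrid_encrypt "$WORK/msg" "$WORK/bob.pub" "$WORK/msg.enc" "$WORK/key.enc"
echo "bob:   $(hybrid_decrypt "$WORK/msg.enc" "$WORK/bob.key" "$WORK/key.enc" "$WORK/msg.bob") $(same_content "$WORK/msg" "$WORK/msg.bob")"
echo "other: $(hybrid_decrypt "$WORK/msg.enc" "$WORK/other.key" "$WORK/key.enc" "$WORK/msg.other")"
rm -rf "$WORK"
```

Only the wrapped key (key.enc) and the ciphertext (msg.enc) travel to the recipient; the symmetric key exists in clear only inside the two processes that use it.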
Signature of files
• Only small documents can be signed directly with RSA. Therefore, we first compute the hash of the document, using the dgst command:
openssl> dgst -hashfunction -out fingerprint inputfile
• where hashfunction is the hash function to use.
– It can be MD5 (-md5 option) for a 128 bit fingerprint, SHA1 (-sha1) for a 160 bit fingerprint, …
• To sign a document, we sign the fingerprint with the command rsautl and the option -sign:
openssl> rsautl -sign -in fingerprint -inkey privatekey.pem -out signature

Signature of files…
• To verify a signature, we use the option -verify:
openssl> rsautl -verify -in signature -pubin -inkey publickey.pem -out fingerprint
• Note: the -pubin option tells rsautl that the key file holds the public key.
• Exercise 2: Sign any file of your choice, and verify the signature.
• Step 1: First create a file named signdemo
[hen@localhost ~] cat >signdemo
Signature of files demo

Signature of files
• Step 2: compute the hash of the file named signdemo using the dgst command:
openssl> dgst -md5 -out fingerprint signdemo
• Step 3: write the following command to see the fingerprint
[hen@localhost ~] cat fingerprint
MD5(signdemo)= 7b36eeb717bc9b8b19b4c35cbc4ed0d5
• Step 4: To sign the document signdemo, sign the fingerprint using the rsautl command and the option -sign:
openssl> rsautl -sign -in fingerprint -inkey privatekey.pem -out signature

Signature of files
• Step 5: verify the signature, using the option -verify:
openssl> rsautl -verify -in signature -pubin -inkey publickey.pem -out fingerprint
Exercise 1
• Create three messages. Sign all of them. Slightly modify one or two of them, and send them to your lab partner, together with the signatures. Ask him/her to determine which messages were modified.

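Signing and verification as an added example that is not part of the slides, covering the steps above and the modified-message exercise. It follows the slides' idea (hash, then RSA-sign the hash) with the maintained commands: dgst -sign/-verify does both steps at once, and a two-step variant with pkeyutl signs the raw binary digest. Note that the slides' own variant signs the text line "MD5(signdemo)= ..." as an opaque blob with rsautl -sign, which only rsautl -verify can check; the signatures below are standard PKCS#1 v1.5 signatures over SHA-256 that any verifier accepts. It assumes the openssl command line tool is on PATH; file names and contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the slides: file signing and verification as the
# slides describe it (hash, then RSA-sign the hash), written with the
# maintained commands. `dgst -sign`/`dgst -verify` does both steps at once;
# the two-step variant with pkeyutl signs the raw binary digest. Assumes the
# openssl CLI on PATH; file names and contents are constructed for the demo.
set -eu

# Print the hex digest of file $1 with hash $2 (md5, sha1, sha256, ...).
digest_hex() {
    openssl dgst "-$2" "$1" | sed 's/^.*= *//'
}

# Sign file $1 with private key $2 into $3 (SHA-256, PKCS#1 v1.5, one step).
sign_file() {
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# Verify signature $3 over file $1 with public key $2; prints "valid"/"invalid".
verify_file() {
    if openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Two-step form of the same signature: write the raw digest to a fingerprint
# file, then sign the fingerprint with pkeyutl. -pkeyopt digest:sha256 makes
# pkeyutl wrap the 32 raw bytes in the DigestInfo structure dgst -sign uses,
# so the result verifies with verify_file above.
sign_fingerprint() {
    in="$1"; priv="$2"; sig="$3"; fp="$3.fingerprint"
    openssl dgst -sha256 -binary -out "$fp" "$in"
    openssl pkeyutl -sign -in "$fp" -inkey "$priv" -pkeyopt digest:sha256 -out "$sig"
}

# Demo on constructed input, including the modified-message check of the
# exercise and the MD5/SHA-1/SHA-256 digests before and after a change.
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/privatekey.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/privatekey.pem" -pubout -out "$WORK/publickey.pem" 2>/dev/null
printf 'Signature of files demo\n' > "$WORK/signdemo"
for h in md5 sha1 sha256; do echo "$h: $(digest_hex "$WORK/signdemo" "$h")"; done
sign_file "$WORK/signdemo" "$WORK/privatekey.pem" "$WORK/signature"
echo "original:  $(verify_file "$WORK/signdemo" "$WORK/publickey.pem" "$WORK/signature")"
printf 'Signature of files demo!\n' > "$WORK/signdemo.modified"
echo "modified:  $(verify_file "$WORK/signdemo.modified" "$WORK/publickey.pem" "$WORK/signature")"
echo "md5 after change: $(digest_hex "$WORK/signdemo.modified" md5)"
sign_fingerprint "$WORK/signdemo" "$WORK/privatekey.pem" "$WORK/signature2"
echo "two-step:  $(verify_file "$WORK/signdemo" "$WORK/publickey.pem" "$WORK/signature2")"
rm -rf "$WORK"
```

A one-character change to the message flips the verdict from valid to invalid, which is what the lab partner in the exercise relies on. SHA-256 is used here because MD5 and SHA-1 are no longer collision resistant and should not anchor new signatures.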
Signature of files
Exercise 2
1. Create a text file
2. Compute its message digest with MD5
3. Change the text
4. Compute the message digest again with MD5
5. Compute the message digest with SHA-1

Digital Certificates
• The Secure Socket Layer (SSL) protocol was created by Netscape to ensure secure transactions between web servers and browsers.
• The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction. In short, this is how it works:
1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
6. The web server sends back the requested html document and http data encrypted with the symmetric key.
7. The browser decrypts the http data and html document using the symmetric key and displays the information.

Certificates
• Preparation: Prepare a key pair (length 1024 bits), protected by a password.
• In the following, the file named keypair.pem is supposed to hold your key pair.
• Creation of a request for a certificate
• In addition to the public key, a certificate holds a number of other pieces of information, like the country (C), the organization (O), the common name (CN), …
• All this information will be asked for at the creation of the certificate request.

Certificates
• The command req builds a request for a certificate:
openssl> req -new -key keypair.pem -out myrequest.pem
• The result is a request, also in PEM format (check it!).
• The private key is used to sign this request, which proves to the CA that the issuer of the request holds the private key matching the public key placed in the request.
• It is possible to see the content of the request with the -text -noout options (like before!):
openssl> req -in myrequest.pem -text -noout
• Note: This request is NOT a certificate.

Certificates
• Request for certificates demo:
• Step 1: Create keypair.pem using asymmetric RSA.
openssl> genrsa -out keypair.pem 1024
• Step 2 (optional): protect keypair.pem using DES3 into kpair.pem
openssl> rsa -in keypair.pem -des3 -out kpair.pem
writing RSA key
Enter PEM pass phrase: 123456
Verifying - Enter PEM pass phrase: 123456
• Step 3: extract the public key from the encrypted file kpair.pem
openssl> rsa -in kpair.pem -pubout -out publickeynew.pem

Certificates
• Request for certificates demo:
• Step 4: create the request for certification:
openssl> req -new -key keypair.pem -out myrequest.pem
Enter pass phrase for keypair.pem: 123456
……
Country Name (2 letter code) [GB]: ET
State or Province Name (full name): Addis Ababa
Locality Name: Kolfe Keranio
Organization Name: AAU
Organizational Unit Name: AAIT
Common Name: Henock
Email Address: [email protected]
Challenge password: 123456
Optional company name: NGUC

Certificates
• Request for certificates demo:
• Step 5: see the content of the request
openssl> req -in myrequest.pem -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=et, ST=Addis Ababa, L=Kolfe Keranio, O=AAU, OU=AAIT, CN=Henock, emailAddress=[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:d2: …
                    Exponent: 65537 (0x10001)
        Attributes:
            unstructuredName: aau
            challengePassword: 123456
    Signature Algorithm: sha1WithRSAEncryption
        9f:65: …

Creation of a certificate
• This step is done by the CA. You are the CA for this work.
• To create and sign a certificate from a user request, the CA invokes the x509 command:
openssl> x509 -days 365 -CAserial Addis.srl -CA certificateAddis.pem -CAkey pkca.pem -in userrequest.pem -req -out CertificateSignedByCA.pem
• The options:
– -days 365: gives the lifetime (TTL) of the certificate
– -CAserial Addis.srl: gives the file holding the serial number of the certificate to create
– -CA certificateAddis.pem: specifies the CA certificate
– -CAkey pkca.pem: specifies the private key of the CA
– -in userrequest.pem: gives the file containing the request for a certificate, sent by a user to this CA
– -req: tells x509 that the input is a certificate request rather than a certificate

Creation of a certificate…
• Exercise 5: Create and sign a certificate from a user request.
• Step 1: create addis.srl
[hen@localhost ~] cat >addis.srl
123456
openssl> x509 -days 1000 -req -signkey privatekeyCA.pem -in myrequest.pem -out henockcertificate.pem
Signature ok
subject=/C=et/ST=Addis Ababa/L=Kolfe Keranio/O=AAU/OU=AAIT/CN=Henock/emailAddress=[email protected]
Getting Private key
• Note: here publickeyCA.pem is the public key of the CA and privatekeyCA.pem is the private key of the CA. With -signkey the certificate is self-signed (its issuer is its own subject); it serves as the CA certificate in the next step.

Creation of a certificate…
• Alternatively, it is also possible to create a certificate signed with the CA private key privatekeyCA.pem using the following command:
openssl> x509 -days 100 -CAserial addis.srl -CA henockcertificate.pem -CAkey privatekeyCA.pem -in myrequest.pem -req -out CertificateSignedByCAH.pem
Signature ok
subject=/C=et/ST=Addis Ababa/L=Kolfe Keranio/O=AAU/OU=AAIT/CN=Henock/emailAddress=[email protected]
Getting CA Private Key
Enter pass phrase for kpair.pem: 123456
• Note: Here privatekeyCA.pem is the private key of the CA.

Creation of a certificate…
• Step 2: verify the certificate
openssl> verify henockcertificate.pem
or
openssl> verify -CAfile henockcertificate.pem CertificateSignedByCAH.pem
openssl> verify -verbose -CAfile henockcertificate.pem CertificateSignedByCAH.pem
CertificateSignedByCAH.pem: /C=ET/ST=AddisAbaba/L=KolfeKeranio/O=AAU/OU=AAIT/CN=Henock/emailAddress=[email protected]
self signed certificate
OK
• Note: verify without -CAfile reports "self signed certificate" because the CA certificate is not in any trust store; -CAfile names the certificate to trust, and the certificate signed by that CA is then validated against it.
• To check the content of a certificate use the x509 command:
openssl> x509 -in henockcertificate.pem -text -noout

Creation of a certificate…
Exercise
• Create two certification authorities CA1 and CA2. CA1 is the root certification authority, and CA2 is certified by CA1. Create a certificate request and sign it with CA2.

Self-Signed Certificate: Example 2
// Generate a 2048 bit RSA private key
openssl> genrsa -out key.pem 2048
// Generate a Certificate Signing Request
openssl> req -new -sha256 -key key.pem -out csr.csr
// Visualize the certificate signing request
openssl> req -in csr.csr -text -noout
// Generate a self-signed x509 certificate from the request
openssl> req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
// Visualize the self-signed certificate
openssl> x509 -in certificate.pem -text -noout

Self-Signed Certificate: Example 3
Step 1: Generate an RSA private key (4096 bit) for the root CA and store it in rootca.key
openssl> genrsa -out rootca.key 4096
Step 2: Create the self-signed root CA certificate rootCA.crt
openssl> req -new -x509 -days 365 -key rootca.key -out rootCA.crt
Step 3: Create the intermediate CA, which will be used for the actual signing. First generate its key:
openssl> genrsa -out imca.key 2048
Step 4: Request a certificate for this intermediate CA
openssl> req -new -key imca.key -out imCA.csr

Self-Signed Certificate: Example 3…
Step 5: Process the request for the intermediate CA certificate and get it signed by the root CA.
openssl> x509 -req -days 365 -in imCA.csr -CA rootCA.crt -CAkey rootca.key -set_serial 01 -out imCA.crt
Step 6: To use this subordinate CA key for Authenticode signatures with Microsoft's signtool, you have to package the keys and certs in a PKCS12 file:
openssl> pkcs12 -export -out imCA.p12 -inkey imca.key -in imCA.crt -chain -CAfile rootCA.crt
