Scribd
Upload
12 views14 pages

Crypto4 Nik

The document discusses SSL/TLS certificates and root certificate authorities. It explains that MacOS devices contain 149 pre-installed root CA certificates that are used to verify identities and enable encryption in SSL/TLS connections. Root CAs act as trust anchors at the top of the certificate authority hierarchy.

Uploaded by

nikhileshmeher24
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
12 views14 pages

Crypto4 Nik

The document discusses SSL/TLS certificates and root certificate authorities. It explains that MacOS devices contain 149 pre-installed root CA certificates that are used to verify identities and enable encryption in SSL/TLS connections. Root CAs act as trust anchors at the top of the certificate authority hierarchy.

Uploaded by

nikhileshmeher24
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

Cryptography & Network Security Lab

NAME: NIKHILESH MEHER


REG. NO.: 21BCE2455
FACULTY-IN- CHARGE: DR. N. BALAJI
COURSE CODE: BCSE309P
• Step 1. Create a private key and public certificate for client & server by openssl tool.

openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client
certificate.pem
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -x509 -days 365 -out server-
certificate.pem

• Step 2. Combine the private key and public certificate into PCKS12(P12) format for client
and server respectively.

openssl pkcs12 -inkey client-key.pem -in client-certificate.pem -export -out client-certificate.p12


openssl pkcs12 -inkey server-key.pem -in server-certificate.pem -export -out server-certificate.p12
• Step 3. Place client-certificate.p12 and server-
certificate.p12 into keystore and trustStore location.

SSL Client code:

package client;

import javax.net.ssl.*;

import java.io.*;

import java.security.*;

import java.security.cert.CertificateException;

/**

* @author garden

* @create 8/11/18

*/

public class SSLClient {

public static void main(String[] args){

try {
System.setProperty("javax.net.debug", "all");

KeyStore keyStore = KeyStore.getInstance("PKCS12");

String password = "aabbcc";

InputStream inputStream =
ClassLoader.getSystemClassLoader().getResourceAsStream("client/certificate-client.p12");

keyStore.load(inputStream, password.toCharArray());

// TrustManagerFactory ()

KeyStore trustStore = KeyStore.getInstance("PKCS12");

String password2 = "abcdefg";

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX",


"SunJSSE");

InputStream inputStream1 =
ClassLoader.getSystemClassLoader().getResourceAsStream("server/certificate-server.p12");

trustStore.load(inputStream1, password2.toCharArray());

trustManagerFactory.init(trustStore);

X509TrustManager x509TrustManager = null;

for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {

if (trustManager instanceof X509TrustManager) {

x509TrustManager = (X509TrustManager) trustManager;

break;

if (x509TrustManager == null) throw new NullPointerException();

// KeyManagerFactory ()

KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509",


"SunJSSE");

keyManagerFactory.init(keyStore, password.toCharArray());
X509KeyManager x509KeyManager = null;

for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {

if (keyManager instanceof X509KeyManager) {

x509KeyManager = (X509KeyManager) keyManager;

break;

if (x509KeyManager == null) throw new NullPointerException();

// set up the SSL Context

SSLContext sslContext = SSLContext.getInstance("TLS");

sslContext.init(new KeyManager[]{x509KeyManager}, new TrustManager[]{x509TrustManager},


null);

SSLSocketFactory socketFactory = sslContext.getSocketFactory();

SSLSocket kkSocket = (SSLSocket) socketFactory.createSocket("127.0.0.1", 8333);

kkSocket.setEnabledProtocols(new String[]{"TLSv1.2"});

PrintWriter out = new PrintWriter(kkSocket.getOutputStream(), true);

BufferedReader in = new BufferedReader(

new InputStreamReader(kkSocket.getInputStream()));

BufferedReader stdIn =

new BufferedReader(new InputStreamReader(System.in));

String fromServer;

String fromUser;

while ((fromServer = in.readLine()) != null) {

System.out.println("Server: " + fromServer);


if (fromServer.equals("Bye."))

break;

fromUser = stdIn.readLine();

if (fromUser != null) {

System.out.println("Client: " + fromUser);

out.println(fromUser);

}catch (IOException e){

e.printStackTrace();

} catch (CertificateException e) {

e.printStackTrace();

} catch (NoSuchAlgorithmException e) {

e.printStackTrace();

} catch (UnrecoverableKeyException e) {

e.printStackTrace();

} catch (NoSuchProviderException e) {

e.printStackTrace();

} catch (KeyStoreException e) {

e.printStackTrace();

} catch (KeyManagementException e) {

e.printStackTrace();

SSL Server code:


package server;

import protocol.KnockKnockProtocol;

import javax.net.ssl.*;

import java.io.*;

import java.security.*;

import java.security.cert.CertificateException;

/**

* @author garden

* @create 8/11/18

*/

public class SSLServer {

public static void main(String[] args) {

try {

// Get the keystore

System.setProperty("javax.net.debug", "all");

KeyStore keyStore = KeyStore.getInstance("PKCS12");

String password = "abcdefg";

InputStream inputStream =
ClassLoader.getSystemClassLoader().getResourceAsStream("server/certificate-server.p12");

keyStore.load(inputStream, password.toCharArray());

// TrustManagerFactory

String password2 = "aabbcc";

KeyStore trustStore = KeyStore.getInstance("PKCS12");


TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX",
"SunJSSE");

InputStream inputStream1 =
ClassLoader.getSystemClassLoader().getResourceAsStream("client/certificate-client.p12");

trustStore.load(inputStream1, password2.toCharArray());

trustManagerFactory.init(trustStore);

X509TrustManager x509TrustManager = null;

for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {

if (trustManager instanceof X509TrustManager) {

x509TrustManager = (X509TrustManager) trustManager;

break;

if (x509TrustManager == null) throw new NullPointerException();

// KeyManagerFactory ()

KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509",


"SunJSSE");

keyManagerFactory.init(keyStore, password.toCharArray());

X509KeyManager x509KeyManager = null;

for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {

if (keyManager instanceof X509KeyManager) {

x509KeyManager = (X509KeyManager) keyManager;

break;

if (x509KeyManager == null) throw new NullPointerException();


// set up the SSL Context

SSLContext sslContext = SSLContext.getInstance("TLS");

sslContext.init(new KeyManager[]{x509KeyManager}, new TrustManager[]{x509TrustManager},


null);

SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();

SSLServerSocket serverSocket = (SSLServerSocket)


serverSocketFactory.createServerSocket(8333);

serverSocket.setNeedClientAuth(true);

serverSocket.setEnabledProtocols(new String[]{"TLSv1.2"});

SSLSocket socket = (SSLSocket) serverSocket.accept();

// InputStream and OutputStream Stuff

PrintWriter out =

new PrintWriter(socket.getOutputStream(), true);

BufferedReader in = new BufferedReader(

new InputStreamReader(socket.getInputStream()));

String inputLine, outputLine;

// Initiate conversation with client

KnockKnockProtocol kkp = new KnockKnockProtocol();

outputLine = kkp.processInput(null);

out.println(outputLine);

while ((inputLine = in.readLine()) != null) {

outputLine = kkp.processInput(inputLine);

out.println(outputLine);
if (outputLine.equals("Bye."))

break;

}catch (IOException e){

e.printStackTrace();

} catch (CertificateException e) {

e.printStackTrace();

} catch (NoSuchAlgorithmException e) {

e.printStackTrace();

} catch (UnrecoverableKeyException e) {

e.printStackTrace();

} catch (NoSuchProviderException e) {

e.printStackTrace();

} catch (KeyStoreException e) {

e.printStackTrace();

} catch (KeyManagementException e) {

e.printStackTrace();

}
Output:
1. In Total MacOS has 149 System root Certificates ( Search Keychain Access on spotlight)

2. 2. Root Certificate Authorities (CAs) play a critical role in the secure transmission of data
over the internet, particularly in the context of SSL/TLS connections. SSL (Secure Sockets
Layer) and its successor, TLS (Transport Layer Security), are cryptographic protocols that
provide secure communication over a computer network. These protocols encrypt the data
transmitted between a client (such as a web browser) and a server, ensuring confidentiality,
integrity, and authenticity of the exchanged information. The trust model in SSL/TLS relies
heavily on Certificate Authorities. A Certificate Authority is a trusted entity that issues digital
certificates, which serve as electronic documents verifying the identities of parties involved
in a communication and facilitating the encryption process. Root CAs are the highest level
in the hierarchical structure of CAs. Here's how it works: 1. Root CA Certificates: Root CAs
are entities that are implicitly trusted by devices and software applications. They are
typically pre installed on operating systems, web browsers, and other network devices.
These root CA certificates act as anchors of trust. They are used to verify the authenticity of
other certificates in the chain. 2. Certificate Chain: When a client (e.g., a web browser)
connects to a server over HTTPS (HTTP Secure), the server presents its digital certificate,
which includes information such as the server's identity, its public key, the CA that issued
the certificate (known as the intermediate CA), and a digital signature from the issuing CA.
The client then verifies the server's certificate by checking its signature against the public
key of the issuing CA. If the signature is valid and the certificate is issued by a trusted CA
(i.e., the CA's root certificate is present in the client's trust store), the client trusts the
server's identity. 3. Trust Hierarchy: The trust in the SSL/TLS ecosystem is based on the
principle of delegation. Root CAs delegate authority to intermediate CAs, which in turn
issue certificates to end entities (such as websites). The trust is established by the inclusion
of the root CA certificates in the trust store of devices and software applications. This trust
hierarchy ensures that certificates issued by trusted CAs are accepted as authentic,
thereby enabling secure communication between clients and servers. 4. Security and
Assurance: The use of root CA certificates provides assurance that the entities involved in
the communication are who they claim to be. It also helps prevent various security threats,
such as man in-the-middle attacks, where an attacker intercepts and alters communication
between the client and server. By verifying the authenticity of certificates, root CAs help
maintain the integrity and confidentiality of data transmitted over the internet. In summary,
root CA certificates are foundational elements in the SSL/ TLS infrastructure, establishing
trust and enabling secure communication by verifying the authenticity of digital certificates
presented by servers. They form the basis of the trust model that underpins the security of
the internet.
3. . To view the certificates for a website in your browser: - Navigate to the website (e.g.,
google.com). - Click on the padlock icon next to the URL in the address bar. - Select
"Certificate" or "View Certificate" option (may vary depending on the browser). -This will
open a window displaying the certificate details.
4. Possible risks of trusting a CA include: * Misissuance: CAs could mistakenly issue
certificates to malicious entities, compromising security. * Compromise: If a CA's private
key is compromised, attackers could issue fraudulent certificates, leading to man-in-the-
middle attacks. * Lack of transparency: Some CAs may not adhere to strict security
practices or may have opaque policies, leading to potential security vulnerabilities.

You might also like