INFORMATION SECURITY - PRACTICAL ASSESSMENT - TP3 - CRYPTOGRAPHY AND APPLICATIONS. GRENOBLE INP ENSIMAG

Transcription

1 INFORMATION SECURITY - PRACTICAL ASSESSMENT - TP3 - CRYPTOGRAPHY AND APPLICATIONS GRENOBLE INP ENSIMAG COMPUTER SCIENCE 3RD YEAR SIF-LOAD - 1ST SEMESTER, 2011 Lecturers: Fabien Duchene - Karim Hossen firstname.lastname [ at ] imag.fr NOTE: Practical assessment regarding the course we had on Thu. 20th, October 2011 and regarding the chapter 2. cryptography and applications It is due for Tuesday 1st, November pm59. This practical assessment will let you practice with applied cryptography. Goals: discover how signature and encryption do work in asymetric cryptography be aware of how the PKI trust model works within your OS and browsers code a basic bruteforcer understand the importance of randomness in cryptography IMPORTANT NOTES Deliverables: for that assessment, you will submit SEVERAL deliverables: your report (.txt /.pdf) (accepted languages: french FR-FR or english EN-UK / EN-US) (may be inside your report): how you would rate that assessment: how many (efficient) hours you did spend on that assessment? what you enjoyed? what you did not enjoy? what was easy?... hard? in which way? any suggestion? the following files, related to the exercises: gpg pubkey.asc gpg msg.txt gpg msg.sig.asc (for the signed message) gpg msg.enc.asc (for the encrypted message)

2 2 All the exercises have similar importance in terms of notation, so please work on ALL OF THEM. Each time you use a command related to a tool: write the command and the most relevant part of the output... in your report! In case of an error, or a question, please send an to your teachers and write the question at

3 3 1. (Bonus question): From which hacking contest (Capture the Flag) and from which challenge is this picture issued from? 1 Web-Of-Trust: PGP In the open-source and security communities, we prefer a web of trust architecture instead of a PKI one. GnuPG is an open-source implementation of the initial PGP concepts, and in conformance to the OpenPGP format 2. In terms of trust model, what is the difference between a PKI and a web of trust architecture?

4 4 3. (a) Install on your system an implementation of GnuPG. You are free to use your favorite package manager, or to use packages from Which software and version did you choose and for which os? NOTE: for whatever version you choose, you should be able to run the gpg command start your favorite shell (eg: sh, ksh, bash or powershell (Windows Vista)) or a terminal prompt (windows XP) we remind you that will display the gpg executable command line parameters syntax (b) Generate your own PGP keypair with the following parameters: [provide YOUR command and its execution result] kind of key: RSA and RSA RSA private keysize: 4096 bits key lifetime: 3 years We will note K priv and K pub, respectively your GPG private key and the corresponding public key. (c) Export your PGP public key (ASCII printable format!) [provide YOUR command and its execution result] (i) save it as gpg pubkey.asc [and include it in your deliverable!] (ii) note: the normal usage is to publish and transmit this key via another trusted mechanism (eg: over an https website). another solution is one explained on my personal webpage: If you know me personally, then fingerprint the key with... gpg fingerprint Fabien Duchene... and call me on the phone. I will verify to you that the fingerprint you got was: 8C16 9A97 BD01 19DC BA AC 98E9 E77D 3800 Why do I propose to confirm it over the phone? (d) Write a message of your choice and save it as gpg msg.txt [and include it in your deliverable!] 4. (have a look at your lecture slides and eventually on the Internet) (a) What is a hash function? use your own words! (b) Name 3 hash functions ordered from the most secure one to the less secure one. 5. Signature (a) Read the slides in the lecture corresponding to the asymmetric cryptography. What is the main difference between asymmetric cryptography and symmetric one? (b) Antonio de la Vega (A) wants to send a signed message M to Bob Dylan (B). It thus rely on Public Key Cryptography. Write a formula describing the signed resulting message using the following notations: K(i, j) where i {A, B} and j {pub, priv} M hash() encrypt() decrypt() (c) Name at least one signature function. (d) prepare a signed message from gpg msg.txt (ASCII armored, SHA256 as the hash function) and save it into a file named gpg msg.sig.asc [and include it in your deliverable!] (e) propose a formula describing gpg msg.sig.asc as a function of gpg msg.txt, K priv

5 5 6. Update your PGP trust store with the public key. First download the files from (a) Copy that ASCII armored PGP public key (including the BEGIN PGP PUBLIC KEY... and the END PGP... ) and paste it into a text file on your profile -my public key.asc (or whatever name you may want to use) (b) Import the key in your PGP trusting store [provide YOUR command and its execution result] (c) Check the fingerprint of the imported PGP key. And compare it to CB16 3B57 68FB 3FE8 4BD7 B00E 6F9B 1620 : What do we learn from that comparison?.. under which hypotheses? 7. Signature verification. (a) Check that GPG-msg 1.txt.asc and GPG-msg 2.txt.asc are valid GPG messages. [provide YOUR command and its execution result] (b) What do we learn from those results? In case of a failure when performing the verification of a message, what are your hypotheses why this may happen? 8. Encrypted message (a) prepare an encrypted message from gpg msg.txt to fabien.duchene@imag.fr (ASCII armored) (note: you will NOT send me an , but save it into a file named gpg msg.enc.asc [and include it in your deliverable!]) (b) propose a formula describing gpg msg.enc.asc as a function of gpg msg.txt, K priv, and GPG-public key.asc and justify why it is in that order. 2 Public Key Infrastructure: it takes great courage to have dinner with an alien! 9. Have a look at the slides 3 to 26 of the following document: (accessible from Ensiwiki > Associations > Securimag > Introduction to the Microsoft PKI ) (a) What does X.509 stand for? (b) What is a certification authority? What does it do regarding which systems, actors? (c) In that lecture it is mentionned that SSL relies on PKI. Provide one example of a web application that you use daily and where we can see that SSL/TLS is used [provide a screenshot of YOUR work].

6 6 10. Certificate trust store (a) What is a certificate trust store? Windows NT 5+ (XP, 2003) and NT6+ (Vista,7,2008,2008 R2) and Internet Explorer 6.0+ Mac OS X and Safari Firefox (b) Display a list of the certificates present in the trust store. [provide a screenshot of YOUR work] Windows key + R or Startup > Run mmc.exe File > add a snap-pin Certificates > Add > My user account In Mac OS X, the trust store is named the KeyChain, it also does contain your passwords. open a Terminal.app and use certtool to list all the certificates and CRL in the loggedon user keychain. Using Keychain Access (FR- FR: Trousseau de clés ), display all the Root Certificate from System and System Roots 1 open / A p p l i c a t i o n s / U t i l i t i e s / Keychain \ Access. app/ go to Preferences > Advanced > Encryption > View Certificates (c) Observe the Access Control List on the trust store files: [provide YOUR command and its execution result] NT5 (XP,2003) %\userprofile%\application Data\Microsoft\CryptnetUrlCache regedit.exe > HKLM > Software > Microsoft > System- Certificates ; same with HKLU >... > My Starting from NT6+ (Vista, 7, 2008, 2008 R2): %userprofile%\appdata\locallow\microsoft\cryptneturlcache User private: %appdata%\microsoft\crypto\keys Local System Private: %allusersprofile%\application Data\Microsoft\Crypto\SystemKeys Shared private %allusersprofile%\application Data\Microsoft\Crypto\Keys /System/Library/Keychains/ /Library/Keychains/ first go to: Mac: /Library/Application Support/ Windows: %userprofile%\application data\mozilla\ Linux: /mozilla/ then: firefox > Profiles > xxxxxxxx.default > cert8.db

7 7 11. Certificate validation: (a) navigate to (b) what is the certification chain? [provide a screenshot of YOUR work] (c) till when is that certificate valid? (d) which encryption algorithm is used? (e) which signature algorithm is used? (f) what are the private and public keys length related to that certificate? (g) what are the factors regarding how you do trust that website and the connection to that website?

8 8 12. (a) navigate to Do not add an exception for this website! (i) What do you remark regarding the connection and website trust? [provide a screenshot of YOUR work] (ii) Why is this happening? (b) download the files from using 1 java CERT1 indicate who is the certificate issuer, and the entity to which that certificate has been issued (c) import the.crt certificate in your PKI-Root CA trust store ([provide YOUR command and its execution result]or [provide a screenshot of YOUR work]) (d) navigate again to What can you notice? Why? (e) What would be the impact if such a Root CA certificate (or a children into that hierarchy) would be put into the trusted CA store of browsers / OS? DO NOT FORGET TO REMOVE THE PREVIOUS ROOT CERTIFI- CATE FROM YOUR TRUST STORE! 13. Certificate revocation (a) What are the two most used protocols for checking if a certificate has been revoked? (according to (b) Regarding the Diginotar episode it took Apple about 40 days (fraudulous certificates issued on July 10th 2011, made public on September 3rd 2011, and an update was published on Oct. 12th 2011) to push a trivial CRL update within its mobile operating system: ios. Why were many security professional so angry regarding that fact?

9 9 3 Symmetric cryptography Will be updated this very week-end. 4 Randonmess of encryption keys Will be updated this very week-end.