Educational Objectives

This lab is designed for students to get hands-on experience using various encryption algorithms, as well as Linux command-line and shell scripting.

Educational Environment

One Oracle VirtualBox VM with Kali Linux 32-bit or 64-bit installed (depending on your operating system).

Lab Overview The notion of cryptography consists of hiding secret information from non-trusted peers by mangling messages into unintelligible text that only trusted peers can rearrange. In this lab, we will use and compare three different techniques commonly employed to secure information: secret key cryptography (DES), public key cryptography (RSA) and message digests (SHA-1).

There is a group of built in functions that will help you complete this assignment. These functions are included in OpenSSL. OpenSSL is an open source toolkit that implements security protocols such as SSL but also includes a general purpose cryptography library which you will use. OpenSSL is usually part of most modern Linux distributions.

Lab 1.1: Testing OpenSSL Encryption/Decryption from the Terminal Start the Kali VM you just created. Use root as the username, and toor as the password (from the previous section). If you get locked out due to timeout, just press your spacebar, then enter the root password (toor) again to resume. Open the Terminal (command line shell) in Kali. NOTE: You may also want to open the IceWeasel browser, surf to UNGs D2L, and open this lab (so that you can copy and paste longer pieces below to and from the command-line shell) if you are having any trouble with cut and paste. In the following exercises, the command you will need to type (or copy/paste) into the Linux terminal is what immediately follows a # sign. Lines separated by a blank space are a sample of the expected output you should see returned in your terminal. For example, for the following you would simply type whoami in the terminal and presumably you would receive the same value of root as I did:

# whoami

root

First we can start by encrypting simple messages. The following command will encrypt a message "Welcome to CSCI 3250 Computer Security" using Base64 Encoding (printable characters):

# echo "Welcome to CSCI 3250 Computer Security" | openssl enc -a

V2VsY29tZSB0byBDU0NJIDMyNTAgQ29tcHV0ZXIgU2VjdXJpdHkK

The output of the above command is an encrypted string containing encoded message "Welcome to CSCI 3250 Computer Security". To decrypt encoded string back to its original message we need to reverse the order and attach -d option for decryption:

# echo "V2VsY29tZSB0byBDU0NJIDMyNTAgQ29tcHV0ZXIgU2VjdXJpdHkK" | openssl enc -a -d

Welcome to CSCI 3250 Computer Security

The above encryption is simple to use, however, it lacks an important feature of a password, which should be used for encryption. For example, try to decrypt the following string with a password "ung":

U2FsdGVkX1/9D0G7e2/R0mixdGqYV7zxBbzptH3uwDo=

To do that use OpenSSL again with -d option and encoding method des-cbc:

# echo "U2FsdGVkX1/9D0G7e2/R0mixdGqYV7zxBbzptH3uwDo=" | openssl enc -des-cbc -d -a -k ung

You can do it!

As you have probably already guessed, to create an encrypted message with a password as the one above you can use the following command:

# echo "You can do it!" | openssl enc -e -des-cbc -k ung -a

U2FsdGVkX1/9D0G7e2/R0mixdGqYV7zxBbzptH3uwDo=

If you wish to store OpenSSL's output to a file instead of STDOUT simply use STDOUT redirection ">". When storing encrypted output to a file you can also omit the Base64 -a option as you no longer need the output to be ASCII text based. You can use the hexdump command hd to display the encoded file contents:

# echo "OpenSSL" | openssl enc -des-cbc -k ung > openssl.dat

# hd openssl.dat

00000000 53 61 6c 74 65 64 5f 5f 19 77 a6 7f fd 11 fe 55 |Salted__.w.....U|

00000010 19 bb 6d 3d 16 2c c3 2a f8 6b 93 8b 56 a8 9f 07 |..m=.,.*.k..V...|

00000020

To decrypt the openssl.dat file back to its original message use:

# openssl enc -des-cbc -d -k ung -in openssl.dat

OpenSSL

Public-key encryption and decryption (RSA)

In this section we will show how to encrypt and decrypt files using public and private keys. First we need to generate private and public keys. This can simply be done by:

# openssl genrsa -out private_key.pem 1024

Generating RSA private key, 1024bit long modulus ............................++++++

..........++++++

e is 65537 (0x10001)

From the private key we can then generate public key:

# openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout

writing RSA key

At this point you should have both private and public key available in your current working directory.

# ls

private_key.pem public_key.pem

Next, we create some sample file called encrypt.txt with any arbitrary text:

# echo "Welcome to CSCI 3250 Computer Security" > encrypt.txt

# cat encrypt.txt

Welcome to CSCI 3250 Computer Security

Now we are ready to encrypt this file with the public key:

# openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt .dat

# ls

encrypt.dat encrypt.txt private_key.pem public_key.pem

# hd encrypt.dat

00000000 3f 17 3d 0f 32 ba 93 6c 83 2e 29 ad 7c 9b 32 90 |?.=.2..l..).|.2.|

00000010 64 10 e8 00 54 b2 4e cc ad 91 f1 b2 27 8e 6d e8 |d...T.N.....'.m.|

00000020 b9 ee da 70 28 d6 90 9c 3e 85 78 3a fe fc 31 75 |...p(...>.x:..1u|

00000030 21 9e 46 6d 38 ae 3e d2 ba bb f1 16 3c 37 d2 70 |!.Fm8.>.....<7.p|

00000040 71 6e 14 5b 59 e2 8a 64 7a 79 94 1d b7 77 3c af |qn.[Y..dzy...w<.|

00000050 11 8d 08 0b 5d c8 b6 89 34 f0 66 55 b8 b6 9f de |....]...4.fU....|

00000060 74 07 6d 5e 70 59 c5 98 cb 35 fe f5 fa 98 68 d2 |t.m^pY...5....h.|

00000070 a6 a0 5c d5 95 df 1c f8 9a 45 32 15 38 3d b0 be |..\......E2.8=..| 00000080

To decrypt this file, we need to use private key:

# openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out new_encrypt.t xt

# cat new_encrypt.txt

Welcome to CSCI 3250 Computer Security

Lab 1.2: DES encryption/decryption

Open the file attachment named testdes.sh (located in the Lab 1 dropbox), or copy/paste the following into a text editor in Kali (such as LeafPad):

#!/bin/bash

if [ $# -eq 0 ]

then

echo "Three args required - need an infile, outfile, thirdfile"

exit 1

fi

ts=$(date +%s%N)

openssl enc -e -des-cbc -salt -in $1 -out $2 -k nighthawks

te=$(date +%s%N)

tt=$(( (te - ts)/1000000 ))

echo "It took $tt milliseconds to encode with DES-CBC."

This script checks for three command-line arguments. If not present, the script ends. Otherwise, the script encrypts a file specified by the first argument using the password nighthawks and des-cbc encryption. It also times the encryption by getting the system time before and after the encryption, then echoes the result. Save the file as testdes.sh in your user (home) folder. In the terminal, change directories into your user folder, then make the above script executable using the chmod command:

# cd

~ # chmod +x testdes.sh

Now create a simple file and test the shell script:

# echo "Welcome to CSCI 3250 Computer Security" > plaintext.txt

# ./testdes.sh plaintext.txt ciphertext_des.dat decoded_des.txt

Re-run the command three times to get a more accurate picture of the amount of time the algorithm requires. Modify the shell script (by adding a copy-paste of the last five lines of the script above) to DECODE the file in the second command-line argument ($2) and output it to a filename given by the third command-line argument ($3). Echo out the time it took to DECODE the file. Test your script again with

# ./testdes.sh plaintext.txt ciphertext_des.dat decoded_des.txt

Use the more or cat command to display the decoded.txt file to make sure it is correctly decoded, and note the time required for encoding and decoding your message. Examine the ciphertext_des.dat file with hd.

Lab 1.3: RSA encryption/decryption Modify testdes.sh to create testrsa.sh, which substitutes RSA encryption (as used in section 1.1) in place of the des-cbc encryption. Chmod the testrsa.sh script to make it executable, and test it as shown below:

# echo "Welcome to CSCI 3250 Computer Security" > plaintext.txt

# ./testrsa.sh plaintext.txt ciphertext_rsa.dat decoded_rsa.txt

Re-run the command three times to get a more accurate picture of the amount of time the algorithm requires. Examine the ciphertext_rsa.dat file with hd.

Lab 1.4: SHA Message Digest

Use OpenSSL to create a message digest using SHA-1. # echo "Welcome to CSCI 3250 Computer Security" > plaintext.txt

# openssl sha1 plaintext.txt > digest.txt

Use more or cat to display the contents of the digest.txt file.

testdes.sh

#!/bin/bash if [ $# -eq 0 ] then echo "Three args required - need an infile, outfile, thirdfile" exit 1 fi

ts=$(date +%s%N) openssl enc -e -des-cbc -salt -in $1 -out $2 -k nighthawks te=$(date +%s%N) tt=$(( (te - ts)/1000000 )) echo "It took $tt milliseconds to encode with DES-CBC."