Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical work with PKI

Published bySybil Potter Modified over 6 years ago

Similar presentations

Presentation on theme: "Practical work with PKI"— Presentation transcript:

1 Practical work with PKI
Digital recordkeeping and preservation II 2016 Thomas Sødring P48-R407

2 But first .... You must create a password on the bibin machine
This must not be the password you use on Fronter. Do not use an existing password. Choose a new password!

3 PKI gives us Confidentiality No one can see the content of the message
Integrity The message is not altered Authentication The message comes from whom it is supposed to come from Non-repudiation The sender can not later deny having sent the message This is what you need to learn about theoretical and practical PKI

4 What we are going to do now
We will use some open source tool for Linux to explore PKI Create your own public/private PKI keys Sign an XML file with the private key Verify the signature with the public key Ensure non-repudiation Encrypt/decrypt an XML file with PKI keys Confidentiality and integrity

5 Find a suitable program
At HiOA Install putty via the add more software option on your desktop At home You can download this at home too To upload/download files between home and bibin you can use filezilla

6 When running putty you will see this
1 2 3 1. Host name : 2. Port : 22 3. Connection type : SSH

7 We type bibin.hioa.no in «Host Name» and click Open

8 A new window will show up
First you get a question whether you trust the server and if you want to accept the SSH key. You should always verify this before clicking Accept

9 Type your student number.
Username Type your student number. For example s123456

10 Username (2) Press ENTER

11 Type the password you made earlier and press ENTER

12 This is a Linux terminal window
And now we are inside This is a Linux terminal window

13 Explorer map network drive
This will only work from a HiOA computer

14 Explorer map network drive
This will only work from a HiOA computer

15 Download resources All files from:
Should be downloaded to your bibin area

16 First we are going to make a checksum
en_fil.txt This is a file We use a command called md5sum

17 Checksum generated by md5sum

18 Two files that are the same will always generate the same checksum
Another md5 checksum en_fil.txt This is a file kopi_av_en_fil.txt This is a file Two files that are the same will always generate the same checksum

19 Another md5 checksum (2) This is a file This is a file This is a file
en_fil.txt This is a file kopi_av_en_fil.txt This is a file en_annen_fil.txt This is a file

20 sha256sum You can also find sha256sum on bibin
sha256sum can be used in the same way as md5sum

21 sha256 checksum

22 Checksums can be used to
hide passwords 'password1' = 7c6a180b36896a0a8c02787eeafb0e4c There are databases that have made a mapping from words to checksums, which gives you the opportunity to search for checksums* Checksum is a one way mechanism = 74b82ad8fefce0f6c1f79bfad8a47097 This is one of the reasons why you should make good passwords** to find out if two (big) files are the same * **

23 Practical PKI and keys Now we will create public and private keys
Signing Private keys are used to sign documents Public keys are used to validate the signature Encryption/decryption Public keys are used to encrypt Private keys are used to decrypt

24 We will now generate a private key
Generate a RSA key The size of the key (in bits) openssl genrsa -out s123456_privat_nokkel.pem 1024 Open source program called openssl used for PKI The key is stored in a file called s123456_privat_nokkel.pem

25 cat s123456_privat_nokkel.pem
Look at the private key cat s123456_privat_nokkel.pem Can also be opened in explorer

26 We will now generate a public key
Generate a RSA public key openssl rsa -in s123456_privat_nokkel.pem -pubout -out s123456_offentlig_nokkel.pem Use private key s123456_privat_nokkel.pem as input to the public key Public key is stored in a file called s123456_offentlig_nokkel.pem

27 cat s123456_offentlig_nokkel.pem
Look at the public key cat s123456_offentlig_nokkel.pem

28 So far We have created a pair of private/public key
We shall use these to Sign/verify an XML file Encrypt an XML file Decrypt an XML file xmlsec1 This is part of a standard used for encryption/decryption of XML files with PKI sig.html ary/s-xmlsec.html/index.html

29 Sign an XML file with the private key
We will use the file: signerings_mal.xml Observe the data in: signerings_mal.xml Go back to the Linux tool and execute the commands

30 signerings_mal.xml Data that we want to sign goes here
<?xml version="1.0" encoding="UTF-8"?> <Envelope xmlns="urn:envelope"> <min_xmlData> This is my data </min_xmlData> <Signature xmlns=" <SignedInfo> <CanonicalizationMethod Algorithm=" /> <SignatureMethod Algorithm=" /> <Reference URI=""> <Transforms> <Transform Algorithm=" /> </Transforms> <DigestMethod Algorithm=" /> <DigestValue></DigestValue> </Reference> </SignedInfo> <SignatureValue/> <KeyInfo> <KeyName/> </KeyInfo> </Signature> </Envelope> Data that we want to sign goes here The checksum associated with SHA goes here The checksum associated with the private key goes here

31 Sign an XML file with the private key
xmlsec1 --sign --output signert_xml_fil.xml --privkey-pem s123456_privat_nokkel.pem signerings_mal.xml

32 The file: signert_xml_fil.xml
<?xml version="1.0" encoding="UTF-8"?> <Envelope xmlns="urn:envelope"> <min_xmlData> This is my data </min_xmlData> <Signature xmlns=" <SignedInfo> <CanonicalizationMethod Algorithm=" <SignatureMethod Algorithm=" <Reference URI=""> <Transforms> <Transform Algorithm=" </Transforms> <DigestMethod Algorithm=" <DigestValue>8B5bU1Yo6M3la8/oACJM/ggwWKo=</DigestValue> </Reference> </SignedInfo> <SignatureValue>oycOl0Ex07n5e2mH6fJ87gRdnsdT3m6NZMMTmSP/Hr9X88WkaD9dbZFG1nQ08Ze9 8L657332njkySJLaY22EKK7cLC5IwTCtyAC8CkRn8yvp5D8lg7RvwvWveKL1sR1U COGzWtUe3Sm67zBMHNbgGXdySf/PLOhzrJOjOWDAwd0=</SignatureValue> <KeyInfo> <KeyName/> </KeyInfo> </Signature> </Envelope> The checksum associated with SHA1 The checksum associated with the private key

33 We will now verify the public key
xmlsec1 verify --pubkey-pem s123456_offentlig_nokkel.pem signert_xml_fil.xml

34 So far We have seen how we can sign an XML file with our private key and then validate this file with our public key People can now know with certainty that this XML file came from you We have achieved non-repudiation Is this integrity/authenticity in an archive context? Next step is changing the content in the file and then check the validation Open the file and alter it Save the file and then try the verification command again

35 We will now verify the public key again
xmlsec1 verify --pubkey-pem s123456_offentlig_nokkel.pem signert_xml_fil.xml

36 Verifying the public key
We know that the file has been altered, but we don't know anything about what is changed xmlsec1 verify --pubkey-pem s123456_offentlig_nokkel.pem signert_xml_fil.xml func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match FAIL SignedInfo References (ok/all): 0/1 Manifests References (ok/all): 0/0 Error: failed to verify file "signert_xml_fil.xml"

37 Encryption with the public key
Ensure confidentiality We should be able to send data over an open communication line without anyone else reading the content Alice wants to send me a message that only I can read so she encrypts it with my public key Now we will try krypterings_mal.xml melding.xml

38 The file: melding.xml <melding> <fra>Alice</fra>
<til>Thomas</til> <innhold> Transfer ,- from account to account </innhold> </melding>

39 The file: krypterings_mal.xml
<?xml version="1.0" encoding="UTF-8"?> <EncryptedData xmlns=" Type=" <EncryptionMethod Algorithm=" <KeyInfo xmlns=" <EncryptedKey xmlns=" <EncryptionMethod Algorithm=" <KeyName/> </KeyInfo> <CipherData> <CipherValue/> </CipherData> </EncryptedKey> </EncryptedData>

40 Encryption with the public key (2)
xmlsec1 encrypt --pubkey-pem s123456_offentlig_nokkel.pem --session-key des-192 --xml-data melding.xml --output kryptert_melding.xml krypterings_mal.xml

41 The file: kryptert_melding.xml
<?xml version="1.0"?> <EncryptedData xmlns=" Type=" <EncryptionMethod Algorithm=" <KeyInfo xmlns=" <EncryptedKey xmlns=" <EncryptionMethod Algorithm=" <KeyName/> </KeyInfo> <CipherData> <CipherValue>kna8o5HkKLodmfDT1mKJFCJuCfNododRI/N8iDeQbLHTUOGCYph9MlHcGeYfkQew 08iCmRUONcIiYW56rcOatOOEL4FGyzgb/yINiAouPlNXG9pralrCcYP4V1L+ozvi GRIGP2vmpAW5M+yAMQzDaRN5uJwK+K/24LY7+wPCnIA=</CipherValue> </CipherData> </EncryptedKey> <CipherValue>hFYmRDArPDm3aZeHoethQsIAVstwGRGdFthtYCd9OtlAxxwLIn6lTwLefgalTNNi p0lblDNUBA6mDIftgMh/+g3cQeUrF21nOGd5bGbgza/pMf3U9QkLhRFKfIXTlTmZ Z+Cm4CjxevkE6/o8Ewl5TTx8vB75r/6CZzo/W2SGDdVKlWLgGBTjjENoN90bYJyH Mu0y+/0FV9qKvxa9LseqPp1Sq9J7OXn2QIUpQqyd3zc=</CipherValue> </EncryptedData> This is the encrypted message

42 Decryption with the private key
Here I have forgotten UTF-8 xmlsec1 decrypt --privkey-pem s123456_privat_nokkel.pem kryptert_melding.xml

43 Decryption with the private key (2)
If you want the content (the encrypted message) in a separate file instead of on the screen you have to use: --output dekryptert_melding.xml xmlsec1 decrypt --privkey-pem s123456_privat_nokkel.pem --output dekryptert_melding.xml kryptert_melding.xml

44 What have we achieved so far?
Integrity and authenticity We can verify who sent the document and that the content has not been altered Signing/verification of signature Confidentiality Although someone saw the message, it can only be decrypted with the private key What happens if we manually edit the content of kryptert_melding.xml?

45 Conclusion With these tools, how can we know that
Alice sends me a message about a transmission that is confidential, and will not have the possibility to deny it later Alice signs the message with her private key Alice encrypts the message with my public key I decrypt the message with my private key I verify the message with Alices public key

46 Assignment 3 How to ensure integrity and authenticity with PKI
Part 1: Generate keys Part 2: Securing Non-repudiation Part 3: Encryption Part 4: Ensuring the confidentiality and non- repudiation

Download ppt "Practical work with PKI"

Similar presentations

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Web services security I

Web services security I
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
1 Lecture 5 George Koutsogiannakis/ Summer 2011 CS441 CURRENT TOPICS IN PROGRAMMING LANGUAGES.

1 Lecture 5 George Koutsogiannakis/ Summer 2011 CS441 CURRENT TOPICS IN PROGRAMMING LANGUAGES.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
Sorting Out Digital Certificates Bill blog.codingoutloud.com ··· Boston Azure ··· 13·Dec·2012 ···

Sorting Out Digital Certificates Bill blog.codingoutloud.com ··· Boston Azure ··· 13·Dec·2012 ···
Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.

Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
XML Signature Prabath Siriwardena Director, Security Architecture.

XML Signature Prabath Siriwardena Director, Security Architecture.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Cryptography, Authentication and Digital Signatures

Cryptography, Authentication and Digital Signatures
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
11-Basic Cryptography Dr. John P. Abraham Professor UTPA.

11-Basic Cryptography Dr. John P. Abraham Professor UTPA.
 A Web service is a method of communication between two electronic devices over World Wide Web.

 A Web service is a method of communication between two electronic devices over World Wide Web.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Digital Signatures, Message Digest and Authentication Week-9.

Digital Signatures, Message Digest and Authentication Week-9.

Similar presentations

Ads by Google