diff --git a/crypto.koans/index.html b/crypto.koans/index.html new file mode 100644 index 0000000..ab62b30 --- /dev/null +++ b/crypto.koans/index.html @@ -0,0 +1,453 @@ +crypto.tls
+

Practical Cryptography

+

Requirements

+
    +
  • openssl version (1.1.1a)
  • +
  • curl --version (7.64.0)
  • +
  • php --version (7.3.2)
  • +
  • php -m |grep -e openssl -e curl
  • +
  • composer --version (See https://getcomposer.org/download/) (1.8.4)
  • +
  • docker --version (18.09.2-ce)
  • +
  • libtasn (brew install libtasn1) (4.13)
  • +
+
Razorpay
+
+
+

Practical PKI

+

nemo

+
Razorpay
+
+
+

Why

+
Razorpay
+
+
+

Objectives

+
    +
  • Get familiar with Crypto primitives
  • +
  • Hands-on with +
      +
    • OpenSSL
    • +
    • TLS
    • +
    • Curl
    • +
    +
  • +
+
Razorpay
+
+
+

Non-Goals

+
    +
  • Understanding all Crypto-Attacks (we'll discuss a couple)
  • +
  • Elliptic Curve Crypto
  • +
  • crypto-currencies πŸ€‘
  • +
  • Math
  • +
  • Intermediate Certs
  • +
  • Cert Revocation
  • +
+
Razorpay
+
+
+

Requirements

+
    +
  • openssl version (1.1.1a)
  • +
  • curl --version (7.64.0)
  • +
  • php --version (7.3.2)
  • +
  • php -m |grep -e openssl -e curl
  • +
  • composer --version (See https://getcomposer.org/download/) (1.8.4)
  • +
  • docker --version (18.09.2-ce)
  • +
  • libtasn (brew install libtasn1) (4.13)
  • +
+
Razorpay
+
+
+

Setup

+
    +
  1. Have a browser open with Google (Lots of googling needed for this)
  2. +
  3. git clone git@github.com/captn3m0/crypto.koans.git && cd crypto.koans
  4. +
  5. composer install
  6. +
+
Razorpay
+
+
+

Koans πŸ’ƒ

+
Razorpay
+
+
+

koan

+

noun, plural koΒ·ans, koΒ·an. Zen.

+
    +
  1. a nonsensical or paradoxical question to a student for which an answer is demanded, the stress of meditation on the question often being illuminating.
  2. +
+
Razorpay
+
+
+

What is the colour of wind?

+
Razorpay
+
+
+

Ruby πŸ’Ž

+
ruby path_to_enlightenment.rb
+
+Thinking AboutAsserts
+test_assert_truth has damaged your karma.
+
+You have not yet reached enlightenment ...
+<false> is not true.
+
+Please meditate on the following code:
+./about_asserts.rb:10:in `test_assert_truth'
+path_to_enlightenment.rb:27
+
+mountains are merely mountains
+
+
Razorpay
+
+
+
 # We shall contemplate truth by testing reality, via asserts.
+def test_assert_truth
+  assert false # This should be true
+end
+
+
Razorpay
+
+
+

tl;dr

+
    +
  1. Run tests
  2. +
  3. Why is the test failing? (koans/files directories)
  4. +
  5. Get it to pass
  6. +
+

πŸ‘ŒπŸΌ Don't Cheat

+
    +
  • ❗ Means you must do something here
  • +
  • Keep a solutions.md file listing down commands as you run them
  • +
+
Razorpay
+
+
+

Setup

+
    +
  1. Have a browser open with Google (Lots of googling needed for this)
  2. +
  3. git clone git@github.com/captn3m0/crypto.koans.git && cd crypto.koans
  4. +
  5. composer install
  6. +
  7. vendor/bin/phpunit
  8. +
  9. man openssl, man curl
  10. +
+

πŸ§˜β€β™€οΈπŸ§˜β€β™‚οΈ

+
Razorpay
+
+
+

vendor/bin/phpunit

+
Razorpay
+
+
+

OpensslKeyGenerationKoans.php

+

vendor/bin/phpunit --filter BOpensslKeyGenerationKoans

+

Questions❓

+
Razorpay
+
+
+

FileFormatKoans.php

+

vendor/bin/phpunit --filter CFileFormatKoans

+

Questions❓

+
    +
  • What is PEM vs DER?
  • +
+
Razorpay
+
+
+

Theory Break 1

+
    +
  • Keys
  • +
  • Certificates
  • +
  • Signatures
  • +
+
Razorpay
+
+
+

CA Certificates

+

vendor/bin/phpunit --filter DCaCertificateKoans.php

+
Razorpay
+
+
+

Generate A CA Certificate

+
Razorpay
+
+
+

testCaCertificateExists

+
openssl req -x509
+-newkey rsa:1024
+-keyout files/ca.key
+-nodes
+-out files/ca.pem
+-subj '/CN=crypto.koans.invalid'
+
+
Razorpay
+
+
+

Generate a Certificate Signing Request

+
Razorpay
+
+
+

Generate a Certificate Signing Request

+
openssl req -new
+-key files/1.key
+-subj '/CN=server.crypto.koans.invalid'
+-out files/1.csr
+
+
Razorpay
+
+
+

Sign your CSR with your CA

+
Razorpay
+
+
+

Sign your CSR with your CA

+
openssl x509 -req
+-in files/1.csr
+-CA files/ca.pem
+-CAkey files/ca.key
+-CAcreateserial
+-out files/1.crt
+
+
Razorpay
+
+
+

What can a Certificate Do?

+
Razorpay
+
+
+

What can a Certificate Do?

+
openssl x509
+-in google.pem
+-purpose
+-noout #Remove this and retry
+
+
Razorpay
+
+
+

Generate a Client Certificate

+
Razorpay
+
+
+

Generate a Client Certificate

+

Step 1

+
printf "extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature" > client.cnf
+
+
Razorpay
+
+
+

Generate a Client Certificate

+

Step 2

+
# As Alice
+openssl req -subj '/CN=alice.crypto.koans'
+-key files/client.key
+-new
+-out files/client.csr
+# As Bob
+openssl x509 -req -in files/alice.csr
+-CA files/ca.pem
+-CAkey files/ca.key
+-CAcreateserial
+-extfile client.cnf
+-out files/alice.crt
+
+
Razorpay
+
+
+

Generate a Client Certificate

+

Step 3

+
    +
  1. Save alice.crt as client.crt
  2. +
  3. Save the CA file you received as bob.pem
  4. +
  5. See testClientBundleGenerated
  6. +
+
Razorpay
+
+
+

Theory Break 2

+
Razorpay
+
+
+

What Alice Had

+
    +
  1. Client (client.key, client.csr)
  2. +
+
Razorpay
+
+
+

What Bob Had

+
    +
  1. Client CSR (client.csr)
  2. +
  3. CA (ca.pem, ca.key)
  4. +
+
Razorpay
+
+
+

What Bob Had

+
    +
  1. Client CSR (client.csr, alice.crt)
  2. +
  3. CA (ca.pem, ca.key)
  4. +
+
Razorpay
+
+
+

What Alice Has

+
    +
  1. Client (client.key, client.csr, client.crt)
  2. +
  3. Bob's CA (bob.pem)
  4. +
+

What Bob Has

+
    +
  1. Server (1.key, 1.csr, 1.crt)
  2. +
  3. CA (ca.pem, ca.key)
  4. +
+
Razorpay
+
+
+

What Alice Has

+
    +
  1. Client (client.key, client.crt)
  2. +
  3. Bob's CA (bob.pem)
  4. +
+

What Bob Has

+
    +
  1. Server (1.key, 1.crt)
  2. +
  3. Bob's Own CA (ca.pem)
  4. +
+
Razorpay
+
+
+

Where we're going

+

🐳 πŸš€

+
Razorpay
+
+
+

🐳 1️⃣ / 2️⃣

+

As Bob

+

Bring up a server using your key (1.key) and certificate (1.crt) and allow any client signed
+by your CA (ca.pem) to talk to you.

+
docker run --volume `pwd`/files:/etc/koans
+--publish 8443:443
+captn3m0/crypto.koans
+
+
# ssl_certificate /etc/koans/1.crt;
+# ssl_certificate_key /etc/koans/1.key;
+# ssl_client_certificate /etc/koans/ca.pem;
+# Give your WiFi IP to your partner
+
+
Razorpay
+
+
+

🐳 2️⃣ / 2️⃣

+

As Alice

+

Use the certificate (signed by Bob) and the key
+(which only you have) to talk to Bob's server (which
+you can verify using the CA given)

+
curl https://server.crypto.koans.invalid:8443
+--resolve server.crypto.koans.invalid:8443:192.168.1.121
+--cert files/client.crt
+--key files/client.key
+--cacert files/bob.pem
+
+
# /etc/hosts
+192.168.1.121 server.crypto.koans.invalid
+
+
Razorpay
+
+
+

Browser 🌍

+
    +
  1. Import bundle.pfx in your browser
  2. +
  3. Enable CA Usage for websites
  4. +
  5. Open https://server.crypto.koans.invalid:8443
  6. +
+ +
+
\ No newline at end of file
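Review bot: The CA key on the testCaCertificateExists slide is created with `-newkey rsa:1024`, which is below the 2048-bit minimum that current guidance expects for RSA, and this key signs every server and client certificate used in the rest of the workshop. Suggest `-newkey rsa:2048` so attendees do not carry the weak size into real setups. In Generate a Client Certificate, Step 2, Alice writes `-out files/client.csr` but Bob signs `-in files/alice.csr`; use one name, or add a line telling Bob to save the received CSR as alice.csr, the way Step 3 does for alice.crt. Both Setup slides give `git clone git@github.com/captn3m0/crypto.koans.git`, which git will not treat as an SSH remote because the scp-style form needs a colon after the host (`git@github.com:captn3m0/crypto.koans.git`).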