mirror of https://github.com/captn3m0/talks.git, synced 2024-09-28 22:22:56 +00:00
---
theme: default
paginate: true
footer: Razorpay
---
Practical Cryptography
Requirements
- `openssl version` (1.1.1a)
- `curl --version` (7.64.0)
- `php --version` (7.3.2)
- `php -m | grep -e openssl -e curl`
- `composer --version` (1.8.4) (see https://getcomposer.org/download/)
- `docker --version` (18.09.2-ce)
- libtasn1 (4.13) (`brew install libtasn1`)
Practical PKI
Why
Objectives
- Get familiar with Crypto primitives
- Hands-on with
  - OpenSSL
  - TLS
  - Curl
Non-Goals
- Understanding all Crypto-Attacks (we'll discuss a couple)
- Elliptic Curve Crypto
- crypto-currencies 🤑
- Math
- Intermediate Certs
- Cert Revocation
Setup
- Have a browser open with Google (lots of googling needed for this)
```sh
git clone git@github.com:captn3m0/crypto.koans.git && cd crypto.koans
composer install
```
Koans 💃
koan
noun, plural ko·ans, ko·an. Zen.
- a nonsensical or paradoxical question to a student for which an answer is demanded, the stress of meditation on the question often being illuminating.
What is the colour of wind?
Ruby 💎
```sh
ruby path_to_enlightenment.rb
```
Thinking About Asserts
```
test_assert_truth has damaged your karma.
You have not yet reached enlightenment ...
<false> is not true.
Please meditate on the following code:
./about_asserts.rb:10:in `test_assert_truth'
path_to_enlightenment.rb:27
mountains are merely mountains
```
```ruby
# We shall contemplate truth by testing reality, via asserts.
def test_assert_truth
  assert false # This should be true
end
```
tl;dr
- Run tests
- Why is the test failing? (see the `koans`/`files` directories)
- Get it to pass
👌🏼 Don't Cheat
- ❗ means you must do something here
- Keep a `solutions.md` file listing the commands as you run them
Setup
- Have a browser open with Google (lots of googling needed for this)
```sh
git clone git@github.com:captn3m0/crypto.koans.git && cd crypto.koans
composer install
vendor/bin/phpunit
```
`man openssl`, `man curl`
🧘‍♀️🧘‍♂️
```sh
vendor/bin/phpunit
```
OpensslKeyGenerationKoans.php
```sh
vendor/bin/phpunit --filter BOpensslKeyGenerationKoans
```
Questions❓
FileFormatKoans.php
```sh
vendor/bin/phpunit --filter CFileFormatKoans
```
Questions❓
- What is PEM vs DER?
Theory Break 1
- Keys
- Certificates
- Signatures
CA Certificates
```sh
vendor/bin/phpunit --filter DCaCertificateKoans
```
Generate A CA Certificate
`testCaCertificateExists`
```sh
openssl req -x509 \
  -newkey rsa:1024 \
  -keyout files/ca.key \
  -nodes \
  -out files/ca.pem \
  -subj '/CN=crypto.koans.invalid'
```
Generate a Certificate Signing Request
```sh
openssl req -new \
  -key files/1.key \
  -subj '/CN=server.crypto.koans.invalid' \
  -out files/1.csr
```
Sign your CSR with your CA
```sh
openssl x509 -req \
  -in files/1.csr \
  -CA files/ca.pem \
  -CAkey files/ca.key \
  -CAcreateserial \
  -out files/1.crt
```
What can a Certificate Do?
```sh
openssl x509 \
  -in google.pem \
  -purpose \
  -noout # Remove this and retry
```
Generate a Client Certificate
Step 1
```sh
printf "extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature" > client.cnf
```
Generate a Client Certificate
Step 2
```sh
# As Alice
openssl req -subj '/CN=alice.crypto.koans' \
  -key files/client.key \
  -new \
  -out files/client.csr
# As Bob (Alice's client.csr, received from her and saved as alice.csr)
openssl x509 -req -in files/alice.csr \
  -CA files/ca.pem \
  -CAkey files/ca.key \
  -CAcreateserial \
  -extfile client.cnf \
  -out files/alice.crt
```
Generate a Client Certificate
Step 3
- Save `alice.crt` as `client.crt`
- Save the CA file you received as `bob.pem`
- See `testClientBundleGenerated`
Theory Break 2
What Alice Had
- Client (`client.key`, `client.csr`)
What Bob Had
- Client CSR (`client.csr`)
- CA (`ca.pem`, `ca.key`)
What Bob Had
- Client CSR (`client.csr`, `alice.crt`)
- CA (`ca.pem`, `ca.key`)
What Alice Has
- Client (`client.key`, `client.csr`, `client.crt`)
- Bob's CA (`bob.pem`)
What Bob Has
- Server (`1.key`, `1.csr`, `1.crt`)
- CA (`ca.pem`, `ca.key`)
What Alice Has
- Client (`client.key`, `client.crt`)
- Bob's CA (`bob.pem`)
What Bob Has
- Server (`1.key`, `1.crt`)
- Bob's Own CA (`ca.pem`)
Where we're going
🐳 🚀
🐳 1️⃣ / 2️⃣
As Bob
Bring up a server using your key (`1.key`) and certificate (`1.crt`) and allow any client signed by your CA (`ca.pem`) to talk to you.
```sh
docker run --volume "$(pwd)/files:/etc/koans" \
  --publish 8443:443 \
  captn3m0/crypto.koans
# The server inside the image is configured with:
# ssl_certificate /etc/koans/1.crt;
# ssl_certificate_key /etc/koans/1.key;
# ssl_client_certificate /etc/koans/ca.pem;
# Give your WiFi IP to your partner
```
🐳 2️⃣ / 2️⃣
As Alice
Use the certificate (signed by Bob) and the key (which only you have) to talk to Bob's server (which you can verify using the CA given).
```sh
curl https://server.crypto.koans.invalid:8443 \
  --resolve server.crypto.koans.invalid:8443:192.168.1.121 \
  --cert files/client.crt \
  --key files/client.key \
  --cacert files/bob.pem
```
Alternatively, instead of `--resolve`, add the name to `/etc/hosts`:
```
192.168.1.121 server.crypto.koans.invalid
```
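The whole exercise replayed locally, as an added example that is not code from the crypto.koans repo or the deck: it runs the CA, server CSR and client `client.cnf` signing steps from the earlier slides in a temp directory, uses `openssl verify -purpose` to show what the `extendedKeyUsage=clientAuth` extension restricts Alice's certificate to (the same question the `-purpose` slide asks of `google.pem`), then stands in `openssl s_server` for Bob's docker image and `openssl s_client` for Alice's curl call, so you can see the server accept Alice and refuse a client that presents no certificate. Assumptions: OpenSSL 1.1.1 or later on PATH with its stock `openssl.cnf`, loopback port 48443 free (`KOANS_PORT` is a variable introduced here to override it), and 2048-bit keys in place of the slides' `rsa:1024`.

```shell
#!/bin/sh
# Added example, not code from the crypto.koans repo or the deck.
# Assumes openssl >= 1.1.1 on PATH with its stock openssl.cnf, a free
# loopback port (48443 by default; KOANS_PORT is a variable introduced
# here to override it) and a mktemp path without spaces.
set -eu

# build_pki DIR: the slides' CA -> server cert -> client cert sequence.
# 2048-bit RSA replaces the slides' rsa:1024, which OpenSSL security
# level 2 (the default on some distributions) refuses outright.
build_pki() {
  mkdir -p "$1"
  # Self-signed CA; the stock v3_ca section gives it basicConstraints CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -subj '/CN=crypto.koans.invalid' -out "$1/ca.pem" 2>/dev/null
  # Server (Bob): key + CSR, signed by the CA with no extensions, as on the slides.
  openssl genrsa -out "$1/1.key" 2048 2>/dev/null
  openssl req -new -key "$1/1.key" -subj '/CN=server.crypto.koans.invalid' -out "$1/1.csr"
  openssl x509 -req -in "$1/1.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/1.crt" 2>/dev/null
  # Client (Alice): CSR signed with the client.cnf extensions from Step 1.
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$1/client.cnf"
  openssl genrsa -out "$1/client.key" 2048 2>/dev/null
  openssl req -new -key "$1/client.key" -subj '/CN=alice.crypto.koans' -out "$1/client.csr"
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/client.cnf" -out "$1/client.crt" 2>/dev/null
}

# verify_for DIR CERT PURPOSE: what `openssl verify -purpose` allows the
# certificate to be used for under this CA. Prints OK or REJECTED.
verify_for() {
  if openssl verify -purpose "$3" -CAfile "$1/ca.pem" "$1/$2" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

# start_server DIR PORT: stand-in for the docker image on the "As Bob" slide.
# Serves with 1.crt/1.key and requires a client certificate that chains to
# ca.pem (-Verify), the role ssl_client_certificate plays there. Sets SERVER_PID.
start_server() {
  openssl s_server -accept "127.0.0.1:$2" -cert "$1/1.crt" -key "$1/1.key" \
    -CAfile "$1/ca.pem" -Verify 1 -www -quiet >/dev/null 2>&1 &
  SERVER_PID=$!
}

# mtls_request DIR PORT [nocert]: stand-in for the curl call on the "As Alice"
# slide. Verifies the server against ca.pem (--cacert) and, unless "nocert" is
# given, presents client.crt/client.key (--cert/--key). Returns 0 only if the
# handshake completed and the server answered the request.
mtls_request() {
  dir=$1; port=$2; mode=${3:-withcert}
  set -- -connect "127.0.0.1:$port" -CAfile "$dir/ca.pem" -verify_return_error -ign_eof
  [ "$mode" = nocert ] || set -- "$@" -cert "$dir/client.crt" -key "$dir/client.key"
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client "$@" 2>/dev/null \
    | grep -qi 'HTTP/1.0 200'
}

# wait_for_server DIR PORT: s_server starts asynchronously; retry for ~20 s.
wait_for_server() {
  n=0
  until mtls_request "$1" "$2"; do
    n=$((n + 1))
    [ "$n" -lt 20 ] || return 1
    sleep 1
  done
}

PORT=${KOANS_PORT:-48443}
WORK=$(mktemp -d)
SERVER_PID=
trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT

build_pki "$WORK"
for cert in 1.crt client.crt; do
  echo "$cert: sslserver=$(verify_for "$WORK" "$cert" sslserver)" \
       "sslclient=$(verify_for "$WORK" "$cert" sslclient)"
done

start_server "$WORK" "$PORT"
wait_for_server "$WORK" "$PORT" || { echo "no server on port $PORT" >&2; exit 1; }
if mtls_request "$WORK" "$PORT"; then WITH_CERT=accepted; else WITH_CERT=rejected; fi
if mtls_request "$WORK" "$PORT" nocert; then NO_CERT=accepted; else NO_CERT=rejected; fi
echo "Alice with client.crt + client.key: $WITH_CERT"
echo "Client presenting no certificate:   $NO_CERT"
```

Two things worth noticing in the output: `client.crt` passes `-purpose sslclient` but fails `-purpose sslserver`, because the `client.cnf` extensions Bob signed into it say so, while `1.crt`, signed with no extensions, passes both; and the server only completes the handshake for the client that presents a certificate chaining to `ca.pem`, which is exactly the trust relationship the `ssl_client_certificate` line and curl's `--cert`/`--key`/`--cacert` flags express.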
Browser 🌍
- Import `bundle.pfx` in your browser
- Enable CA usage for websites
- Open https://server.crypto.koans.invalid:8443