mirror of https://github.com/captn3m0/talks.git synced 2024-09-27 19:22:49 +00:00
2019-02-21 12:35:02 +05:30

---
theme: default
paginate: true
footer: Razorpay
---
# <!--fit--> Practical Cryptography
# Requirements
- `openssl version` (1.1.1a)
- `curl --version` (7.64.0)
- `php --version` (7.3.2)
- `php -m |grep -e openssl -e curl`
- `composer --version` (See <https://getcomposer.org/download/>) (1.8.4)
- `docker --version` (18.09.2-ce)
- `libtasn` (`brew install libtasn1`) (4.13)
# <!--fit--> Practical PKI
<!--
_backgroundColor: rebeccapurple
_color: white
_class: lead
-->
# <!--fit--> Why
# Objectives
- Get familiar with Crypto primitives
- Hands-on with
  - OpenSSL
  - Curl
# Non-Goals
- Understanding all Crypto-Attacks (we'll discuss a couple)
- Elliptic Curve Crypto
- crypto-currencies :money_mouth_face:
- Math
- Intermediate Certs
- Cert Revocation
# Requirements
- `openssl version` (1.1.1a)
- `curl --version` (7.64.0)
- `php --version` (7.3.2)
- `php -m |grep -e openssl -e curl`
- `composer --version` (See <https://getcomposer.org/download/>) (1.8.4)
- `docker --version` (18.09.2-ce)
- `libtasn` (`brew install libtasn1`) (4.13)
# Setup
1. Have a browser open with Google (Lots of googling needed for this)
2. `git clone git@github.com:captn3m0/crypto.koans.git && cd crypto.koans`
3. `composer install`
# <!--fit--> Koans 💃
# **koan**
_noun_, **plural ko·ans, ko·an.** _Zen._
1. a nonsensical or paradoxical question to a student for which an answer is demanded, the stress of meditation on the question often being illuminating.
# <!--fit--> What is the colour of wind?
## Ruby 💎

```
$ ruby path_to_enlightenment.rb
Thinking AboutAsserts
test_assert_truth has damaged your karma.

You have not yet reached enlightenment ...
<false> is not true.

Please meditate on the following code:
./about_asserts.rb:10:in `test_assert_truth'

mountains are merely mountains
```

```ruby
# We shall contemplate truth by testing reality, via asserts.
def test_assert_truth
  assert false # This should be true
end
```
# tl;dr
1. Run tests
2. Why is the test failing? (`koans/files` directories)
3. Get it to pass
👌🏼 Don't Cheat
- ❗ Means you must do something here
- Keep a solutions.md file listing down commands as you run them
# Setup
1. Have a browser open with Google (Lots of googling needed for this)
2. `git clone git@github.com:captn3m0/crypto.koans.git && cd crypto.koans`
3. `composer install`
4. `vendor/bin/phpunit`
5. `man openssl`, `man curl`
# <!--fit--> `vendor/bin/phpunit`
# `OpensslKeyGenerationKoans.php`
```bash
vendor/bin/phpunit --filter BOpensslKeyGenerationKoans
```
## <!--fit--> Questions❓
# `FileFormatKoans.php`
```bash
vendor/bin/phpunit --filter CFileFormatKoans
```
## <!--fit--> Questions❓
- What is PEM vs DER?
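The PEM/DER question, worked through as an added example (not part of the crypto.koans repo): the same certificate is written in both encodings, round-tripped, and the base64 body of the PEM is shown to be exactly the DER bytes. The directory layout and the throwaway self-signed certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example: PEM is DER wrapped in base64 between BEGIN/END markers; DER is raw ASN.1.
set -eu

# Make a throwaway self-signed certificate at $1/cert.pem (assumed location).
make_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/key.pem" \
    -out "$1/cert.pem" -subj '/CN=crypto.koans.invalid' 2>/dev/null
  echo "$1/cert.pem"
}

# Convert PEM -> DER and back; echoes the path of the round-tripped PEM.
round_trip() {
  openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
  openssl x509 -in "$1/cert.der" -inform DER -outform PEM -out "$1/cert2.pem"
  echo "$1/cert2.pem"
}

# SHA-256 fingerprint of a PEM certificate; identical content gives identical output.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# First byte of the DER file in hex: 0x30 is the ASN.1 SEQUENCE tag every X.509
# certificate opens with (this is what libtasn1 would parse).
der_first_byte() {
  od -An -tx1 -N1 "$1" | tr -d ' \n'
}

# Byte count of the PEM body once decoded: strip the markers, base64-decode, count.
pem_payload_bytes() {
  sed '/^-----/d' "$1" | openssl base64 -d | wc -c | tr -d ' '
}
```

The decoded PEM body has the same byte count as the DER file, which is the whole difference between the two formats: DER is what the parser consumes, PEM is the transport-friendly wrapper.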
# Theory Break 1
- Keys
- Certificates
- Signatures
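How the three objects on this slide fit together, as an added example (not from the crypto.koans repo): a private key produces a signature, the certificate carries the matching public key, and anyone holding only the certificate can check the signature and notice tampering. The directory layout, file names and the constructed message are assumptions of the example.

```shell
#!/bin/sh
# Added example: key signs, certificate carries the public key, signature is verified
# with the public key alone.
set -eu

# Create a key pair and a self-signed certificate in $1 (assumed layout).
make_identity() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/key.pem" \
    -out "$1/cert.pem" -subj '/CN=crypto.koans.invalid' 2>/dev/null
}

# Sign file $2 with the private key; the signature is written to $1/message.sig.
sign_file() {
  openssl dgst -sha256 -sign "$1/key.pem" -out "$1/message.sig" "$2"
}

# Verify $1/message.sig over file $2 using only the public key pulled out of the
# certificate. Prints "ok" or "fail".
verify_file() {
  openssl x509 -in "$1/cert.pem" -noout -pubkey > "$1/pub.pem"
  if openssl dgst -sha256 -verify "$1/pub.pem" -signature "$1/message.sig" "$2" \
      >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}
```

Changing a single character of the signed message makes verification fail, which is why a certificate (and not just a public key) matters: the CA's signature over the certificate is checked the same way, one level up.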
# `CA Certificates`
```bash
vendor/bin/phpunit --filter DCaCertificateKoans
```
# <!--fit--> Generate A CA Certificate
# testCaCertificateExists
```bash
openssl req -x509 \
  -newkey rsa:1024 \
  -keyout files/ca.key \
  -out files/ca.pem \
  -subj '/CN=crypto.koans.invalid'
```
# <!--fit--> Generate a Certificate Signing Request
# <!--fit--> Generate a Certificate Signing Request
```bash
openssl req -new \
  -key files/1.key \
  -subj '/CN=server.crypto.koans.invalid' \
  -out files/1.csr
```
# <!--fit--> Sign your CSR with your CA
# <!--fit--> Sign your CSR with your CA
```bash
openssl x509 -req \
  -in files/1.csr \
  -CA files/ca.pem \
  -CAkey files/ca.key \
  -CAcreateserial \
  -out files/1.crt
```

`-CAcreateserial` creates `files/ca.srl` on first use; OpenSSL 1.1.1 fails without it when that file does not exist yet.
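The three slides above (CA, CSR, signing) carried through end to end as an added example (not the crypto.koans code), with a verification step the deck leaves to the koan: `openssl verify` must accept the server certificate against the CA, and must reject one issued by a different CA. Key size, validity period and paths are assumptions of the example.

```shell
#!/bin/sh
# Added example: throwaway CA -> server key and CSR -> signed certificate -> chain check.
set -eu

# Build the chain under $1; echoes the path of the signed server certificate.
make_server_chain() {
  dir="$1"
  mkdir -p "$dir"
  # 1. Self-signed CA (key and certificate in one step). 2048-bit RSA instead of the
  #    deck's rsa:1024, which is below current minimums; -nodes skips the passphrase.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj '/CN=crypto.koans.invalid' 2>/dev/null
  # 2. Server key and CSR: the CSR carries the public key plus the requested subject.
  openssl genrsa -out "$dir/1.key" 2048 2>/dev/null
  openssl req -new -key "$dir/1.key" \
    -subj '/CN=server.crypto.koans.invalid' -out "$dir/1.csr"
  # 3. Sign the CSR with the CA. -CAcreateserial is required on first use with 1.1.1.
  openssl x509 -req -in "$dir/1.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/1.crt" 2>/dev/null
  echo "$dir/1.crt"
}

# Does $1/1.crt chain to $1/ca.pem? Prints "ok" or "fail".
verify_chain() {
  if openssl verify -CAfile "$1/ca.pem" "$1/1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Who issued a certificate and who it was issued to.
cert_names() {
  openssl x509 -in "$1" -noout -issuer -subject
}
```

Swapping in a certificate signed by some other CA makes `verify_chain` fail even though the subject is identical: the subject is just a string, the issuer's signature is what is being checked.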
# <!--fit--> What can a Certificate Do?
# What can a Certificate Do?
```bash
openssl x509 \
  -in google.pem \
  -text \
  -noout # Remove this and retry
```

Look at the `X509v3 Key Usage` and `X509v3 Extended Key Usage` lines in the output: they are what limits a certificate to a role.
# <!--fit--> Generate a Client Certificate
# Generate a Client Certificate
## Step 1
```bash
printf "extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature" > client.cnf
```
# Generate a Client Certificate
## Step 2
```bash
# As Alice
openssl req -new -subj '/CN=alice.crypto.koans' \
  -key files/client.key \
  -out files/client.csr
# (send client.csr to Bob; he stores it as files/alice.csr)

# As Bob
openssl x509 -req -in files/alice.csr \
  -CA files/ca.pem \
  -CAkey files/ca.key \
  -CAcreateserial \
  -extfile client.cnf \
  -out files/alice.crt
```

`-new` is required for `openssl req` to build a request from `client.key`; without it the command waits for an existing CSR on stdin.
# Generate a Client Certificate
## Step 3
1. Save `alice.crt` as `client.crt`
2. Save the CA file you received as `bob.pem`
3. See `testClientBundleGenerated`
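The client-certificate steps above, as an added example (not the crypto.koans code): Bob signs Alice's CSR with the `client.cnf` extensions, the result is bundled into the `bundle.pfx` the browser slide later imports, and `openssl verify -purpose` shows that the certificate is accepted as a TLS client but refused as a TLS server. Directory layout, file names and the export passphrase `koans` are assumptions of the example.

```shell
#!/bin/sh
# Added example: issue a clientAuth certificate, bundle it as PKCS#12, check its purpose.
set -eu

# Issue $1/client.crt for alice, signed by a throwaway CA in $1; echoes the cert path.
issue_client_cert() {
  dir="$1"
  mkdir -p "$dir"
  # Throwaway CA, same shape as the deck's CA command.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj '/CN=crypto.koans.invalid' 2>/dev/null
  # The extension file decides what the certificate may be used for.
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.cnf"
  # Alice: private key and CSR.
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" \
    -subj '/CN=alice.crypto.koans' -out "$dir/client.csr"
  # Bob: sign the CSR, applying the extensions from client.cnf.
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/client.cnf" \
    -out "$dir/client.crt" 2>/dev/null
  echo "$dir/client.crt"
}

# Bundle key + certificate + CA into bundle.pfx (what a browser imports); echoes the path.
make_bundle() {
  dir="$1"
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
    -certfile "$dir/ca.pem" -passout pass:koans -out "$dir/bundle.pfx"
  echo "$dir/bundle.pfx"
}

# Is $1/client.crt valid for purpose $2 (sslclient or sslserver)? Prints "ok" or "fail".
check_purpose() {
  if openssl verify -purpose "$2" -CAfile "$1/ca.pem" "$1/client.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Subject of the client certificate inside a bundle (proves the .pfx is readable).
bundle_subject() {
  openssl pkcs12 -in "$1" -passin pass:koans -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}
```

The `sslserver` check failing is the point of `client.cnf`: a leaked client certificate cannot be turned around and used to impersonate Bob's server, because the extended key usage does not allow it.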
# Theory Break 2
# What Alice Had
1. Client (`client.key`, `client.csr`)
# What Bob Had
1. Client CSR (`client.csr`)
2. CA (`ca.pem`, `ca.key`)
# What Bob Had
1. Client CSR (`client.csr`, `alice.crt`)
2. CA (`ca.pem`, `ca.key`)
# What Alice Has
1. Client (`client.key`, `client.csr`, `client.crt`)
2. Bob's CA (`bob.pem`)
# What Bob Has
1. Server (`1.key`, `1.csr`, `1.crt`)
2. CA (`ca.pem`, `ca.key`)
# What Alice Has
1. Client (`client.key`, `client.crt`)
2. Bob's CA (`bob.pem`)
# What Bob Has
1. Server (`1.key`, `1.crt`)
2. Bob's Own CA (`ca.pem`)
# Where we're going
# <!--fit--> :whale: :rocket:
# :whale: :one: / :two:
## As Bob
Bring up a server using your key (`1.key`) and certificate (`1.crt`) and allow any client signed
by your CA (`ca.pem`) to talk to you.
```bash
docker run --volume `pwd`/files:/etc/koans \
  --publish 8443:443 \
  IMAGE  # image name is not on the slide: an nginx image carrying the config below
```

```nginx
ssl_certificate        /etc/koans/1.crt;
ssl_certificate_key    /etc/koans/1.key;
ssl_client_certificate /etc/koans/ca.pem;
ssl_verify_client      on;   # without this nginx never asks the client for a certificate
```

Give your WiFi IP to your partner.
# :whale: :two: / :two:
## As Alice
Use the certificate (signed by Bob) and the key
(which only you have) to talk to Bob's server (which
you can verify using the CA given)
```bash
# Append Bob's WiFi IP after the last colon of --resolve,
# or add a line for server.crypto.koans.invalid to /etc/hosts instead.
curl https://server.crypto.koans.invalid:8443 \
  --resolve server.crypto.koans.invalid:8443: \
  --cert files/client.crt \
  --key files/client.key \
  --cacert files/bob.pem
```
# Browser 🌍
1. Import `bundle.pfx` in your browser
2. Enable CA Usage for websites
3. Open https://server.crypto.koans.invalid:8443