You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

6.1 KiB

theme paginate footer
default true Razorpay

Practical Cryptography

Requirements

  • openssl version (1.1.1a)
  • curl --version (7.64.0)
  • php --version (7.3.2)
  • php -m |grep -e openssl -e curl
  • composer --version (See https://getcomposer.org/download/) (1.8.4)
  • docker --version (18.09.2-ce)
  • libtasn (brew install libtasn1) (4.13)

Practical PKI

nemo


Why


Objectives

  • Get familiar with Crypto primitives
  • Hands-on with
    • OpenSSL
    • TLS
    • Curl

Non-Goals

  • Understanding all Crypto-Attacks (we'll discuss a couple)
  • Elliptic Curve Crypto
  • crypto-currencies 🤑
  • Math
  • Intermediate Certs
  • Cert Revocation

Requirements

  • openssl version (1.1.1a)
  • curl --version (7.64.0)
  • php --version (7.3.2)
  • php -m |grep -e openssl -e curl
  • composer --version (See https://getcomposer.org/download/) (1.8.4)
  • docker --version (18.09.2-ce)
  • libtasn (brew install libtasn1) (4.13)

Setup

  1. Have a browser open with Google (Lots of googling needed for this)
  2. git clone git@github.com/captn3m0/crypto.koans.git && cd crypto.koans
  3. composer install

Koans 💃


koan

noun, plural ko·ans, ko·an. Zen.

  1. a nonsensical or paradoxical question to a student for which an answer is demanded, the stress of meditation on the question often being illuminating.

What is the colour of wind?


Ruby 💎

ruby path_to_enlightenment.rb

Thinking AboutAsserts
test_assert_truth has damaged your karma.

You have not yet reached enlightenment ...
<false> is not true.

Please meditate on the following code:
./about_asserts.rb:10:in `test_assert_truth'
path_to_enlightenment.rb:27

mountains are merely mountains

 # We shall contemplate truth by testing reality, via asserts.
def test_assert_truth
  assert false # This should be true
end

tl;dr

  1. Run tests
  2. Why is the test failing? (koans/files directories)
  3. Get it to pass

👌🏼 Don't Cheat

  • Means you must do something here
  • Keep a solutions.md file listing down commands as you run them

Setup

  1. Have a browser open with Google (Lots of googling needed for this)
  2. git clone git@github.com/captn3m0/crypto.koans.git && cd crypto.koans
  3. composer install
  4. vendor/bin/phpunit
  5. man openssl, man curl

🧘‍♀️🧘‍♂️


vendor/bin/phpunit


OpensslKeyGenerationKoans.php

vendor/bin/phpunit --filter BOpensslKeyGenerationKoans

Questions


FileFormatKoans.php

vendor/bin/phpunit --filter CFileFormatKoans

Questions

  • What is PEM vs DER?

Theory Break 1

  • Keys
  • Certificates
  • Signatures

CA Certificates

vendor/bin/phpunit --filter DCaCertificateKoans.php


Generate A CA Certificate


testCaCertificateExists

openssl req -x509
-newkey rsa:1024
-keyout files/ca.key
-nodes
-out files/ca.pem
-subj '/CN=crypto.koans.invalid'

Generate a Certificate Signing Request


Generate a Certificate Signing Request

openssl req -new
-key files/1.key
-subj '/CN=server.crypto.koans.invalid'
-out files/1.csr

Sign your CSR with your CA


Sign your CSR with your CA

openssl x509 -req
-in files/1.csr
-CA files/ca.pem
-CAkey files/ca.key
-CAcreateserial
-out files/1.crt

What can a Certificate Do?


What can a Certificate Do?

openssl x509
-in google.pem
-purpose
-noout #Remove this and retry

Generate a Client Certificate


Generate a Client Certificate

Step 1

printf "extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature" > client.cnf

Generate a Client Certificate

Step 2

# As Alice
openssl req -subj '/CN=alice.crypto.koans'
-key files/client.key
-new
-out files/client.csr
# As Bob
openssl x509 -req -in files/alice.csr
-CA files/ca.pem
-CAkey files/ca.key
-CAcreateserial
-extfile client.cnf
-out files/alice.crt

Generate a Client Certificate

Step 3

  1. Save alice.crt as client.crt
  2. Save the CA file you received as bob.pem
  3. See testClientBundleGenerated

Theory Break 2


What Alice Had

  1. Client (client.key, client.csr)

What Bob Had

  1. Client CSR (client.csr)
  2. CA (ca.pem, ca.key)

What Bob Had

  1. Client CSR (client.csr, alice.crt)
  2. CA (ca.pem, ca.key)

What Alice Has

  1. Client (client.key, client.csr, client.crt)
  2. Bob's CA (bob.pem)

What Bob Has

  1. Server (1.key, 1.csr, 1.crt)
  2. CA (ca.pem, ca.key)

What Alice Has

  1. Client (client.key, client.crt)
  2. Bob's CA (bob.pem)

What Bob Has

  1. Server (1.key, 1.crt)
  2. Bob's Own CA (ca.pem)

Where we're going

🐳 🚀


🐳 1️⃣ / 2️⃣

As Bob

Bring up a server using your key (1.key) and certificate (1.crt) and allow any client signed by your CA (ca.pem) to talk to you.

docker run --volume `pwd`/files:/etc/koans
--publish 8443:443
captn3m0/crypto.koans
# ssl_certificate /etc/koans/1.crt;
# ssl_certificate_key /etc/koans/1.key;
# ssl_client_certificate /etc/koans/ca.pem;
# Give your WiFi IP to your partner

🐳 2️⃣ / 2️⃣

As Alice

Use the certificate (signed by Bob) and the key (which only you have) to talk to Bob's server (which you can verify using the CA given)

curl https://server.crypto.koans.invalid:8443
--resolve server.crypto.koans.invalid:8443:192.168.1.121
--cert files/client.crt
--key files/client.key
--cacert files/bob.pem
# /etc/hosts
192.168.1.121 server.crypto.koans.invalid

Browser 🌍

  1. Import bundle.pfx in your browser
  2. Enable CA Usage for websites
  3. Open https://server.crypto.koans.invalid:8443