-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
72c96b6
commit 0aeab94
Showing
4 changed files
with
364 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| # Practical Encryption | ||
|
|
||
| ## Videos | ||
|
|
||
| | Video | Length | Slides | | ||
| |-------|-------:|--------| | ||
|
|
||
|
|
||
| ## Exercises | ||
|
|
||
| - [OpenSSL](./openssl.md) | ||
| - [PGP](./pgp.md) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,229 @@ | ||
|
|
||
|
|
||
| # Introduction to OpenSSL: A Hands-On Lab using OpenSSL and encryption | ||
|
|
||
| OpenSSL is a widely used open-source software library that provides cryptographic functions and protocols to secure communications over computer networks. In this lab, we will gain hands-on experience with OpenSSL by performing cryptographic operations. The goal of this lab is to learn how to generate cryptographic keys, create digital certificates, and perform encryption and decryption operations. | ||
|
|
||
| # Objectives: | ||
|
|
||
| - Understand the purpose and role of SSL Certificate Authorities in web security. | ||
| - Create a root Certificate Authority (CA) for local development. | ||
| - Generate SSL certificates for localhost domains. | ||
| - Configure web servers to use the self-signed SSL certificates for HTTPS. | ||
| - Test the secure communication with HTTPS-enabled web servers. | ||
|
|
||
| ### First we install the OpenSSL tool | ||
|
|
||
| Use your VM to install `openssl` with the appropriate command. On Debian that is: | ||
|
|
||
| ~~~~.sh | ||
| $ sudo apt install openssl | ||
| ~~~~ | ||
|
|
||
| Alternatively, you could build from the source [https://www.openssl.org/source/](https://www.openssl.org/source/) after obtaining and extracting it: | ||
|
|
||
| ~~~~.sh | ||
| $ ./config | ||
| $ make | ||
| $ make test # This step is optional. | ||
| $ sudo make install | ||
| ~~~~ | ||
|
|
||
| Remember that you can add the `apt install` line to your Vagrantfile to use OpenSSL on Vagrant. | ||
|
|
||
|
|
||
| Use OpenSSL to encrypt files with symmetric encryption | ||
| ====================================================== | ||
|
|
||
| Create a text file called `mytext.txt` and write a message you want to send inside it. | ||
| Then, encrypt this file with a symmetric AES 256 key using OpenSSL: | ||
|
|
||
| ```bash | ||
| openssl aes256 -in mytext.txt -out mytext.enc | ||
| ``` | ||
|
|
||
| You'll be asked for a passphrase to create the key. The output will be named `mytext.enc`. Be sure not to forget your passphrase. | ||
|
|
||
| #### What is the difference between your unencrypted file and the encrypted one? Try and read an ecrypted file. | ||
|
|
||
| Alternatively, you can encode the encrypted file with `base64`. This option creates a file with ASCII characters instead of a pure binary stream, making it suitable for sending via email. To do this, encrypt again specifying base64 instead of AES 256, and also passing the `-a` flag. | ||
|
|
||
| #### Is the file size larger than before? If so, why? | ||
|
|
||
| Now, you can send your encrypted sensitive information to the recipient. | ||
|
|
||
| How to decrypt using OpenSSL | ||
| ----------------------------- | ||
|
|
||
| Use email or another method to swap encrypted files with someone. Utilize the `-d` parameter to decrypt the file, whether it's a binary stream or consists only of ASCII characters. You'll need to use the same passphrase for this as was used to encrypt the file. | ||
|
|
||
| #### Once decrypted, can you read the correct message? | ||
|
|
||
| Use OpenSSL to encrypt files with asymmetric encryption | ||
| ================================================== | ||
|
|
||
| Asymmetric encryption uses two sets of keys, called a key pair. A public key that can be freely distributed with the entity you want to communicate with, and a private key that is never shared. | ||
|
|
||
|
|
||
| Generate key pairs | ||
| ------------------ | ||
| Using the `openssl` man pages, figure out how to use `genrsa` to generate a 1024-bit public-private key pair. | ||
|
|
||
| Distribute the public key | ||
| -------------------------- | ||
| The public key is meant to be shared with others. Extract your public key with the OpenSSL tool into a `.pem` file using the `-pubout` parameter. | ||
|
|
||
| Exchange your public keys | ||
| ------------------------- | ||
| Exchange public keys with someoone else. Next, create an encrypted message using the OpenSSL `-encrypt` command. You will need the following to formulate the command: | ||
|
|
||
| - Name of the file | ||
| - Other's person public key to encrypt | ||
| - The name of the output file | ||
|
|
||
| #### Try and view the file, what is the format? | ||
|
|
||
| Send the file to the other party using your preferred method. The other person can decrypt the file and read the message using the private key and the parameter `-decrypt`. The recipient can write a response, encrypt it with your public key and send it back. | ||
|
|
||
| Why do we need HTTPS? | ||
| -------------------------- | ||
|
|
||
| Websites with HTTPS provide assurance to customers that their connections are secure. HTTPS, or Hypertext Transfer Protocol Secure, is a protected version of HTTP, the protocol used for data transmission between your browser and the website you're accessing. Prioritizing the safeguarding of users' privacy and data security is crucial for instilling trust in people connected to the web services we develop online | ||
|
|
||
| Why will we use HTTPS locally? | ||
| -------------------------------- | ||
| We need to create a development environment that closely resembles production. This practice helps to avoid future issues when deploying your web apps or websites online. | ||
|
|
||
| Configure and utilize Nginx with HTTPS for creating a localhost web app and sign a certificate request with OpenSSL. | ||
| ===================================================================================== | ||
|
|
||
| A certificate signing request (CSR) consists of three entities: the public key, the system that triggers the request, and the signature of the request. The private key will be used to encrypt the certificate. We will use OpenSSL for that. | ||
|
|
||
| To create a private key with OpenSSL, we first create a directory and generate the key inside it: | ||
| ~~~~.sh | ||
| $ mkdir ~/store-csr | ||
| ~~~~ | ||
|
|
||
| Then, we generate the RSA private key (keep note of the passphrase). Use OpenSSL with the `genrsa` command and the `-aes256 parameter` for a private key with size 2048. Next, generate a root certificate with OpenSSL using the `req` command and parameters `-x509` for a digital signature and `-sha256` for a hash function. Finally, make it valid for 30 days. | ||
|
|
||
| Then, we will make a request for the server we will use later, and we want to authenticate, for example: | ||
|
|
||
| ~~~~.sh | ||
| $ openssl genrsa -out cert.key 2048 | ||
| ~~~~ | ||
|
|
||
| As we can see from the output, we generated an RSA private key of 2048 bits. The `genrsa` command is used to generate RSA private key files, with the default value being 512 bits. You can specify different key sizes. Investigate the command options with `-help`. | ||
|
|
||
| Now, with the private key, we will create the CSR using the OpenSSL tool. Fill out the fields in a similar way as above, without leaving any value blank. We use the private key to create a certificate signing request as follows: | ||
|
|
||
| ~~~~.sh | ||
| $ openssl req -new -key cert.key -out cert.csr | ||
| ~~~~ | ||
|
|
||
| Create the Configuration File | ||
| ------------------------------ | ||
| We create a configuration file named `openssl.cnf` in the current folder using any text editor of your choice: | ||
|
|
||
| ```conf | ||
| [#]Extensions to add to a certificate request | ||
| basicConstraints = CA:FALSE | ||
| authorityKeyIdentifier = keyid:always, issuer:always | ||
| keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment | ||
| subjectAltName = @alt_names | ||
| [ alt_names ] | ||
| DNS.1 = your hostname | ||
| ``` | ||
| ----------------------------------- | ||
|
|
||
| Sign the certificate request and enter the passphrase. Verify the correctness of the certificate as follows: | ||
|
|
||
| ```bash | ||
| $ ~/store-csr$ openssl verify -CAfile rootCert.pem -verify_hostname your hostname cert.crt | ||
| ``` | ||
|
|
||
| Add the certificate to the browser to avoid receiving warnings about untrusted certificates. For the Mozilla browser, follow these steps: | ||
|
|
||
| - Go to Preferences -> Privacy -> View Certificates. | ||
| - Import the rootCert.pem file. | ||
| - Click "Next" and then select "Trust this CA to identify websites." | ||
| - These steps will ensure that the root certificate is trusted by the browser for identifying websites. | ||
|
|
||
| *Tip: if you want to name or re-name your machine use: `sudo hostnamectl set-hostname [new-hostname]` and check with `hostnamectl`* | ||
|
|
||
| Move the certificate and key into the folders: | ||
|
|
||
| ```bash | ||
| $ ~/store-csr$ sudo cp cert.crt /etc/ssl/certs/ | ||
| $ sudo cp cert.key /etc/ssl/private/ | ||
| ``` | ||
|
|
||
| Nginx Configuration | ||
| ------------------- | ||
| Install Nginx: | ||
|
|
||
| ```bash | ||
| $ sudo apt install nginx | ||
| ``` | ||
|
|
||
| Create a configuration file inside `/etc/nginx/sites-available`. For example, create a file `yourhostname.conf`: | ||
|
|
||
| ```bash | ||
| /etc/nginx/sites-available$ sudo nano myhostname.conf | ||
| ``` | ||
|
|
||
| ```conf | ||
| server { | ||
| client_max_body_size 100M; | ||
| server_name yourhostname; | ||
| listen 443 ssl; | ||
| ssl_certificate /etc/ssl/certs/cert.crt; | ||
| ssl_certificate_key /etc/ssl/private/cert.key; | ||
| location / { | ||
| proxy_pass http://yourhostname:8000; | ||
| proxy_set_header Host $host; | ||
| proxy_set_header X-Forwarded-Proto https; | ||
| proxy_read_timeout 60; | ||
| proxy_connect_timeout 60; | ||
| proxy_set_header X-Real-IP $remote_addr; | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| Edit your ```bash /etc/hosts ``` file and add the line ```bash 127.0.0.1 “yourhostname” ``` using ```sudo```. | ||
|
|
||
| Restart the server: | ||
|
|
||
| ```bash | ||
| sudo systemctl restart nginx.service | ||
| ``` | ||
| *Tip: If you encounter any error check with `sudo tail -f /var/log/nginx/error.log`* | ||
|
|
||
| Create a symbolic link between the sites from nginx and your configuration file: | ||
|
|
||
| ```bash | ||
| sudo ln -s /etc/nginx/sites-available/yourhostname.conf /etc/nginx/sites-enabled/ | ||
| ``` | ||
|
|
||
| If everything is configured correctly, you should have access to your local website with your self-signed certificate, i.e., [https://my-hostname/](https://my-hostname/). This is a good way to test your web application locally before publishing it. Now you have created a local development environment to test your apps using HTTPS. | ||
|
|
||
| How to use OpenSSL to test an SSL connections | ||
| ============================================= | ||
| The OpenSSL tool includes many utilities. We can use one of them to verify a secure connection to a server. To do so, we will use the `s_client` utility to establish client-to-server communication. Therefore, we can determine whether a port is open, if the server is configured to support SSL, and when the certificate expires. | ||
|
|
||
| In the terminal, use `s_client` against a webserver with HTTPS. | ||
|
|
||
| #### What are the differences compared to other tools such as netcat or telnet? | ||
|
|
||
| Try running the command again with the `-crlf` and `-brief flags`. What is the difference?" | ||
|
|
||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| Introduction to PGP encryption | ||
| =============================== | ||
| This hands-on lab session aims to introduce you to PGP (Pretty Good Privacy), widely used encryption software for securing email communication and data files. Through practical exercises, you will learn how to generate PGP key pairs, encrypt and decrypt messages, sign and verify files, and exchange encrypted emails. This lab will provide all the essential skills for using PGP for secure communication and data protection. | ||
|
|
||
| Objectives: | ||
| ---------- | ||
| - Understand the principles of PGP encryption and digital signatures. | ||
| - Generate PGP key pairs for encryption and signing. | ||
| - Encrypt and decrypt messages using PGP. | ||
| - Sign and verify files using PGP digital signatures. | ||
| - Exchange encrypted messages with classmates. | ||
|
|
||
| Generating PGP Key Pairs to begin GPG tool to encrypt all the communication we want. | ||
| ------------------------------------------------------- | ||
|
|
||
| Use your VM to install `gnupg` with the appropriate command (if not already installed). On Debian that is: | ||
|
|
||
| ```bash | ||
| sudo apt-get install gnupg | ||
| ``` | ||
|
|
||
| First, create a keypair with the command: | ||
|
|
||
| ```bash | ||
| gpg --generate-key | ||
| ``` | ||
|
|
||
| *Tip: Don’t forget the passphrase, use a strong one!* | ||
|
|
||
| You can send your public key by exporting it through the GPG application: | ||
|
|
||
| ```bash | ||
| $ gpg --output ~/mypub.key --armor --export youremail@mail.com | ||
| ``` | ||
|
|
||
| You can send the key by email or any method of your choice. | ||
|
|
||
| How to import locally foreign public keys | ||
| ----------------------------------------- | ||
|
|
||
| We need to accept other users' public keys if we want to communicate with them. When you receive others' public keys, import them using the `import` parameter. | ||
|
|
||
| *Tip: There are other options to share your public key, such as using a public key server. Here's how to verify other keys.* | ||
|
|
||
| While it's generally safe to distribute your public keys, caution should be exercised when obtaining keys from other users. Therefore, it's crucial to verify the identity of others before importing their keys and initiating communication. A quick method to accomplish this is by comparing the fingerprints derived from those keys. Use the following command: | ||
|
|
||
| ```bash | ||
| $ gpg --fingerprint youremail@mail.com | ||
| ``` | ||
|
|
||
| This will result in a more concise string of numbers, making it easier to compare. We can then verify this string either with the individual themselves or with another party who has access to the person in question. | ||
|
|
||
| Now sign the keys | ||
| ------------------ | ||
|
|
||
| By signing each other's keys, we essentially indicate trust in the keys we possess and confirm the identity of the individual associated with that key. | ||
|
|
||
| ```bash | ||
| $ gpg --sign-key youremail@mail.com | ||
| ``` | ||
|
|
||
| To ensure that the person whose key you're signing benefits from your trusted relationship, send them back the signed key. You can accomplish this by typing: | ||
|
|
||
| ```bash | ||
| $ gpg --output ~/signed.key --export --armor youremail@mail.com | ||
| ``` | ||
|
|
||
| Upon receiving this newly signed key, they can import it, incorporating the signing information you've generated into their GPG database. They can achieve this by using the `import` parameter. | ||
|
|
||
| Now that you have established a secure channel to communicate with trusted ends, you can send and receive encrypted messages with each other! | ||
|
|
||
| After sharing your key with the other party, you can now send and receive encrypted messages. You can encrypt your messages with the following command: | ||
|
|
||
| ```bash | ||
| $ gpg --encrypt --sign --armor -r other_person@mail.com file_name | ||
| ``` | ||
|
|
||
| This command encrypts the message and signs it with your private key to ensure that the message originates from you. The output will be an encrypted file with the extension `.asc`. You can use the `cat` command to view the file. | ||
|
|
||
| Keep in mind that this message will be encrypted using the recipient's public key, making it unreadable to you (Unless you somehow obtain the recipient's private key!). | ||
|
|
||
| *Tip: You can modify the command above to generate a message only you can read, using your private key. Think about how.* | ||
|
|
||
| Decrypt received messages | ||
| ------------------------- | ||
| Upon message receipt, you would be able to read with the `gpg` command and the `decrypt` parameter. | ||
|
|
||
| *Tip: In case you have a raw stream text message, paste the message after typing `gpg` with no arguments. Then press `CTRL+D` to end the message.* | ||
|
|
||
| If you've completed all the above steps correctly, you can now communicate securely with different individuals. You can send your public key to multiple recipients and import multiple keys as well. This is an essential step to keep your messages private and protect your sensitive information from eavesdropping attacks. | ||
|
|
||
| Import other people's public keys from a public key server | ||
| --------------------------------------------------------- | ||
| An alternative method to share your GPG keys is through a public keyserver. Anyone can upload a key to a public server, making it accessible to others who may need to communicate securely with you. | ||
|
|
||
| Export your public key using: | ||
| ```bash | ||
| $ gpg --armor --export email | ||
| ``` | ||
|
|
||
| Send your public key to a public server using the `--send-key` parameter. By default, your key is sent to [https://keys.openpgp.org/](https://keys.openpgp.org/), or you can specify a different key server using the `--keyserver` option. | ||
|
|
||
| Before importing a user's key, verify its validity with the command `gpg --list-sigs user_id` where the `user_id` is for example the email address you want to communicate with. To find a key on a public keyserver, use the `--search` parameter. | ||
|
|
||
| Import the key you want with the `--import` parameter. You can once again verify the sender's identity using the `--fingerprint` parameter and checking its validity via a second channel. Then, similarly, sign the key obtained from the public key server. | ||
|
|
||
| ### Here you can find some key IDs of people you may certainly know: | ||
|
|
||
| + **413109AF27CBFBF9**, | ||
| + **9A88F479F6D1BBBA**, | ||
| + **1C29680110FA7E87** | ||
|
|
||
| These keys are on the [http://keyserver.ubuntu.com//](http://keyserver.ubuntu.com//) public keyserver. | ||
|
|
||
|
|
||
| - Use the `gpg` command with the `--search` parameter to find out, for each key, the associated email address or User ID (username). | ||
| - Use the `gpg` command with the `--recv-keys` parameter if you decide to import a key into your keyring. | ||
| - Use the `gpg` command with the `--fingerprint` option to verify the authenticity of the keys. | ||
| - Now, can you try searching based on the email addresses? | ||
| - Can you find Joseph's old expired key? |