CYBR 171 2023 T1: Lab Exercise 2

Due 02 Apr 11:59pm

Goals

This lab will give you practice at using command-line tools that:

  1. Perform symmetric encryption.
  2. Work with BASE64 files.
  3. Manage public keys.
  4. Encrypt files using public keys.

Preparation

Read through this lab exercise and watch the demonstration video for part three before you start to familiarise yourself with what needs to be done.

Summary

  1. Symmetric Cryptography:
    Watch the video and refer to the notes to complete the two exercises.
  2. Asymmetric Cryptography:
    Watch the video and refer to the notes to complete the exercise.
  3. Exercises to Complete:
    Complete these exercises and fill out the template with the answers. Submit the completed template via the submission system.
  4. Going Further:
    Want to go further? Check out the resources on PGP.

You should perform all of the following exercises using one of the ECS servers so we have consistent outputs.

1. Symmetric cryptography

OpenSSL (https://www.openssl.org/) is an open-source cryptography library that can be used to secure communications over computer networks. It is used across the Internet and provides security for the majority of all websites.

We are going to use the Linux version of OpenSSL, but versions are available for macOS and Microsoft Windows. The OpenSSL website only provides the source code, but binaries are available elsewhere (https://www.openssl.org/community/binaries.html).

OpenSSL is used for both symmetric and asymmetric cryptography, but we will be focusing on symmetric cryptography in this lab.

Getting Help

OpenSSL has many commands, but in this lab we use only the enc command that allows you to encrypt and decrypt data.

There are many options for this command; you can find out about them using the help command.

openssl help enc

Watch the video below that provides an overview and examples of using openssl.

Encryption and Decryption

Encrypt the contents of file filename1 with the AES algorithm using ECB mode, a key of 256 bits and write out the result into file filename2.

The option -pbkdf2 derives the 256-bit secret key from a password that you provide, and -pass allows you to specify that password on the command line.

openssl enc -aes-256-ecb -pbkdf2 -in filename1 -out filename2 -pass pass:hello

Decrypt the contents of filename2 using the -d option and write the result to filename3.

openssl enc -aes-256-ecb -pbkdf2 -d -in filename2 -out filename3 -pass pass:hello

Changing cryptographic algorithm and encryption mode

You can change the algorithm, key length and mode by changing -aes-256-ecb to the desired combination.

You can list the supported combinations using the following command.

openssl enc -ciphers

Note: the new version of OpenSSL does not, by default, support old/insecure algorithms. When encrypting or decrypting with some ciphers, e.g. Blowfish, you may get the following error message (or a similar one):

Error setting cipher BF-CBC
40C799C4DA7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (BF-CBC : 14), Properties ()

Use the following arguments along with your command to resolve the issue.

-provider legacy -provider default
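
The choice of mode is visible in the ciphertext itself. The script below is an added example, not part of the original lab; it goes beyond the commands above by encrypting a constructed 64-byte file of identical blocks under ECB and under CBC and counting the distinct 16-byte ciphertext blocks. The helper name distinct_blocks and the temporary files are assumptions; hello is the sample password used above.

```sh
#!/bin/sh
# Added example (not from the lab): how ECB and CBC treat repeated plaintext.
# distinct_blocks is a hypothetical helper; "hello" is the lab's sample password.

# Encrypt 64 zero bytes (constructed input: four identical 16-byte AES blocks)
# with the cipher named in $1 and print how many distinct ciphertext blocks result.
distinct_blocks() {
    work=$(mktemp -d) || return 1
    head -c 64 /dev/zero > "$work/plain"
    openssl enc "-$1" -pbkdf2 -in "$work/plain" -out "$work/ct" \
        -pass pass:hello || return 1
    # The first 16 bytes are the "Salted__" marker plus the 8-byte salt, so
    # skip them; od -v then prints every 16-byte block on its own line as hex.
    # Padding adds a fifth block, so five blocks are compared in total.
    tail -c +17 "$work/ct" | od -An -v -tx1 | sort -u | wc -l | tr -d ' '
    rm -rf "$work"
}

# ECB encrypts every block independently, so equal plaintext blocks give equal
# ciphertext blocks: only 2 of the 5 blocks are distinct.
echo "aes-256-ecb: $(distinct_blocks aes-256-ecb) distinct blocks out of 5"
# CBC chains each block with the previous ciphertext block: all 5 differ.
echo "aes-256-cbc: $(distinct_blocks aes-256-cbc) distinct blocks out of 5"
```

Anyone who sees the ECB ciphertext can tell that the plaintext repeats without knowing the password, which is why ECB is avoided for data longer than one block.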

Turning binary files into text

Base64 is an encoding scheme used to convert binary data into text that can be attached to email or sent via other text-only communication channels.

To convert from binary to text, use the following command where you replace filename2 and filename2-base64 with the files of your choice.

openssl enc -base64 -in filename2 -out filename2-base64

You could print out the contents of filename2-base64 and copy and paste them into an email message.

cat filename2-base64

Received a base64 message and want to convert back to binary? Just add -d and specify the base64 file as the input with the destination binary file as the output.

openssl enc -base64 -d -in filename2-base64 -out filename2-binary
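
Password-based openssl enc output starts with the 8-byte marker Salted__ followed by a random salt, so its Base64 form always begins with U2FsdGVkX1. The script below is an added example, not part of the original lab, that checks this prefix, the Base64 round trip, and the effect of the random salt; the helper names and temporary files are assumptions.

```sh
#!/bin/sh
# Added example (not from the lab). Helper names and temp files are hypothetical;
# "hello" is the lab's sample password and the message is constructed.

# Encrypt a constructed message as in the lab, Base64-encode it, decode it
# again, check that the round trip is byte-identical, and print the first ten
# Base64 characters.
base64_prefix() {
    work=$(mktemp -d) || return 1
    printf 'constructed sample message\n' > "$work/plain"
    openssl enc -aes-256-ecb -pbkdf2 -in "$work/plain" -out "$work/ct" \
        -pass pass:hello || return 1
    openssl enc -base64 -in "$work/ct" -out "$work/ct-base64" || return 1
    openssl enc -base64 -d -in "$work/ct-base64" -out "$work/ct-binary" || return 1
    cmp -s "$work/ct" "$work/ct-binary" || return 1
    head -c 10 "$work/ct-base64"
    rm -rf "$work"
}

# Encrypt the same message twice with the same password and print "differ"
# if the ciphertexts are not identical (a fresh random salt is used each time).
same_input_twice() {
    work=$(mktemp -d) || return 1
    printf 'constructed sample message\n' > "$work/plain"
    for n in 1 2; do
        openssl enc -aes-256-ecb -pbkdf2 -in "$work/plain" -out "$work/ct$n" \
            -pass pass:hello || return 1
    done
    if cmp -s "$work/ct1" "$work/ct2"; then echo same; else echo differ; fi
    rm -rf "$work"
}

echo "Base64 prefix: $(base64_prefix)"
echo "Two encryptions of one file: $(same_input_twice)"
```

Base64 only changes the representation: anyone can decode it, and the confidentiality still comes entirely from the encryption step before it.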

2. Asymmetric Cryptography using GPG

GPG stands for GNU Privacy Guard and is a free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP).

It is based on the Pretty Good Privacy (PGP) freeware software as originally developed in 1991 by Phil Zimmermann. For that, Phil was the target of a three-year criminal investigation, because the US government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its publication as freeware (in book form).

OpenPGP is a non-proprietary version of the PGP protocol for encrypting email using public key or asymmetric cryptography. The OpenPGP protocol defines standard formats for encrypted messages, signatures, private keys, and certificates for exchanging public keys.

We are using the gpg tool; there is another version called gpg2 that is more GUI friendly.

We're only going to look at a fraction of what is provided by gpg. Normally we would ask you to create a keypair, but that requires a lot of random input that isn't available unless you have a lot of activity. Our undergraduate servers are quiet and you will get due to working remotely and using the server.

Importing someone's public key

You can either import a public key from a keyserver available on the Internet (we are not doing that in this lab, because we do not want to fill it up with test keys) or receive it as a file and import it manually into your local keyring (the database holding your keys on the workstation). Let us assume that you have been sent someone’s public key by email and have saved the attached public key as the file publickey.asc somewhere you can find it.

The command for importing the key is:

gpg --import publickey.asc

Downloading from a key server

There is also the possibility that the person you need a key from has uploaded their key to a public key server. These servers store people’s public keys from all over the world. The key servers synchronize with one another periodically so that keys are universally available.

The pgp.net.nz key server is a New Zealand-based keyserver that we use for the assignment. The MIT public key server pgp.mit.edu is a popular key server and one that is regularly synchronized, so searching there should be successful. If someone has only recently uploaded a key, it might take a few days to appear.

Search for a key with the command below. Matches are listed for you and numbered. To import one, type the number and press Enter.

gpg --keyserver pgp.net.nz --search-keys cybr171@ecs.vuw.ac.nz

You can also search by fingerprint. This has the advantage of matching only one key rather than potentially multiple ones, especially when you consider that keys can expire.

gpg --keyserver pgp.net.nz --recv-keys FCFC5FFB4D0CB8E4

Note that we don't discuss uploading; this might be something you want to investigate in your own time.

Encrypting a file

To encrypt a file called message with CYBR171's public key so only CYBR171 will be able to read it:

gpg --encrypt -r cybr171@ecs.vuw.ac.nz -a message

This will create a file called message.asc that is in the format of an ASCII-armored file. ASCII is an older encoding scheme than UTF-8 and this format is used for sending output within an email or other text-based communication system.

Decrypting a file

So you have received a file or a message encrypted with GPG and you want to decrypt it. All you need to do is use the following command (where you replace myfilename with the name of the encrypted file):

gpg --decrypt myfilename

You need the private key. We skip this bit and leave it as an optional exercise.

Verifying a signature

Imagine that cybr171@ecs.vuw.ac.nz has provided a file signed-message.asc to you and you want to verify that they really created it.

They have signed it using their private key.

You can use the --verify command to do this.

gpg --verify signed-message.asc

If the signature is valid, it will output that it is a good signature.

You will have to use verify to complete one of the questions in the assignment.

Exercises to Complete

The instructions below require cutting and pasting into a file you create. You can skip these steps for exercises 2 and 3 by downloading a zip file and unpacking it in your home directory. You should use these commands:

curl -O https://ecs.wgtn.ac.nz/foswiki/pub/Courses/CYBR171_2023T1/Lab2/lab2.zip
unzip lab2

This is a useful list of the different symmetric ciphers supported by OpenSSL. Note that you can also use the command man openssl-enc. It will help with questions one and two.

1. Create a file called plaintext.txt containing your name and student ID. You should encrypt this using AES with a key length of 256 under CBC mode. Use the passphrase mypassword. Now convert the encrypted file to base64 and display the contents of this converted file using cat. Copy and paste the commands you have used and also the output into your answer file.

2. Copy and paste the encrypted data shown below into a file called ciphertext.txt. Convert it from base64 into a binary file. This file has been encrypted using Blowfish with CBC encryption mode with the passphrase yourpassword. Decrypt the file and display the contents of the decrypted file using cat. Copy and paste the commands you have used and also the output into your answer file.

U2FsdGVkX19ANAevL860iGO5mR7ClWYsrsrDVAwhjLWYfzKnDi08Lw==

3. Import the public key below. Use the command gpg --list-keys to check it was imported correctly (hint - the name is bob). Use the plaintext.txt file containing your Student ID and name from the previous exercises. Encrypt the file plaintext.txt using the public key associated with bob@ecs.vuw.ac.nz. Use the -a option to make sure the output is an ASCII-armoured file. Use the command cat to display the contents of the encrypted file. Copy and paste the commands you have used and also the output into your answer file.

Submit your answers to these questions using the submission system. In your web browser, go to the top of the Lab Exercise 2 page, and click on the "Submit" link.

The submission page will let you upload your files to the submission system, where the tutors and markers can access them.

You may re-submit the same file as often as you like, but the submission system will only remember the latest version of each file.

Use the "+Upload files..." button, then navigate to and select the Lab2_answer_sheet.txt file, which you created on your desktop computer.

If you accidentally add a file the submission system does not accept, e.g. Lab2_answer_sheet.docx, a red line will be shown.

Once you submit your answers, the submission process should complete successfully and you will be presented with a success screen.

If you decide you want to change your answers after submission, you should submit them again using the same process. You can resubmit files as many times as you wish; your latest submission will be treated as the real submission. This means that you can submit your answers earlier in the week when they are only partly done, and then submit them again later when you have got more finished. This is a good way of checking that the submission process is working.

Going Further

Here are some more resources if you want to explore PGP further. We recommend that you either install the software on your own machine or use an ECS workstation. When using the servers we have had problems generating keys due to the lack of entropy.

You might want to explore yourself:
  • Creating your own public and private keys.
  • Exchanging your public keys with someone else.
  • Verifying and signing the public keys so that you know they are authentic.
  • Sending each other encrypted messages and decrypting them.
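
The steps listed above, together with the import, encrypt, decrypt and verify commands from section 2, run end to end in the script below. It is an added example, not part of the original lab: it uses throwaway keys in temporary keyrings, and the identity alice@example.test, the passphrase, the file names and the helper functions are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the lab): a full key exchange with throwaway keys.
# alice@example.test, demo-passphrase and the helper names are constructed.
# Each party works in its own temporary keyring, so real keyrings are untouched.
as_owner() {
    gpg --homedir "$owner" --batch --quiet --pinentry-mode loopback \
        --passphrase demo-passphrase "$@"
}
as_sender() { gpg --homedir "$sender" --batch --quiet "$@"; }

# Runs the exchange and prints the decrypted message; fails if any step fails.
gpg_exchange() {
    owner=$(mktemp -d) && sender=$(mktemp -d) || return 1

    # Key owner: create a key pair and export the public half.
    as_owner --quick-generate-key 'Alice <alice@example.test>' \
        default default never || return 1
    as_owner --armor --export alice@example.test > "$sender/publickey.asc"

    # Sender: import the key, then encrypt a message to it. A freshly imported
    # key is not yet trusted, so batch mode needs --trust-model always; in
    # real use, compare the fingerprint with the key owner before relying on it.
    as_sender --import "$sender/publickey.asc" || return 1
    printf 'constructed message\n' > "$sender/message"
    as_sender --trust-model always --encrypt -r alice@example.test -a \
        "$sender/message" || return 1

    # Key owner: decrypt with the private key, then sign the message.
    as_owner --decrypt "$sender/message.asc" || return 1
    as_owner --output "$sender/signed-message.asc" --clearsign \
        "$sender/message" || return 1

    # Sender: verify the signature against the imported public key.
    as_sender --verify "$sender/signed-message.asc" || return 1

    # Stop the background agents started for the temporary keyrings.
    gpgconf --homedir "$owner" --kill all
    gpgconf --homedir "$sender" --kill all
    rm -rf "$owner" "$sender"
}

echo "Decrypted after a verified exchange: $(gpg_exchange)"
```

gpg reports a good signature together with a warning that the key is not certified, because the imported key has not been signed or marked as trusted in the sender's keyring.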