PKI Lab

The document discusses tasks related to deploying SSL certificates for HTTPS websites. It involves becoming a certificate authority, generating certificates, and configuring an Apache web server to use the certificates. Screenshots and explanations are provided for configuring DNS, the web server, importing certificates, and observing browser security indicators.


New York Institute of Technology
School of Engineering and Computing Sciences
INCS 741 - Cryptography

Exploring Symmetric Key Encryption Modes

Group 1
Marcelo Magnus Antunes de Oliveira (1282591)
Meet Soni (1279545)
Harshita Grover (1276595)

Professor: Tokunbo Makanju

Date Submitted: April 15, 2021

PKI Lab Report

2.1 Task 1: Becoming a Certificate Authority (CA)

Please answer the questions below:
1. How is the ownership of a public key being certified?
Ownership of a public key certificate is based on the integrity and identification
provided by both parties.

2. What is the purpose of this task?

The main focus is to make the website private by using public key certificates issued
through trusted entities such as a Certificate Authority.

3. What does root CA do?


A root Certificate Authority is used to own one or more trusted roots. It mainly
identifies the root certificate.

4. Are root CA’s certificates trusted?

Every root CA issues SSL certificates, which are used by major industries and
proprietary companies.

5. What does a file with the .cnf extension mean?

The .cnf file extension is associated with telnet connection files. These files
mainly store the information used to connect over a telnet connection.

Provide the screenshot of creating the necessary folder and files for this task: [1 Mark]

What does this openssl command do here? [1 Mark]

$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

This command is used to generate a self-signed certificate for the Certificate Authority. It
prompts for the information that goes into the certificate.
Please find out about the openssl command for this task and fill out the table below:

req Creates a certificate signing request.

-new Creates a new request.

-x509 Outputs a self-signed certificate instead of a request (handled by the x509 module).

-keyout Path of the file where the newly created private key is written.

-out Specifies the output file where the result will be stored.

-config Specifies the configuration file to use.

Please provide the screenshots of:


1. The command you are running [1 Mark]

2. The output files after running the command [1 Mark]


The output file ca.key:
The output file ca.crt:

2.2 Task 2: Creating a Certificate for SEEDPKILab2020.com

Please find out the openssl command parameters in this task and fill out the table
below:
genrsa Creates a new RSA private key.

-aes128 Encrypts the private key with the specified cipher before writing it out.

-out filename Results are stored in the specified output file.

1024 The length, in bits, of the private key.

Please provide the screenshot of the output for running this command and answer the
questions below. [2 Marks] [0.5 for each question and 1 for the screenshot]
1. What is the output file? [0.5]
The output file generated after running the command
$ openssl genrsa -aes128 -out server.key 1024
is the file “server.key”.
2. What is the role of the output file? [0.5]

The output file “server.key” stores the public/private RSA key pair generated by
the openssl command.

Screenshot: The file “server.key” is generated.

Please fill out the table below and explain what this command is used for. [2 Marks]
Answer:
rsa Runs the RSA key processing program.

-in filename Specifies the input file to read for processing.

-text Prints out the certificate in text format.

Provide screenshots to display the content of server.key: [1 Mark]

Generate a Certificate Signing Request (CSR)

What does a CSR include? [0.5]
Answer: The CSR includes the public key chosen by the applicant (the client requesting that
a certificate be generated), together with information identifying the applicant, and it is
signed with the applicant’s private key. The identifying information is, for example, a
distinguished name or an email address in the case of an X.509 certificate.

What is -key in the command below used for? [0.5 Mark]

Answer: The -key option in the command specifies the key file to be used.
Provide a screenshot of running the command and the result [1 Mark]
Running the command produces the output file “server.csr”.

Generating Certificates

Please fill out the table below to explain the related openssl command parameters:
ca Loads the Certificate Authority module.

-in filename Specifies the input file to read for processing.

-out filename Results are stored in the specified output file.

-cert The Certificate Authority’s certificate file.

-keyfile filename The private key used to sign requests.

server.csr The input file (the signing request) to be processed.

server.crt The file that stores the resulting signed certificate.

ca.crt The CA’s (self-signed) certificate.

ca.key The private key belonging to the CA certificate.

Please provide screenshots of: [3 Marks] [1 Mark each]

1. Generating the certificate
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

2. The result of running the command

The output of the command is the file “server.crt”.
3. Certificate files generated

Displaying the contents of the server.crt file.

Displaying the contents of the 1000.pem file.
2.3 Task 3: Deploying Certificate in an HTTPS Web Server

Please provide the screenshot of how you configure the web server and what the
result is. Then write down your observation. [2 Marks for screenshot and the result + 1 Mark
for observation]
Step 1: Configuring the DNS
Open the file named hosts in the /etc directory.
The /etc/hosts file opens up.
Add the following entry to the /etc/hosts file:
127.0.0.1 SEEDPKILab2020.com

Exit the gedit editor.

Step 2: Configuring the web server

Copy the contents of the “server.key” and “server.crt” files into a “server.pem” file.
Launch the web server using the “server.pem” file.

Point the browser to https://SEEDPKILab2020.com:4433. Please describe and explain
your observations: [2 Mark]
Observations and Explanation:
When we point the browser to the “https://SEEDPKILab2020.com:4433” URL, the browser displays
the message that the connection to the site is not secure. This is because the certificate of the
website was not issued by a trusted CA: it was issued by our own CA, and this CA is not
known/trusted by the browser.
Screenshots:
The browser prompts that the connection to the site is not secure.

Observations and Explanation:


In order for the browser to accept/recognise the certificate and make the connection secure, we
have to manually make the browser recognise our own created CA by adding the certificate
(ca.crt) manually to the browser’s trusted certificates. For that, in the browser, we will go to the
Preferences > View Certificates > Import and then import the file named “ca.crt” to the browser
as shown in the screenshots below.
After we make the browser recognise the CA and trust it, we will observe that we will not see
any error or prompt saying “insecure connection”. Rather we can see that the browser has
accepted the certificate and has recognised the website to be a secure one.
Screenshots of the process: Go to Preferences in the browser window.
Scroll down to the “View Certificates” tile.

Click on “View Certificates”.


Click on the “Import” tile.

In the prompt, tick the option “Trust this CA to identify websites”.
Click “Ok” and we will see the certificate in the Certificate Manager.

Reload the browser and visit the url “https://seedpkilab2020.com:4433” and we can now see
that the browser has accepted the certificate and has also recognised the CA.
Modify a single byte of server.pem, restart the server, and reload the URL. What do
you observe? Provide the screenshot of the result. [2 Marks]
Observation: When a single byte of server.pem is changed and we restart the server, the
server gives an error and does not accept the key file. When we reload the URL, the browser
does not establish the connection because the server is not able to serve the webpage.
Screenshots:
Open the file server.pem.
The file server.pem is displayed.

We change a single byte, “h”, to “p” as shown in the image below.
Save and exit.

Start the server.

Reload the page.

Since SEEDPKILab2020.com points to the localhost, if we use https://localhost:4433
instead, we will be connecting to the same web server. Please do so, describe and
explain your observations, and provide the screenshot of the result [2 Marks]
Observations:
Although seedpkilab2020.com points to the localhost, using https://localhost:4433 still
does not establish a secure connection, because the CA has not issued the certificate to
localhost; hence the browser prompts that the connection is not secure.
Screenshot:
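The chain built in Tasks 1 and 2 and the Task 3 observations (CA not imported, CA imported, https://localhost, and the single-byte edit to the key file) reproduced with openssl, as an added example that is not part of the report. It assumes openssl is installed with its default openssl.cnf, signs with `openssl x509 -req` instead of the lab's `openssl ca` (so no demoCA layout is needed), and uses a constructed passphrase and subject names; the hostname check falls back to the CN because the lab's certificate carries no subjectAltName, which current browsers would additionally require.

```shell
#!/bin/sh
# Added example (not from the lab report): rebuilds the Task 1-2 certificate
# chain non-interactively and reproduces the Task 3 browser observations with
# `openssl verify`. Signing uses `openssl x509 -req` instead of the lab's
# `openssl ca`, so no openssl.cnf/demoCA layout is needed. Names and the
# passphrase are constructed values.
PASS="pass:lab-passphrase"   # constructed; the lab prompts for it instead
# make_pki DIR: writes ca.key/ca.crt and server.key/server.csr/server.crt under DIR
make_pki() {
  dir=$1
  # Task 1: root CA; basicConstraints marks it as a CA that may sign certificates
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -keyout "$dir/ca.key" -passout "$PASS" \
      -subj "/CN=SEED Lab Root CA" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" -passin "$PASS" \
      -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # Task 2: server key (2048 bits here; the lab uses 1024), CSR, CA-signed certificate
  openssl genrsa -aes128 -passout "$PASS" -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -passin "$PASS" \
      -subj "/CN=SEEDPKILab2020.com" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -passin "$PASS" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}
# cert_ok DIR CAFILE HOST: exit 0 iff server.crt chains to CAFILE and its name matches
# HOST. An empty CAFILE means "our CA was never imported", like a fresh browser.
cert_ok() {
  dir=$1; cafile=$2; host=$3
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" -verify_hostname "$host" "$dir/server.crt" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$dir/server.crt" >/dev/null 2>&1
  fi
}
# key_loads FILE: exit 0 iff the PEM key decrypts, parses and passes openssl's
# consistency check (-check does not fail the exit code by itself, so grep its output)
key_loads() {
  openssl rsa -in "$1" -passin "$PASS" -noout -check 2>/dev/null | grep -q 'RSA key ok'
}
# corrupt_one_byte SRC DST: copy SRC with the first 'h' after the BEGIN line turned
# into 'p', the same single-byte edit the lab makes to server.pem
corrupt_one_byte() {
  awk 'NR > 1 && !done && sub(/h/, "p") { done = 1 } { print }' "$1" >"$2"
}
# Stand-alone demo; each line mirrors one observation from Task 3
d=$(mktemp -d); make_pki "$d"; corrupt_one_byte "$d/server.key" "$d/server.bad"
cert_ok "$d" "$d/ca.crt" SEEDPKILab2020.com && echo "CA imported, name matches: trusted"
cert_ok "$d" "" SEEDPKILab2020.com || echo "CA not imported: browser warns"
cert_ok "$d" "$d/ca.crt" localhost || echo "https://localhost:4433: name mismatch"
key_loads "$d/server.bad" || echo "one byte changed: server cannot load the key"
```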

2.4 Task 4: Deploying Certificate in an Apache-Based HTTPS Website

Please answer the questions below: [1 Mark] [0.5 for each]
1. Any changes in the file 000-default.conf would be reflected in the HTTP webpage of
the website that we host.
2. Any changes in the file default-ssl.conf would be reflected in the HTTPS webpage of
the website that we host.

Screenshots of the whole process:

Create a directory /cryptopki in the /var/www directory. Also, copy the html file (index.html) from
the /var/www/html/ directory to the /var/www/cryptopki directory that we created.

Create a directory /ssl in /etc/apache2 where the public and private keys of the webpage are
kept.
Copy the server.crt and server.key files into pki_cert.pem and pki_key.pem files respectively.
Then move these .pem files to the /etc/apache2/ssl directory so the server can access them.

Provide a screenshot of the changes you have done on each file. [2 Marks]
Go to the /etc/apache2/sites-available directory and open the file named “000-default.conf”.

The file “000-default.conf” is displayed.

Changes in the file: 000-default.conf ; Add the <VirtualHost *:80> as shown in the image below:
Next, open the file named default-ssl.conf.

The file default-ssl.conf is displayed.


Changes in the file: default-ssl.conf; Add the <VirtualHost *:443> as shown in the image below:
Provide the screenshot of the result of this task. [2 Marks]
Running the Apache server.

Output of the task: Accessing the URL “https://seedpkilab2020.com” is shown in the following
image.
Please explain your observation.
As we have seen in the experiment of this task, we used a pre-built html file (index.html)
as a frontend for the website named SEEDPKILab2020.com, deployed the certificate
of the website on an Apache server and made it a secure webpage. We also observed that
any changes to the default-ssl.conf file affect the HTTPS webpage, whereas any
changes to the 000-default.conf file affect the HTTP webpage of the website. That
means that in order to deploy a certificate to the server, we need to make changes in the
default-ssl.conf file, which then makes the connection between the browser and the server secure.
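The two VirtualHost blocks this task describes, written out as an added example (the report only shows them as screenshots, so this is not the report's own file). It uses the directory and file names the report gives; everything else is the minimal Apache directives needed.

```apache
# /etc/apache2/sites-available/000-default.conf : plain HTTP on port 80
<VirtualHost *:80>
    ServerName SEEDPKILab2020.com
    DocumentRoot /var/www/cryptopki
</VirtualHost>

# /etc/apache2/sites-available/default-ssl.conf : HTTPS on port 443.
# This is the block that makes the browser-to-server connection secure.
<VirtualHost *:443>
    ServerName SEEDPKILab2020.com
    DocumentRoot /var/www/cryptopki
    SSLEngine on
    # pki_cert.pem / pki_key.pem are the copies of server.crt / server.key
    # made in this task; the key is AES-encrypted, so Apache asks for its
    # passphrase when it starts.
    SSLCertificateFile    /etc/apache2/ssl/pki_cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/pki_key.pem
</VirtualHost>
```

On Debian-based systems the SSL module and the site must be enabled (a2enmod ssl, a2ensite default-ssl) before the port 443 host is served.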

2.5 Task 5: Launching a Man-In-The-Middle Attack

Please provide the screenshot of how you set up the malicious website. [2 Marks]
Step 1: Setting up the malicious website
Go to the /etc/apache2/sites-available directory and open the file default-ssl.conf.

Add the <VirtualHost *:443> element for the website “instagram.com” to the file, as shown in
the image below.

Save and exit the file.


Step 2: Becoming the Man in the Middle
Open the file /etc/hosts.

Enter the following entry in the file.


127.0.0.1 instagram.com
Save and exit the file
Step 3: Running the Apache server and browsing the target website
Running the Apache server.

Browsing the website “instagram.com”; it is not a secure page, as shown.

Try browsing the https://instagram.com web page to see whether the connection is secure or not.
The connection is not secure, as shown in the image.

Please explain your observations [2 Marks]

Through this task, we observed that we succeed in making a user who accesses
instagram.com land on the malicious webpage; however, the browser still displays the warning
that the connection is not secure. If the user accesses the http://instagram.com
webpage, he/she will land on the malicious page but will observe that the connection is not
secure (because of the HTTP protocol used). In addition, if the user accesses the
https://instagram.com webpage, the browser will display a prompt saying that the
connection to this website is not secure.
Hence, we are unable to launch a Man in the Middle attack.

2.6 Task 6: Launching a Man-In-The-Middle Attack with a Compromised CA

Please provide screenshots of the steps below: [6 Marks]

1. Generate the public/private key pair for nyit.edu
The command used is:
$ openssl genrsa -aes128 -out nyit.key 1024
2. Generate the CSR
The command used is:
$ openssl req -new -key nyit.key -out nyit.csr -config openssl.cnf
3. default-ssl.conf configuration changes

4. The malicious html file

5. The CSR for nyit.edu

6. Result of using the changed certificate


The output of the task performed:

Explain your observation

As opposed to the experiment done in Task 5, we are easily able to launch the Man in the
Middle attack because the CA’s private key is compromised: we created a new
certificate for the legitimate site “nyit.edu” and made it land on our compromised webpage, as
shown in the screenshots.
