Practical Cryptography

Requirements

  • openssl version (1.1.1a)
  • curl --version (7.64.0)
  • php --version (7.3.2)
  • php -m |grep -e openssl -e curl
  • composer --version (See https://getcomposer.org/download/) (1.8.4)
  • docker --version (18.09.2-ce)
  • libtasn1 (brew install libtasn1) (4.13)
Razorpay

Practical PKI

nemo

Why

Objectives

  • Get familiar with Crypto primitives
  • Hands-on with
    • OpenSSL
    • TLS
    • Curl

Non-Goals

  • Understanding all Crypto-Attacks (we'll discuss a couple)
  • Elliptic Curve Crypto
  • crypto-currencies 🤑
  • Math
  • Intermediate Certs
  • Cert Revocation

Setup

  1. Have a browser open with Google (Lots of googling needed for this)
  2. git clone git@github.com:captn3m0/crypto.koans.git && cd crypto.koans
  3. composer install

Koans 💃

koan

noun, plural ko·ans, ko·an. Zen.

  1. a nonsensical or paradoxical question to a student for which an answer is demanded, the stress of meditation on the question often being illuminating.

What is the colour of wind?

Ruby 💎

ruby path_to_enlightenment.rb

Thinking AboutAsserts
test_assert_truth has damaged your karma.

You have not yet reached enlightenment ...
<false> is not true.

Please meditate on the following code:
./about_asserts.rb:10:in `test_assert_truth'
path_to_enlightenment.rb:27

mountains are merely mountains
# We shall contemplate truth by testing reality, via asserts.
def test_assert_truth
  assert false # This should be true
end

tl;dr

  1. Run tests
  2. Why is the test failing? (koans/files directories)
  3. Get it to pass

πŸ‘ŒπŸΌ Don't Cheat

  • ❗ Means you must do something here
  • Keep a solutions.md file listing down commands as you run them

Setup

  1. Have a browser open with Google (Lots of googling needed for this)
  2. git clone git@github.com:captn3m0/crypto.koans.git && cd crypto.koans
  3. composer install
  4. vendor/bin/phpunit
  5. man openssl, man curl

🧘‍♀️🧘‍♂️

vendor/bin/phpunit

OpensslKeyGenerationKoans.php

vendor/bin/phpunit --filter BOpensslKeyGenerationKoans

Questions❓

FileFormatKoans.php

vendor/bin/phpunit --filter CFileFormatKoans

Questions❓

  • What is PEM vs DER?
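As an added illustration of the PEM-vs-DER question (example code, not a file from the crypto.koans repo), the following script writes one throwaway RSA public key in both encodings and checks what actually differs between them. It assumes openssl 1.1.1 or newer on PATH and runs in a scratch directory; the file names key.pem, pub.pem, pub.der and rt.pem are its own.

```sh
#!/bin/sh
# Added example, not from the crypto.koans repo: the same public key in PEM and
# DER, and the three things that differ. Assumes openssl 1.1.1+ on PATH and
# runs in a scratch directory.
set -eu
cd "$(mktemp -d)"

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem 2>/dev/null
openssl pkey -in key.pem -pubout -out pub.pem                # PEM: armour lines + base64
openssl pkey -in key.pem -pubout -outform DER -out pub.der   # DER: the raw ASN.1 bytes
# Certificates follow the same pattern: openssl x509 -in x.pem -outform DER -out x.der

# pem_body FILE: the base64 between the BEGIN/END lines, joined into one line
pem_body() { sed '/^-----/d' "$1" | tr -d '\r\n'; }
# der_b64 FILE: the DER bytes base64-encoded on one line (openssl base64 -A is
# the same on every platform; GNU base64 -w0 and BSD base64 differ)
der_b64() { openssl base64 -A -in "$1"; }
# first_tag FILE: first byte of the DER as two hex digits. X.509 objects and
# keys are ASN.1 SEQUENCEs, so a DER file starts with 0x30, never with '-'
first_tag() { od -An -tx1 -N1 "$1" | tr -d ' \n'; }
# pem_label FILE: the label on the BEGIN line ("PUBLIC KEY", "CERTIFICATE", ...);
# it tells tools which structure to expect. DER carries no such hint, which is
# why DER-reading commands need -inform DER and the right subcommand.
pem_label() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1; }
# same_object PEM DER: true when the PEM is exactly base64(DER) plus armour
same_object() { [ "$(pem_body "$1")" = "$(der_b64 "$2")" ]; }
# roundtrip_same PEM DER: true when decoding the DER and re-encoding as PEM
# reproduces the PEM file byte for byte (nothing is lost either way)
roundtrip_same() { openssl pkey -pubin -inform DER -in "$2" -out rt.pem && cmp -s "$1" rt.pem; }

# The structure is visible in either encoding; only the container differs.
openssl asn1parse -inform DER -in pub.der
echo "label: $(pem_label pub.pem); first DER byte: 0x$(first_tag pub.der)"
same_object pub.pem pub.der && echo "pub.pem is base64(pub.der) with armour"
roundtrip_same pub.pem pub.der && echo "DER -> PEM round trip is lossless"
```

The practical consequence: a tool that says "unable to load certificate" on a DER file is usually just missing `-inform DER`, and a PEM file can hold several objects back to back (a chain) while a DER file holds exactly one.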

Theory Break 1

  • Keys
  • Certificates
  • Signatures

CA Certificates

vendor/bin/phpunit --filter DCaCertificateKoans

Generate A CA Certificate

testCaCertificateExists

openssl req -x509 \
  -newkey rsa:1024 \
  -keyout files/ca.key \
  -nodes \
  -out files/ca.pem \
  -subj '/CN=crypto.koans.invalid'
# rsa:1024 keeps the koans fast; for anything real use rsa:2048 or larger.
# -nodes leaves ca.key unencrypted, so never hand it to your partner.

Generate a Certificate Signing Request

openssl req -new \
  -key files/1.key \
  -subj '/CN=server.crypto.koans.invalid' \
  -out files/1.csr

Sign your CSR with your CA

openssl x509 -req \
  -in files/1.csr \
  -CA files/ca.pem \
  -CAkey files/ca.key \
  -CAcreateserial \
  -out files/1.crt

What can a Certificate Do?

openssl x509 \
  -in google.pem \
  -purpose \
  -noout  # Remove this and retry

Generate a Client Certificate

Step 1

printf "extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature" > client.cnf

Generate a Client Certificate

Step 2

# As Alice
openssl req -subj '/CN=alice.crypto.koans' \
  -key files/client.key \
  -new \
  -out files/client.csr
# Alice sends client.csr to Bob, who saves it as alice.csr
# As Bob
openssl x509 -req -in files/alice.csr \
  -CA files/ca.pem \
  -CAkey files/ca.key \
  -CAcreateserial \
  -extfile client.cnf \
  -out files/alice.crt

Generate a Client Certificate

Step 3

  1. Save the alice.crt Bob returns as client.crt
  2. Save the CA certificate you received from Bob as bob.pem
  3. See testClientBundleGenerated

Theory Break 2

What Alice Had

  1. Client (client.key, client.csr)

What Bob Had

  1. Client CSR (client.csr)
  2. CA (ca.pem, ca.key)

What Bob Had

  1. Client CSR (client.csr, alice.crt)
  2. CA (ca.pem, ca.key)

What Alice Has

  1. Client (client.key, client.csr, client.crt)
  2. Bob's CA (bob.pem)

What Bob Has

  1. Server (1.key, 1.csr, 1.crt)
  2. CA (ca.pem, ca.key)

What Alice Has

  1. Client (client.key, client.crt)
  2. Bob's CA (bob.pem)

What Bob Has

  1. Server (1.key, 1.crt)
  2. Bob's Own CA (ca.pem)

Where we're going

🐳 🚀

🐳 1️⃣ / 2️⃣

As Bob

Bring up a server using your key (1.key) and certificate (1.crt) and allow any client signed
by your CA (ca.pem) to talk to you.

docker run --volume "$(pwd)/files:/etc/koans" \
  --publish 8443:443 \
  captn3m0/crypto.koans
# nginx directives inside the container:
# ssl_certificate /etc/koans/1.crt;
# ssl_certificate_key /etc/koans/1.key;
# ssl_client_certificate /etc/koans/ca.pem;
# Give your WiFi IP to your partner

🐳 2️⃣ / 2️⃣

As Alice

Use the certificate (signed by Bob) and the key
(which only you have) to talk to Bob's server (which
you can verify using the CA given)

curl https://server.crypto.koans.invalid:8443 \
  --resolve server.crypto.koans.invalid:8443:192.168.1.121 \
  --cert files/client.crt \
  --key files/client.key \
  --cacert files/bob.pem
# Or, instead of --resolve, add the server to /etc/hosts:
# 192.168.1.121 server.crypto.koans.invalid

Browser 🌍

  1. Import bundle.pfx in your browser
  2. Trust the imported CA (bob.pem) to identify websites
  3. Open https://server.crypto.koans.invalid:8443