applied-cryptography/appliedcrypto
1
0
Fork 0
mirror of https://github.com/billbuchanan/appliedcrypto.git synced 2026-02-20 13:50:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
appliedcrypto/z_jupyter/10_digital_certs.ipynb
billbuchanan bd13a9d0cb Labs
2026-02-04 09:47:31 +00:00

533 lines
22 KiB
Plaintext
Raw Permalink Blame History

{
"cells": [
{
"cell_type": "markdown",
"id": "a7782a35",
"metadata": {},
"source": [
"# Trust and Digital Certificates\n",
"\n",
"Objective: Digital certificates are used to define a trust infrastructure within PKI (Public Key Infrastructure). A certificate can hold a key pair, while a distributable certificate will only contain the public key. In this lab we will read-in digital certificates and analyse them. A lab demo is [here](https://youtu.be/-uNQFv0GTZc).\n",
"\n",
"\n",
"## A\tIntroduction\n",
"\n",
"### A.1\t\n",
"From this web link (Digital Certificate): \n",
"\n",
"```\n",
"http://asecuritysite.com/digitalcert/digitalcert\n",
"```\n",
"\n",
"Open up Certificate 1 and identify the following:\t\n",
"\n",
"* Serial number:\n",
"* Effective date:\n",
"* Name:\n",
"* Issuer:\n",
"* What is CN used for:\n",
"* What is OU used for:\n",
"* What is O used for:\n",
"* What is L used for:\n",
"\n",
"The public key should be \"30818902 ... 203010001\". We can see this starts with \"30\", and which represents a DER format. We can examine by pasting into this DER analyser [here](https://asecuritysite.com/digitalcert/sigs3). Using this, what do the two values represent, and what type of public key is it?\n",
"\n",
"\n",
"### A.2\t\n",
"Now open-up the ZIP file for the certificates , and view the CER file.\n",
"\n",
"* What other information can you gain from the certificate:\n",
"* What is the size of the public key:\n",
"* Which hashing method has been used:\n",
"* Is the certificate trusted on your system: [Yes][No]\n",
"\n",
"### A.3\t\n",
"Make a connection to the www.live.com Web site:\n",
"\n",
"```\n",
"openssl s_client -connect www.live.com:443\n",
"```\n",
"\n",
"Can you identity the certificate chain?\n",
"\n",
"What is the subject on the certificate?\n",
"\n",
"Who is the issuer on the certificate?\n",
"\n",
"### A.4\t\n",
"\n",
"Google moved in July 2018 to mark sites as being insecure if they did not have a match between their digital certificate and the site. First open a browser and see if you can access testfire.net (you can try both https and http for the connection). \n",
"\n",
"* Run a scan from [SSLLabs](https://www.ssllabs.com/) on testfire.net. What do you observe from the result?\n",
"* What is the SSLLabs rating on this site? Is it \"A\", \"B\", \"C\", \"D\", \"E\" or \"F\"?\n",
"* What does a “T” rating identify?\n",
"* Can you locate another \"T\" rated site?\n",
"\n",
"### A.5\t\n",
"Which the certificates in A.2, for Example 2 to Example 6. Complete the following table:\n",
"\n",
"|Cert|\tOrganisation (Issued to)|\tDate range when valid|\tSize of public key|\tIssuer|\tRoot CA\tHash method|\tIs it trusted?|\n",
"| ----| --- | ---| ---| ---| ---| ---| \n",
"| 2 | ||||||\t\t\t\t\t\t\t\n",
"|3 | ||||||\t\t\t\t\t\t\t\n",
"|4 | ||||||\t\t\t\t\t\t\t\n",
"|5 | ||||||\t\t\t\t\t\t\t\n",
"|6 | ||||||\t\t\t\t\t\t\t\n",
"\n",
"### A.6\t\n",
"Now download the DER files from:\n",
"\n",
"Web link (Digital Certificate): http://asecuritysite.com/der.zip\n",
"\n",
"Now use openssl to read the certificates:\n",
"\n",
"```\n",
"openssl x509 -inform der -in [certname] -noout -text\n",
"```\n",
"\n",
"### A.7\n",
"Examine the following certificate, and identify its weakness.\n",
"\n",
"![alt text](http://asecuritysite.com/public/certp.png)\n",
"\n",
"There are two OID numbers related to the public key encryption method and the siganture method. Use this page [here](https://oidref.com/) to identify them.\n",
"\n",
"## B\tCreating certificates\n",
"\n",
"Now we will create our own self-signed certificates.\n",
"\n",
"\n",
"### B.1\t\n",
"Create your own certificate from:\n",
"\n",
"Web link (Create Certificate): [here](http://asecuritysite.com/digitalcert/createcert)\n",
"\n",
"Add in your own details.\t\n",
"\n",
"* View the certificate, and verify some of the details on the certificate.\n",
"* Can you view the DER file?\n",
"\n",
"We have a root certificate authority of My Global Corp, which is based in Washington, US, and the administrator is admin@myglobalcorp.com and we are going to issue a certificate to My Little Corp, which is based in Glasgow, UK, and the administrator is admin@mylittlecorp.com.\n",
"\n",
"\n",
"### B.2\t\n",
"Create your RSA key pair with:\n",
"\n",
"```\n",
"openssl genrsa -out ca.key 2048\n",
"```\n",
"\n",
"Next create a self-signed root CA certificate ca.crt for My Global Corp:\n",
"\n",
"```\n",
"openssl req -new -x509 -days 1826 -key ca.key -out ca.crt\n",
"```\n",
"\n",
"\n",
"\t\n",
"* How many years will the certificate be valid for?\n",
"* Which details have you entered:\n",
"\n",
"### B.3\t\n",
"Next go to Places, and from your Home folder, open up ca.crt and view the details of the certificate.\n",
"\n",
"* Which Key Algorithm has been used:\n",
"* Which hashing methods have been used:\n",
"* When does the certificate expire:\n",
"* Who is it verified by:\n",
"* Who has it been issued to:\n",
"\n",
"### B.4\t\n",
"Next we will create a subordinate CA (My Little Corp), and which will be used for the signing of the certificate. First, generate the key:\n",
"\n",
"```\n",
"openssl genrsa -out ia.key 2048\n",
"```\n",
"\n",
"Next we will request a certificate for our newly created subordinate CA:\n",
"\n",
"```\n",
"openssl req -new -key ia.key -out ia.csr\n",
"```\n",
"\n",
"We can then create a certificate from the subordinate CA certificate and signed by the root CA.\n",
"\n",
"```\n",
"openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt\n",
"```\n",
"\n",
"* View the newly created certificate.\n",
"* When does it expire:\n",
"* Who is the subject of the certificate:\n",
"* Which is their country:\n",
"* Who signed the certificate:\n",
"* Which is their country:\n",
"* What is the serial number of the certificate:\n",
"* Check the serial number for the root certificate. What is its serial number:\n",
"\n",
"### B.5\t\n",
"If we want to use this certificate to digitally sign files and verify the signatures, we need to convert it to a PKCS12 file:\n",
"\n",
"```\n",
"openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt\n",
"```\n",
"\n",
"* Can you view ia.p12 in a text edit?\n",
"\n",
"\n",
"\n",
"### B.6\t\n",
"The crt format is in encoded in binary. If we want to export to a Base64 format, we can use DER:\n",
"\n",
"```\n",
"openssl x509 -inform pem -outform pem -in ca.crt -out ca.cer\n",
"```\n",
"\n",
"and for My Little Corp:\n",
"```\n",
"openssl x509 -inform pem -outform pem -in ia.crt -out ia.cer\n",
"```\n",
"\n",
"* View each of the output files in a text editor (ca.cer and then ia.cer). What can you observe from the format:\n",
"* Which are the standard headers and footers on the file used:\n",
"\n",
"\n",
"\n",
"### B.7\t\n",
"Enter and run the following program, and verify its operation:\n",
"\n",
"```python\n",
"import OpenSSL.crypto\n",
"from OpenSSL.crypto import load_certificate_request, FILETYPE_PEM\n",
"\n",
"csr = '''-----BEGIN NEW CERTIFICATE REQUEST-----\n",
"MIICyTCCAbECAQAwajELMAkGA1UEBhMCVUsxDTALBgNVBAgTBE5vbmUxEjAQBgNV\n",
"BAcTCUVkaW5idXJnaDEXMBUGA1UEChMOTXkgTGl0dGxlIENvcnAxDDAKBgNVBAsT\n",
"A01MQzERMA8GA1UEAxMITUxDLm5vbmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n",
"ggEKAoIBAQCuQE68qgssJ210wGxfKjCX3PG/RgSb5VpAp2rzavx71M9Bhg9kUORE\n",
"OP7BQC3E6DGu+xba3NdnhrHAFNa+hH9dnTZrlxb98aM5q9+TUm76V1toIseOMDdU\n",
"UE9IpxXoFvD6b0inbFZnbrjFj3XUUzIIqvvizw4rIOxzgbWqZ5+F7YpP8d59eWW0\n",
"6iXzJKoeE/+Gw7Slsdr1+QQAUaX05MHTweMYbZEHir2M8f1RA4o81zEd2tWCK85F\n",
"6VS/EkCzUG1cqDBQQ7D2S9MWN8Zk2P7CS8/yZx7uRTmT1t3UWKLUyIN0TU3IjCeY\n",
"t53P6C+9DT6UD0fDFZRBCmPOH+qb6/YBAgMBAAGgGjAYBgkqhkiG9w0BCQcxCxMJ\n",
"UXdlcnR5MTIzMA0GCSqGSIb3DQEBBQUAA4IBAQCqpXjmaQf2/o/xbNZG5ggAV8yV\n",
"d6rSabnov5zIkcit9NQXsPJEi84u7CbcriYqY5h7XlMWjv476mAGbgAVZB2ZhIlp\n",
"qLal+lx9xwhFbuLHNRxZcUMM0g9KQZaZTkAQdlDVU/vPzRjq+EHGoPfG7R9QKGD0\n",
"k1b4DqOvInWLOs+yuWT7YYtWdr2TNKPpcBqbzCYzrWL6UaUN7LYFpNn4BbqXRgVw\n",
"iMAnUh9fvLMe7oreYfTaevXT/506Sj9WvQFXTcLtRhs+M30q22/wUK0ZZ8APjpwf\n",
"rQMegvzXXEIO3xEGrBi5/wXJxsawRLcM3ZSGPu/Ws950oM5Ahn8K8HBdKubQ\n",
"-----END NEW CERTIFICATE REQUEST-----'''\n",
"\n",
"req = load_certificate_request(FILETYPE_PEM, csr)\n",
"key = req.get_pubkey()\n",
"key_type = 'RSA' if key.type() == OpenSSL.crypto.TYPE_RSA else 'DSA'\n",
"subject = req.get_subject()\n",
"components = dict(subject.get_components())\n",
"print (\"Key algorithm:\", key_type)\n",
"print (\"Key size:\", key.bits())\n",
"print (\"Common name:\", components['CN'])\n",
"print (\"Organisation:\", components['O'])\n",
"print (\"Organisational unit\", components['OU'])\n",
"print (\"City/locality:\", components['L'])\n",
"print (\"State/province:\", components['ST'])\n",
"print (\"Country:\", components['C'])\n",
"```\n",
"\n",
"Web link (CSR): [here](https://asecuritysite.com/digitalcert/csr)\n",
"\n",
"### D.8\t\n",
"Now check the signing on these certificate requests:\n",
"```\n",
"-----BEGIN NEW CERTIFICATE REQUEST-----\n",
"MIICyTCCAbECAQAwajELMAkGA1UEBhMCVUsxDTALBgNVBAgTBE5vbmUxEjAQBgNV\n",
"BAcTCUVkaW5idXJnaDEXMBUGA1UEChMOTXkgTGl0dGxlIENvcnAxDDAKBgNVBAsT\n",
"A01MQzERMA8GA1UEAxMITUxDLm5vbmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n",
"ggEKAoIBAQCuQE68qgssJ210wGxfKjCX3PG/RgSb5VpAp2rzavx71M9Bhg9kUORE\n",
"OP7BQC3E6DGu+xba3NdnhrHAFNa+hH9dnTZrlxb98aM5q9+TUm76V1toIseOMDdU\n",
"UE9IpxXoFvD6b0inbFZnbrjFj3XUUzIIqvvizw4rIOxzgbWqZ5+F7YpP8d59eWW0\n",
"6iXzJKoeE/+Gw7Slsdr1+QQAUaX05MHTweMYbZEHir2M8f1RA4o81zEd2tWCK85F\n",
"6VS/EkCzUG1cqDBQQ7D2S9MWN8Zk2P7CS8/yZx7uRTmT1t3UWKLUyIN0TU3IjCeY\n",
"t53P6C+9DT6UD0fDFZRBCmPOH+qb6/YBAgMBAAGgGjAYBgkqhkiG9w0BCQcxCxMJ\n",
"UXdlcnR5MTIzMA0GCSqGSIb3DQEBBQUAA4IBAQCqpXjmaQf2/o/xbNZG5ggAV8yV\n",
"d6rSabnov5zIkcit9NQXsPJEi84u7CbcriYqY5h7XlMWjv476mAGbgAVZB2ZhIlp\n",
"qLal+lx9xwhFbuLHNRxZcUMM0g9KQZaZTkAQdlDVU/vPzRjq+EHGoPfG7R9QKGD0\n",
"k1b4DqOvInWLOs+yuWT7YYtWdr2TNKPpcBqbzCYzrWL6UaUN7LYFpNn4BbqXRgVw\n",
"iMAnUh9fvLMe7oreYfTaevXT/506Sj9WvQFXTcLtRhs+M30q22/wUK0ZZ8APjpwf\n",
"rQMegvzXXEIO3xEGrBi5/wXJxsawRLcM3ZSGPu/Ws950oM5Ahn8K8HBdKubQ\n",
"-----END NEW CERTIFICATE REQUEST-----\n",
"```\n",
"and:\n",
"\n",
"```\n",
"-----BEGIN NEW CERTIFICATE REQUEST-----\n",
"MIIDPzCCAqgCAQAwZDELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAmJqMQswCQYDVQQH\n",
"EwJiajERMA8GA1UEChMIbXhjei5uZXQxETAPBgNVBAsTCG14Y3oubmV0MRUwEwYD\n",
"VQQDEwx3d3cubXhjei5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMQ7\n",
"an4v6pHRusBA0prMWXMWJCXY1AO1H0X8pvZj96T5GWg++JPCQE9guPgGwlD02U0B\n",
"NDoEABeD1fwyKZ+JV5UFiOeSjO5sWrzIupdMI7hf34UaPNxHo6r4bLYEykw/Rnmb\n",
"GKnNcD4QlPkypE+mLR4p0bnHZhe3lOlNtgd6NpXbAgMBAAGgggGZMBoGCisGAQQB\n",
"gjcNAgMxDBYKNS4yLjM3OTAuMjB7BgorBgEEAYI3AgEOMW0wazAOBgNVHQ8BAf8E\n",
"BAMCBPAwRAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcN\n",
"AwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMHMBMGA1UdJQQMMAoGCCsGAQUFBwMB\n",
"MIH9BgorBgEEAYI3DQICMYHuMIHrAgEBHloATQBpAGMAcgBvAHMAbwBmAHQAIABS\n",
"AFMAQQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABp\n",
"AGMAIABQAHIAbwB2AGkAZABlAHIDgYkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
"AAAAAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQUFAAOBgQBIKHVhHb9FZdVLV4VZ\n",
"9DK4aBSuYY//jlIpvsfMIdHXfAsuan7w7PH87asp1wdb6lD9snvLZix1UGK7VQg6\n",
"wUFYNlMqJh1m7ITVvzhjdnx7EzCKkBXSxEom4mwbvSNvzqOKAWsDE0gvHQ9aCSby\n",
"NFBQQMoW94LqrG/kuIQtjwVdZA==\n",
"-----END NEW CERTIFICATE REQUEST-----\n",
"```\n",
"and:\n",
"\n",
"```\n",
"-----BEGIN CERTIFICATE REQUEST-----\n",
"MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh\n",
"MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMR8w\n",
"HQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw53d3cuZ29v\n",
"Z2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApZtYJCHJ4VpVXHfV\n",
"IlstQTlO4qC03hjX+ZkPyvdYd1Q4+qbAeTwXmCUKYHThVRd5aXSqlPzyIBwieMZr\n",
"WFlRQddZ1IzXAlVRDWwAo60KecqeAXnnUK+5fXoTI/UgWshre8tJ+x/TMHaQKR/J\n",
"cIWPhqaQhsJuzZbvAdGA80BLxdMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIhl\n",
"4PvFq+e7ipARgI5ZM+GZx6mpCz44DTo0JkwfRDf+BtrsaC0q68eTf2XhYOsq4fkH\n",
"Q0uA0aVog3f5iJxCa3Hp5gxbJQ6zV6kJ0TEsuaaOhEko9sdpCoPOnRBm2i/XRD2D\n",
"6iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn\n",
"-----END CERTIFICATE REQUEST-----\n",
"```\n",
"\n",
"* What are the details on the requests?\n",
"\n",
"## C\tElliptic Curve Key Creation\n",
"Elliptic curve key pairs are increasing used within corporate Web sites. \n",
"\n",
"In Openssl we can view the curves with the ecparam option:\n",
"\n",
"```\n",
"openssl ecparam -list_curves\n",
"```\n",
"\n",
"* Outline some of the curve names:\n",
"* By performing an Internet search, which are the most popular curves (and where are they used)?\n",
"\n",
"\n",
"We can create our elliptic parameter file with:\n",
"```\n",
"openssl ecparam -name secp256k1 -out secp256k1.pem\n",
"```\n",
"\n",
"Now view the details with:\n",
"\n",
"```\n",
"openssl ecparam -in secp256k1.pem -text -param_enc explicit -noout\n",
"```\n",
"\n",
"* What are the details of the key?\n",
"\n",
"\n",
"Now we can create our key pair:\n",
"\n",
"```\n",
"openssl ecparam -in secp256k1.pem -genkey -noout -out mykey.pem\n",
"```\n",
"\n",
"Now we will encrypt your key pair (and add a password), and convert it into a format which is ready to be converted into a digital certificate:\n",
"\n",
"```\n",
"openssl ec -aes-128-cbc -in mykey.pem -out enckey.pem\n",
"```\n",
"\n",
"Finally we will convert into a DER format, so that we can import the keys into a system:\n",
"\n",
"```\n",
"openssl ec -in enckey.pem -outform DER -out enckey.der\n",
"```\n",
"\n",
"* Examine each of the files created and outline what they contain:\n",
"* Now pick another elliptic curve type and perform the same operations as above. Which type did you use?\n",
"* Outline the commands used:\n",
"* If you want to create a non-encrypted version (PFX), which command would you use:\n",
"\n",
"\n",
"\n",
"Go to www.cloudflare.com and examine the digital certificate on the site.\n",
"\n",
"* What is the public key method used?\n",
"* What is the size of the public key?\n",
"* What is the curve type used?\n",
"\n",
"## E\tPFX files\n",
"We have a root certificate authority of My Global Corp, which is based in Washington, US, and the administrator is admin@myglobalcorp.com and we are going to issue a certificate to My Little Corp, which is based in Glasgow, UK, and the administrator is admin@mylittlecorp.com.\n",
"\n",
"\n",
"### E.1\tWe will now view some PFX certificate files, and which are protected with a password:\n",
"\n",
"Web link (Digital Certificates): [here](http://asecuritysite.com/digitalcert/digitalcert2)\n",
"\n",
"* For Certificate 1, can you open it in the Web browser with an incorrect password:\n",
"* Now enter “apples” as a password, and record some of the key details of the certificate:\n",
"* Now repeat for Certificate 2:\n",
"\n",
"\n",
"### E.2\t\n",
"Now with the PFX files (contained in the ZIP files from the Web site), try and import them onto your computer. Try to enter an incorrect password first and observe the message.\n",
"\n",
"\n",
"* Was the import successful?\n",
"* If successful, outline some of the details of the certificates:\n",
"\n",
"\n",
"\n",
"\n",
"## F\tCracking Certificates\n",
"Digital certificates are often protected with a simple password. With this we can use a Python program to try various passwords on the certificate, and if it does not create an exception, then we have found the required password. First download the following pfx files:\n",
"\n",
"[here](https://asecuritysite.com/cert_crack.zip)\n",
"\n",
"Now for bill01.pfx and fred.pfx, crack the password with the following code:\n",
"\n",
"```python\n",
"import OpenSSL \n",
"from cryptography import x509\n",
"from cryptography.hazmat.backends import default_backend\n",
"\n",
"str=\"fred.pfx\"\n",
"\n",
"passwords=[\"ankle\",\"battery\",\"password\",\"bill\",\"apple\",\"apples\",\"orange\"]\n",
"\n",
"for password in passwords:\n",
"\ttry:\n",
"\t\tpfx = open(str, 'rb').read()\n",
"\t\t\n",
"\t\tp12 = OpenSSL.crypto.load_pkcs12(pfx, password.encode())\n",
"\t\tprint (\"Found: \",password)\n",
"\n",
"\n",
"\t\tprivkey=OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, p12.get_privatekey())\n",
"\n",
"\t\tcert=OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, p12.get_certificate())\n",
"\n",
"\t\tcert = x509.load_pem_x509_certificate(cert, default_backend())\n",
"\n",
"\n",
"\t\tprint (\" Issuer: \",cert.issuer)\n",
"\t\tprint (\" Subect: \",cert.subject)\n",
"\t\tprint (\" Serial number: \",cert.serial_number)\n",
"\t\tprint (\" Hash: \",cert.signature_hash_algorithm.name)\n",
"\t\tprint (privkey)\n",
"\n",
"\n",
"\n",
"\texcept:\n",
"\n",
"\t\tprint (\"Not working: \",password)\n",
"```\n",
"\n",
"* What is the password?\n",
"* The files bill01.pfx, bill02.pfx ... bill18.pfx have a password which are **fruits**. Can you determine the fruits used?\n",
"* The files country01.pfx, country02.pfx ... country06.pfx have a password which are **countries** of the world. Can you determine the countries used?\n",
"\n",
"## G\tSetting up a certificate on a Web site\n",
"### G.1\t\n",
"Now we will enable HTTPs on an Apache Web Server, and install a digital certificate. Execute the following commands:\n",
"```\n",
"sudo a2enmod ssl\n",
"service apache2 restart\n",
"openssl genrsa -out ca.key 2048\n",
"sudo openssl req -nodes -new -key ca.key -out ca.csr\n",
"sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt\n",
"sudo mkdir /etc/apache2/ssl\n",
"sudo cp ca.crt ca.key ca.csr /etc/apache2/ssl/\n",
"sudo nano /etc/apache2/sites-enabled/000-default.conf\n",
"sudo /etc/init.d/apache2 restart\n",
"```\n",
"\n",
"HTTPs should now be enabled with a self-signed certificate. If you try https://localhost, you will have to add an exception to view the page, as we are using a self-signed certificate:\n",
"\n",
" \n",
"## Additional lab question\n",
"The ECDSA signature is used in Bitcoin and Ethereum. Using the code [here](https://asecuritysite.com/ecdsa/ecdsa3):\n",
"\n",
"```python\n",
"import sys\n",
"import random\n",
"import hashlib\n",
"import libnum\n",
"\n",
"from secp256k1 import curve,scalar_mult,point_add\n",
"\n",
"msg=\"Hello\"\n",
"\n",
"if (len(sys.argv)>1):\n",
" msg=(sys.argv[1])\n",
"\n",
"# Alice's key pair (dA,QA)\n",
"dA = random.randint(0, curve.n-1)\n",
"QA = scalar_mult(dA,curve.g)\n",
"\n",
"h=int(hashlib.sha256(msg.encode()).hexdigest(),16)\n",
"\n",
"k = random.randint(0, curve.n-1)\n",
"\n",
"rpoint = scalar_mult(k,curve.g)\n",
"\n",
"r = rpoint[0] % curve.n\n",
"\n",
"# Bob takes m and (r,s) and checks\n",
"inv_k = libnum.invmod(k,curve.n)\n",
"\n",
"s = (inv_k*(h+r*dA)) % curve.n\n",
"\n",
"print (f\"Msg: {msg}\\n\\nAlice's private key={dA}\\nAlice's public key={QA}\\nk= {k}\\n\\nr={r}\\ns={s}\")\n",
"\n",
"# To check signature\n",
"\n",
"inv_s = libnum.invmod(s,curve.n)\n",
"c = inv_s\n",
"u1=(h*c) % curve.n\n",
"u2=(r*c) % curve.n\n",
"P = point_add(scalar_mult(u1,curve.g), scalar_mult(u2,QA))\n",
"\n",
"res = P[0] % curve.n\n",
"print (f\"\\nResult r={res}\")\n",
"\n",
"if (res==r):\n",
"\tprint(\"Signature matches!\")\n",
"```\n",
"\n",
"Run the code and answer the following questions:\n",
"\n",
"* How is the private key created?\n",
"* How is the public key created?\n",
"* Can you identify the nonce value used in the signature?\n",
"* What are the two output values of the signature?\n",
"* Which key (public or private key) is used to verify the signature?\n",
"* Which key (public or private key) is used to verify the signature?\n",
"\n"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.8.3"
}
},
"nbformat": 4,
"nbformat_minor": 5
}
Reference in New Issue View Git Blame Copy Permalink