Public Key Infrastructure (PKI) Certifiactes
Using OpenSSL
Documentation: http://www.openssl.org/docs/apps/pkcs8.html
Ø
Certificate
Requests Commands:
To
generate a certificate request and sign it from CA.
In
the following: replace <student> with your <login name>
% mkdir
<student>_cert_request
% cd <student>_cert_request
% cp /home/cs472/public_html/PKI/shell_scripts/students/* .
This copies all the shell scripts and
files needed.
% gencertreq <student>
That will create two files:
<student>_certreq.pem
& <student>_privatekey.pem
To print <student>_certreq.pem
% printcertreq <student>
Submit file <student>_certreq.pem to CA to be signed:
% mkdir submit
% cp <student>_certreq.pem submit
% cd submit
% submit
cs472
The CA will sign your certificate
and sends an email to copy:
<student>_cert.pem & ca_cert.pem
Then you can print these two certificates using:
% printcert
<student>
% printcert ca
Ø Certificate Authority
(CA) Commands
To setup the necessary environment to create
CA keys and root certificate, and to sign the students
certificate requests.
To
create CA keys and root certificate
Copy the ca shell
scripts in any directory
you choose.
% cp /home/cs472/public_html/PKI/shell_scripts/ca/*
.
Edit file myopenssl.cnf to replace cs472 with your <login
name>
Then create the needed files and directories:
% setup
Then create CA keys (ca_key.pem)
& certificate (ca_cert.pem:.
% genca
Print
certificate ca_cert.pem:
% printcert ca
To
sign certificate requests
To sign a
request from a single student under:
submitted_requests/<student>_cerreq.pem
% issuecert <student>
This produces:
signed_requests/<student>_cert.pem &
issued_certs/xx.pem where <xx> is serial number of cert.
To sign more than
one certificate put the names in a file called: list and then use:
Application of PKI:
Secure Multipurpose Internet Mail
Exchange
(SMIME)
Use unix Mail to send and read your mail.
In reading a
mail message: write the message to a file (e.g.,
w file)
Copy all the shell scripts
and files needed.
% cd
<student>_cert_request
% cp
/home/cs472/public_html/PKI/shell_scripts/securemail/*
.
§
Encrypted mail
: to send/receive encrypted messages.
à
Send:
% sendencmail
<receiver> <file>
The sender should have: <receiver>_cert.pem
<file> is the message to be encrypted.
This
produce <file>.enc which is encrypted with a secret key.
The secret key is encrypted
with the public key in <receiver>_cert.pem
à Read:
First read
your mail and save the msg in <file> then use the following command:
% readencmail <receiver> <file>
The recipient should have:
<receiver>_cert.pem> &
<receiver>_privatekey.pem
This decrypt mail in <file> using the supplied certificate and private key.
First, the secret key is decrypted
using <receiver>_privatekey.pem
Then <file> is decrypted with the secret
key.
§
Signed mail to
send/receive signed messages
à Send:
% sendsignmail
<receiver> <file>
<sender>
The sender should
have:
<sender>_cert.pem & <sender>_privatekey.pem
To
sign <file> using the <sender>
certificate and private key.
The signed message as well as the <sender> certificate are
written to the output <file> .sig
à Read:
First read your mail and save the msg
in <file> then use the following command:
% readsignmail
<file>
The recipient
should have: ca_cert.pem
This verifies signed <file> using the sender’s certificate and the CA
certificate.
and
outputs the sender’s information and the message content.
§ Signed +Encrypted mail to
send/receive signed and encrypted messages
à Send:
% sendsign_encmail <receiver> <file> <sender>
The sender should
have: <receiver>_cert.pem,
<sender>_cert.pem & <sender>_privatekey.pem
This
signs the <file> using the <sender>
certificate and private key.
The signed file as well as the <sender> certificate are
written to the output <file> .sig which is then encrypted to <file>.enc using a secret key.
The secret key is encrypted
with the public key in <receiver>_cert.pem
à Read:
First read your mail and save the msg
in <file> then use the following command:
% readsign_encmail
<receiver> <file>
The reciepient should have: <receiver>_cert.pem, <receiver>_privatekey.pem
& ca_cert.pem
This first decrypts
mail in <file> using the receiver certificate and private key.
The secret key is decrypted
using <receiver>_privatekey.pem
Then <file> is decrypted using the secret key.
It then
verifies the signed <file> using the sender’s and CA certificates.
Finally it outputs the sender’s information
and the message
content.
«
Sign
then Encrypt Versus Encrypt then Sign?
Sign
then Encrypt:
·
A
wants to send B a message M as signed then encrypted message.
Sign M as M’ and then encrypt M’ as M” and mail
M” to B.
·
B
decrypts M” to M’ and verify that M’ was sent as M from A.
·
if B wants to forwards the message M’ to C,
B can forwards the signed message M’ to C.
C can reads the message M and verify that A
is the author.
Encrypt
then Sign:
·
A
wants to send B a message M as encrypted then signed message.
Encrypt M as M’ and then sign M’ as M” and mail
M” to B.
·
B
verifies M” was signed by A and then M’ decrypted to read M.
·
If B
wants to forward the message to C, then he can send M”.
C can verify that M” was signed by A.
However C
can NOT decrypt M’ to read the message M since he does not have the private key
of B!