Public Key Infrastructure (PKI)
Certifiactes
Using OpenSSL
Documentation: http://www.openssl.org/docs/apps/pkcs8.html
êCertificate
Requests Commands:
To generate a
certificate request and sign it from CA.
ü In the following: replace <student> with your
<login
name>
% mkdir
<student>_cert_request
% cd <student>_cert_request
% cp /home/cs472/public_html/PKI/shell_scripts/students/* .
ü This copies all the shell scripts and files
needed.
% gencertreq <student>
ü That will create two files:
<student>_certreq.pem
& <student>_privatekey.pem
ü To
print <student>_certreq.pem
% printcertreq <student>
ü Submit file <student>_certreq.pem to CA to be signed:
% mkdir submit
% cp <student>_certreq.pem submit
% cd submit
% submit cs472
ü The CA will sign your certificate and sends
an email to copy:
<student>_cert.pem
& ca_cert.pem
From
/home/cs472/public_html/fall11/PKI_certificates/students/<student>_cert.
pem
ü You can print these two certificates using:
% printcert
<student>
% printcert ca
êCertificate Authority
(CA) Commands
To setup the necessary environment to
create CA keys and root certificate &
to sign certificate requests.
To
create CA keys and root certificate
ü Copy the ca shell scripts in any directory you choose.
% cp /home/cs472/public_html/PKI/shell_scripts/ca/*
.
ü Edit file myopenssl.cnf to replace cs472 with your <login name>
ü
Create the needed
files and directories:
% setup
ü
create CA keys (ca_key.pem) &
certificate (ca_cert.pem:.
% genca
ü Print certificate ca_cert.pem:
% printcert ca
ü To sign certificate requests
ü To sign a request from a single student
under:
submitted_requests/<student>_cerreq.pem
% issuecert <student>
ü This
produces:
signed_requests/<student>_cert.pem
&
issued_certs/xx.pem where <xx> is serial number of cert.
In addition it copies the <student>_cert.pem under:
/home/cs472/public_html/fall11/PKI_certificates/students/<student>_cert. pem
and send
email to <student>@cs.odu.edu
ü To sign more than one certificate put the
names in a file called: list and then use:
Application of PKI:
Secure
Multipurpose Internet Mail Exchange
(SMIME)
Use unix Mail to send and read your mail.
In reading a
mail message: write the message to a file (e.g.,
w file)
Copy
all the shell scripts and files needed.
% cd
<student>_cert_request
% cp
/home/cs472/public_html/PKI/shell_scripts/securemail/*
.
ê
Encrypted mail: to send/receive encrypted
messages.
à Send:
% sendencmail
<receiver> <file>
The sender should have: <receiver>_cert.pem
<file> is the message to be encrypted.
This
produce <file>.enc
which is encrypted with a secret
key.
The secret key is encrypted
with the public key in <receiver>_cert.pem
à
Read:
First read
your mail and save the msg in <file> then use the following command:
% readencmail <receiver> <file>
The recipient should have:
<receiver>_privatekey.pem
This decrypt the mail in <file> using the supplied private key.
First, the secret key is decrypted
using <receiver>_privatekey.pem
Then <file> is decrypted with the secret
key.
êSigned
mail to send/receive
signed messages
à
Send:
% sendsignmail
<receiver> <file>
<sender>
The sender should
have:
<sender>_cert.pem &
<sender>_privatekey.pem
To
sign <file> using the <sender>
certificate and private key.
The signed message as well as the <sender> certificate are
written to the output <file> .sig
à
Read:
First read your mail and save the msg
in <file> then use the following command:
% readsignmail
<file>
The recipient
should have: ca_cert.pem
This verifies signed <file> using the sender’s certificate and the CA
certificate.
and
outputs the sender’s information and the
message content.
êSigned +Encrypted
mail to send/receive signed and encrypted messages
à
Send:
% sendsign_encmail <receiver> <file> <sender>
The sender should
have: <receiver>_cert.pem,
<sender>_cert.pem & <sender>_privatekey.pem
This
signs the <file> using the <sender>
certificate and private key.
The signed file as well as the <sender> certificate are
written to the output <file> .sig which is then encrypted to <file>.enc using a secret key.
The secret key is encrypted
with the public key in <receiver>_cert.pem
à
Read:
First read your mail and save the msg
in <file> then use the following command:
% readsign_encmail
<receiver> <file>
The reciepient should have: <receiver>_privatekey.pem
& ca_cert.pem
This first decrypts
mail in <file> using the receiver certificate and private key.
The secret key is decrypted
using <receiver>_privatekey.pem
Then <file> is decrypted using the secret key.
It then verifies the
signed <file> using the sender’s and CA certificates.
Finally it outputs the
sender’s information and the
message content.
«
Sign
then Encrypt Versus Encrypt then Sign?
à Sign then Encrypt:
ü
A
wants to send B a message M as signed then encrypted message.
Sign M as
M1 and then encrypt M1 as M2 and mail M2 to B.
ü
B
decrypts M2 to
M1 and verify that M1 was sent as M from A.
ü
if B wants to forwards the message M1 to C,
o
B can
forwards the signed message M1 to C.
o
C can
reads the message M and verify that A is the author.
à Encrypt then Sign:
ü
A
wants to send B a message M as encrypted then signed message.
Encrypt M
as M1 and then sign M1 as M2 and mail M2 to B.
ü
B
verifies M2 was signed by A and then M1 decrypted to read M.
ü
If B
wants to forward the message to C, then he can send M2.
o
C can
verify that M2 was signed by A.
o
However
C can NOT decrypt M1 to read the message M since he does not have the private
key of B!