Secure Virtual Private Network (VPN) Setup

   

Added on  2019-09-18

Project 1: Public Key, Root CA, Certificates, Hash, MAC and SSL VPNs

Contents
1   Lab Preparation ..... 2
2   Performance Comparison: RSA versus AES ..... 2
3   Become a root CA and sign a Certificate ..... 3
3.1 Create a new CA ..... 3
3.2 Generate a new certificate request ..... 4
3.3 Sign the certificate request ..... 4
4   Configure SSL certificates on the Apache server ..... 5
4.1 Modify the Apache server configuration ..... 5
4.2 Test an SSL/TLS connection ..... 5
5   Install the CA root certificate as a Trusted Root Certificate ..... 6
5.1 Install the root CA for Firefox on the Linux server ..... 6
5.2 Install the root CA for Firefox on a Linux client ..... 7
5.3 Install the root CA for IE on Windows ..... 7
5.4 Install the root CA for Firefox on Windows ..... 7
6   One-Way Hash Function and MAC ..... 7
6.1 One-way Hash Functions ..... 7
6.2 Keyed Hash and HMAC ..... 8
7   Setting SSL based VPNs for Linux ..... 8
7.1 Build Certificate Authority (CA) ..... 8
7.2 Certificate and key generation ..... 9
7.3 Server configuration ..... 10
7.4 Client configuration ..... 11
8   Configure client certificates for authentication (optional) ..... 11

Goal: In this lab we will exercise the idea that digital certificates are verified using a chain of trust. The trust anchor for the digital certificates is the Root Certificate Authority (CA). In addition, we will practice using command-line procedures for setting up SSL/TLS certificates. First, we will generate a root certificate (to become the root CA) and other certificates. Then, we will sign the certificates with the root certificate. Next, we will place these certificates on an Apache web server. When the web server is visited by a client's browser with the root CA installed, the server will be trusted automatically due to the chain of trust.

Page | 1
Major reference for this lab: http://www.reppep.com/~pepper/writing/tidbits/ssl-article/ssl2.text
How to use VirtualBox: http://www.makeuseof.com/tag/how-to-use-virtualbox/
How to use VMware: https://www.vmware.com/pdf/ws80-using.pdf
Fedora live image: I used Fedora-18-x86_64-Live-Desktop.iso.
http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/
You can also download the new version: https://getfedora.org/en/workstation/download/
Windows: I used IE8 on Win7 virtual machines. You can download free virtual machines from this web page: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

1 Lab Preparation (2 points)

On your FC Linux server, as root, type the following commands to update your openssl and httpd utilities (needs Internet access):

    yum -y install openssl
    yum -y install openssl-*
    yum -y install httpd-*
    yum -y install mod_ssl

2 Performance Comparison: RSA versus AES

In this task, we will study the performance of public-key algorithms. Please prepare a file (message.txt) that contains a 16-byte message. Please also generate a 1024-bit RSA public/private key pair by using the following command:

    openssl genrsa -out private.pem 1024

This command creates a key file called private.pem that uses 1024 bits. This file actually holds both the private and public keys, so you should extract the public one from this file:

    openssl rsa -in private.pem -out public.pem -outform PEM -pubout

The commands for encryption and decryption using the public key look like the following:

    openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
    openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt

The commands for encryption and decryption using AES look like the following:
    openssl enc -aes-128-cbc -in file.txt -out file.enc
    openssl enc -d -aes-128-cbc -in file.enc -out file.txt

Next, do the following:

1. Encrypt message.txt using the public key; save the output in message_enc.ssl. (2 points)
2. Decrypt message_enc.ssl using the private key. (2 points)
3. Encrypt message.txt using a 128-bit AES key. (2 points)

2.1.1 Compare the time spent on each of the above operations, and describe your observations. If an operation is too fast, you may want to repeat it many times and then take an average. (5 points)

After you finish the above exercise, you can use the openssl speed command to do such benchmarking. The following commands show examples of using speed to benchmark RSA and AES:

    openssl speed rsa
    openssl speed aes

2.1.2 Please describe whether your observations are similar to those from the outputs of the speed command. (2 points)

3 Become a root CA and sign a Certificate

Go to the /etc/pki/tls/misc/ directory. There is a file named CA.pl. We will use this file to create a root certificate and other certificates.

3.1 Create a new CA

    ./CA.pl -newca
    A certificate filename (or enter to create) <enter>
    Making CA certificate ...
    Using configuration from openssl.cnf
    Generating a 1024 bit RSA private key
    ............++++++
    ......................++++++
    writing new private key to '/etc/pki/CA/private/cakey.pem'
    Enter PEM pass phrase: <secret passphrase here>    (write it down for future reference; mine is CMSC622y)
    Verifying password - Enter PEM pass phrase: <secret passphrase again>
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:VA
    Locality Name (eg, city) []:Richmond
    Organization Name (eg, company) []:VCU
    Organizational Unit Name (eg, section) []:CS
    Common Name (eg, YOUR name) []:WeiCheng    # I put WeiCheng here as the example common name. A more general practice is to put your server's DNS name.
    Email Address []:yourname@vcu.edu

No need to add a challenge password. You will be asked to input your PEM pass phrase again at the end (before the certificate creation completes).

This creates a new root certificate in the directory /etc/pki/CA. The new root certificate file is named cacert.pem. (3 points)

3.2 Generate a new certificate request

    ./CA.pl -newreq
    Using configuration from openssl.cnf
    Generating a 1024 bit RSA private key
    ..........++++++
    ..............++++++
    writing new private key to 'newreq.pem'
    Enter PEM pass phrase: <another secret passphrase here>    (mine is 622req)
    Verifying password - Enter PEM pass phrase: <another secret passphrase again>
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:VA
    Locality Name (eg, city) []:Richmond
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:VCU
    Organizational Unit Name (eg, section) []:CStest
    Common Name (eg, YOUR name) []:192.168.56.101

192.168.56.101 is the http server's IP address. You can use your FC Linux server's IP (i.e., the IP of the virtual machine). If the http server has a DNS name, please use the DNS name.

    Email Address []:yourname@vcu.edu
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:<enter>
    An optional company name []:<enter>
    Request is in newreq.pem, private key is in newkey.pem
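The timing comparison of task 2 (steps 1 to 3 and 2.1.1 above), automated as a script. This is an added example, not part of the lab handout; it assumes openssl is on PATH and GNU date (for %N), uses a constructed 16-byte message, and swaps the handout's rsautl for its non-deprecated successor pkeyutl.

```shell
#!/bin/sh
# Added example (not from the lab handout): automates the RSA-vs-AES timing
# comparison of task 2. Assumes openssl on PATH and GNU date (for %N).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed 16-byte message, standing in for the lab's message.txt
printf 'sixteen byte msg' > "$WORK/message.txt"

# 1024-bit RSA as in the handout (exercise only; 2048+ is the practical minimum)
openssl genrsa -out "$WORK/private.pem" 1024 2>/dev/null
openssl rsa -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
# Explicit 128-bit AES key and IV so the command needs no interactive password
AES_KEY=$(openssl rand -hex 16); AES_IV=$(openssl rand -hex 16)

# pkeyutl is the non-deprecated successor of the handout's rsautl
rsa_encrypt() { openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.pem" -in "$WORK/message.txt" -out "$WORK/message_enc.ssl"; }
rsa_decrypt() { openssl pkeyutl -decrypt -inkey "$WORK/private.pem" -in "$WORK/message_enc.ssl" -out "$WORK/decrypted.txt"; }
aes_encrypt() { openssl enc -aes-128-cbc -K "$AES_KEY" -iv "$AES_IV" -in "$WORK/message.txt" -out "$WORK/message.enc"; }
aes_decrypt() { openssl enc -d -aes-128-cbc -K "$AES_KEY" -iv "$AES_IV" -in "$WORK/message.enc" -out "$WORK/aes_dec.txt"; }

# Correctness first: both round trips must reproduce message.txt byte for byte
roundtrip_ok() {
    rsa_encrypt && rsa_decrypt && aes_encrypt && aes_decrypt &&
    cmp -s "$WORK/message.txt" "$WORK/decrypted.txt" &&
    cmp -s "$WORK/message.txt" "$WORK/aes_dec.txt"
}

# time_op NAME N CMD: run CMD N times, print the mean in microseconds per call.
# Each call also pays openssl process start-up, which is why the handout says
# to repeat and average, and why `openssl speed` (in-process loops) differs.
time_op() {
    name=$1; n=$2; shift 2
    start=$(date +%s%N); i=0
    while [ "$i" -lt "$n" ]; do "$@"; i=$((i + 1)); done
    end=$(date +%s%N)
    echo "$name: $(( (end - start) / n / 1000 )) us/op"
}

run_benchmark() {
    roundtrip_ok || { echo "round trip failed" >&2; return 1; }
    time_op "RSA-1024 encrypt" 50 rsa_encrypt
    time_op "RSA-1024 decrypt" 50 rsa_decrypt
    time_op "AES-128-CBC encrypt" 50 aes_encrypt
    time_op "AES-128-CBC decrypt" 50 aes_decrypt
}

run_benchmark
```

Expect RSA decrypt (the private-key operation) to be the slowest of the four, and all four numbers to sit well above what openssl speed reports, since the per-call figure here includes starting a new openssl process.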
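The same root-CA and certificate-request steps as 3.1 and 3.2, done non-interactively with plain openssl commands instead of CA.pl, and carried on through signing and the chain-of-trust verification the lab's goal describes. This is an added example, not the handout's own procedure: it assumes openssl on PATH, reuses the handout's DN answers and example passphrases, writes into a temporary directory rather than /etc/pki/CA, and uses 2048-bit keys where the handout uses 1024.

```shell
#!/bin/sh
# Added example (not from the lab handout): the non-interactive equivalent of
# CA.pl -newca (3.1) and CA.pl -newreq (3.2), carried on through signing and the
# chain-of-trust check the lab's goal describes. Assumes openssl on PATH.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CA_PASS=CMSC622y     # the handout's example passphrases, for illustration only
REQ_PASS=622req
CA_DN="/C=US/ST=VA/L=Richmond/O=VCU/OU=CS/CN=WeiCheng/emailAddress=yourname@vcu.edu"
SRV_DN="/C=US/ST=VA/L=Richmond/O=VCU/OU=CStest/CN=192.168.56.101/emailAddress=yourname@vcu.edu"

# 3.1: self-signed root certificate; the CA key is encrypted under CA_PASS
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "$CA_DN" \
        -passout "pass:$CA_PASS" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# 3.2: server key plus certificate request (CN = the server's IP or DNS name)
make_server_request() {
    openssl req -new -newkey rsa:2048 -subj "$SRV_DN" -passout "pass:$REQ_PASS" \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

# The step the handout reaches next (3.3): sign the request with the root CA
sign_request() {
    openssl x509 -req -days 365 -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -passin "pass:$CA_PASS" -CAcreateserial \
        -out "$WORK/newcert.pem" 2>/dev/null
}

# Chain of trust: succeeds only if newcert.pem chains to cacert.pem
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}

# Negative check: a certificate issued under some other root must not be trusted
verify_rejects_other_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-root" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
    ! openssl verify -CAfile "$WORK/cacert.pem" "$WORK/other.pem" >/dev/null 2>&1
}

make_root_ca && make_server_request && sign_request
verify_chain && echo "newcert.pem chains to cacert.pem"
```

The negative check is what a browser without the root installed (section 5) effectively performs: the same server certificate is untrusted until cacert.pem is in its trust store.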