- Task 1: Becoming a Certificate Authority (CA)
On the host / docker 1.1.1.1, run the following commands (the CA's working directory is where openssl.cnf is copied; the later commands refer to /demoCA under it):
sudo cp /usr/lib/ssl/openssl.cnf /
sudo openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Enter PEM pass phrase:xxxxx
Verifying - Enter PEM pass phrase:xxxxx
Continue with the following command, as shown in the figure. It regenerates ca.key and ca.crt non-interactively, overwriting the pair created above: a 4096-bit RSA key, a SHA-256 self-signature, 10 years of validity, the subject given with -subj, and the key passphrase supplied by -passout instead of being prompted for:
sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
    -keyout ca.key -out ca.crt \
    -subj "/CN=www.modelCA.com/O=Model CA LTD./C=US" \
    -passout pass:dees
Inspect the certificate:
openssl x509 -in ca.crt -text -noout
Then inspect the private key (openssl asks for the passphrase, dees):
openssl rsa -in ca.key -text -noout
Regarding the questions posed in the lab manual:
Please run the above commands. From the output, please identify the followings:
• What part of the certificate indicates this is a CA's certificate?
• What part of the certificate indicates this is a self-signed certificate?
• In the RSA algorithm, we have a public exponent e, a private exponent d, a modulus n, and two secret numbers p and q, such that n = pq. Please identify the values for these elements in your certificate and key files.
We answer as follows:
(1) What marks this as a CA certificate is the X509v3 Basic Constraints extension with the value CA:TRUE in the extensions section of the openssl x509 output (openssl req -x509 adds it from the v3_ca section of openssl.cnf). The Issuer and Validity fields quoted here appear in every certificate and do not by themselves identify a CA:
- Issuer: CN = www.modelCA.com, O = Model CA LTD., C = US
Validity
Not Before: Aug 10 01:42:07 2022 GMT
Not After : Aug 7 01:42:07 2032 GMT
(2) The certificate is self-signed: its Issuer and Subject are identical, so the key that signed it is the key it certifies (when present, the Subject Key Identifier and Authority Key Identifier extensions accordingly carry the same key ID):
- Issuer: CN = www.modelCA.com, O = Model CA LTD., C = US
Subject: CN = www.modelCA.com, O = Model CA LTD., C = US
(3) From the key file (openssl rsa -text): e is the publicExponent, n the modulus, d the privateExponent, p prime1 and q prime2, as printed below. The certificate only carries e and n (Exponent and Modulus under Subject Public Key Info), and its Modulus must be identical to the key's. The leading 00 byte on n, p and q is how DER keeps an integer whose top bit is set positive; it is not part of the value:
e=65537
n=00:b8:01:62:f0:36:e5:c9:fd:dc:49:86:7e:d1:e6:
e9:c7:1d:2a:52:a4:3c:c3:00:16:63:3d:7d:1d:24:
73:89:db:b1:01:c1:39:49:ec:3e:da:c4:b8:a8:2c:
8a:6a:55:2b:f3:f5:66:21:65:d4:f6:4e:4c:61:4f:
39:40:0e:05:5a:94:12:73:2c:26:42:03:f2:8c:04:
6c:73:7e:c5:cb:e1:9b:60:ab:26:51:4c:f7:9d:cf:
65:2a:81:3f:2b:a9:8a:41:dd:7e:7f:9d:3b:9b:4a:
a1:84:3b:94:b7:9e:fe:3c:7c:2b:fa:d2:12:77:9f:
c0:8d:72:50:8c:4d:f7:f8:bd:86:21:86:bd:f2:a7:
6f:9b:fd:0f:eb:4b:73:40:ce:73:ff:89:8a:3d:06:
50:4c:a4:9e:87:15:7e:0f:1f:bc:d7:6c:24:86:e8:
86:d6:a7:d3:b1:82:94:89:8f:fa:ee:1b:9f:44:57:
ad:6a:d6:87:d5:1d:bd:3c:73:1f:42:d7:b2:83:11:
60:a1:31:36:96:c6:21:f6:18:13:20:69:dc:97:d6:
3a:18:92:ec:a8:d3:77:59:0e:f5:58:3e:a5:49:83:
4f:45:71:b1:85:9f:4d:31:61:4d:60:37:22:5e:c3:
82:86:07:62:4c:c0:fa:e1:82:24:8a:bd:54:5a:cc:
43:76:e0:02:ba:2a:71:dc:dc:2b:48:6d:7f:13:5d:
5b:36:67:f1:00:a6:c8:a2:75:04:dc:72:c7:45:52:
33:c9:3c:06:27:4a:75:93:62:0d:78:e1:28:63:0b:
38:4e:f3:82:37:6c:bd:2f:0a:e4:25:be:e9:dd:51:
a7:1a:9d:dd:fd:90:bd:72:c8:4e:c3:c9:91:60:97:
c1:8b:24:af:0c:42:bd:88:96:88:a2:2a:76:19:97:
23:33:76:1a:60:b1:a6:26:f2:3c:dc:27:45:b9:f7:
3e:25:2a:38:72:5b:6a:20:b8:ca:f1:68:ec:b0:06:
a0:fb:4d:75:e3:07:27:54:4c:e0:f1:de:56:b6:60:
ba:59:71:4d:80:d1:f5:60:ae:7e:ce:c2:19:f8:c4:
95:e0:9f:16:ad:ce:b7:07:61:3b:a5:8e:a9:54:f5:
3a:58:fc:df:a2:1f:d0:e2:d9:e4:26:95:68:83:2e:
06:42:98:53:12:32:7f:39:b7:4e:d5:dc:7b:37:a4:
a1:e5:24:41:bc:cd:f9:da:1e:8c:35:31:4d:60:8f:
de:aa:c7:c2:60:bf:64:74:f9:bb:8d:0e:d2:3e:48:
31:62:73:22:a4:27:d9:6d:74:ad:1a:46:98:d1:28:
1f:aa:1b:61:ef:2d:94:ce:04:91:01:f9:6a:4c:c3:
70:f9:f3
d=6d:b2:ad:e8:65:e2:22:c5:0c:b2:6c:d3:68:92:10:
a7:5b:54:e3:05:f5:0f:90:1a:c8:b9:5c:c0:a5:fd:
97:9f:78:ec:81:e4:84:94:aa:78:44:35:8e:55:57:
83:c3:19:3c:0c:fe:01:45:33:6c:50:0b:ab:2b:cf:
06:c8:15:1b:06:11:e5:c5:d9:5d:1b:fb:5a:cc:3c:
57:b2:a9:7b:3e:1a:22:cc:86:40:8b:f1:47:8c:e0:
54:31:cf:96:59:32:0a:c8:60:e4:f5:b9:16:80:ac:
c0:27:c1:26:a3:4c:10:85:3a:b7:02:cc:6d:b2:b8:
d9:da:df:f8:75:77:33:3c:d2:1d:64:b6:13:57:0c:
eb:e3:37:bd:60:32:ea:dc:ea:3c:db:23:a5:f4:00:
a5:60:b2:fd:f7:ab:3a:9b:02:3b:2f:c6:ab:03:2f:
78:03:7f:ea:60:dd:eb:11:02:59:37:f0:80:8f:00:
dd:23:de:c1:08:44:cc:28:19:e8:00:ad:f5:03:c4:
26:f5:2f:05:3e:43:fa:f2:29:5c:f6:9f:c3:89:bd:
02:ef:7c:d5:bd:94:76:6c:bb:8a:0b:77:00:d7:9e:
c7:d8:db:2b:bd:68:08:db:68:84:c6:f9:df:a3:11:
4a:94:56:5f:49:e1:87:d5:cd:b1:44:e4:68:69:44:
82:33:9c:ba:25:52:8a:97:9f:f4:87:57:ac:75:84:
96:60:07:db:42:3a:f5:be:03:32:b6:73:1e:4b:8a:
07:ab:b8:3b:c4:f5:ed:88:e0:c7:b3:12:44:66:0b:
1c:ce:95:f8:83:59:88:b7:0a:16:30:b4:61:a7:ba:
be:e5:b2:00:b8:ef:7c:d3:62:2e:2f:94:5e:2e:af:
d3:27:f8:5e:11:43:52:d0:a1:d3:71:0f:e5:91:5d:
47:82:a1:47:c4:75:74:0f:82:13:c2:a1:f8:db:23:
80:24:da:a0:c2:05:c1:72:92:18:a0:ce:0b:9b:58:
65:16:ce:da:4c:21:46:00:5f:db:8f:cf:26:77:62:
e3:b6:37:11:3a:1b:0b:7b:74:34:79:d4:74:04:6c:
f5:5f:14:ab:31:76:65:59:6a:70:46:7e:b3:d4:87:
cb:22:d1:dc:aa:47:73:85:dd:b8:c9:0d:e7:5d:31:
0d:dd:3b:5b:4d:ad:17:ad:dd:a2:a2:f0:a3:af:e9:
22:ac:c5:a0:a1:20:47:54:27:c5:23:3a:b4:58:24:
10:04:92:d1:26:2a:b2:40:0b:13:4d:dc:38:14:fd:
b6:51:06:f5:25:69:cb:74:c8:25:47:45:bd:e1:75:
42:8b:c7:8a:2e:91:dc:91:98:86:cc:c6:45:92:6a:
8e:19
p=00:ec:43:24:dd:7c:7e:cf:17:76:a7:96:67:06:dc:
b9:2b:45:84:49:7e:4e:e4:21:d8:d8:b3:5f:9a:88:
ab:78:3a:31:b4:5a:6c:f8:84:f8:85:38:19:18:ec:
34:26:92:e9:59:7b:8a:c7:12:86:28:1a:5d:5e:93:
c8:28:4f:0b:09:1c:5c:f9:38:ca:90:13:c6:59:98:
03:cd:ce:7a:b6:e8:f9:83:97:fd:22:82:a9:cc:9b:
da:30:b4:00:7b:d5:9d:ad:4d:13:12:83:b5:9f:17:
37:51:78:4c:45:2f:6f:1f:26:1d:33:0b:50:d7:4c:
0b:0f:50:e6:16:ee:29:5b:1b:ad:24:3c:14:2f:fa:
97:de:a8:3b:e1:37:a0:b4:93:9c:c1:af:3e:a2:69:
52:8d:13:d7:47:53:37:85:7c:9f:4e:0b:1d:1e:4e:
f8:39:fe:a7:a6:db:d2:a2:4f:4c:99:fc:e5:f3:a0:
89:09:15:d5:d8:16:90:98:28:df:d0:6f:14:70:c3:
33:1e:09:d1:58:a7:f4:58:73:c4:7d:4f:c5:d5:ff:
ac:5b:aa:d0:9a:b1:4b:c3:b1:7d:19:a9:33:98:63:
cb:c8:a4:72:8f:9f:81:43:e6:9e:b1:f6:9f:42:07:
e6:a9:e6:9f:d4:ce:3a:ee:7d:45:b5:12:f2:56:cf:
43:7f
q=00:c7:60:a4:cf:2d:ad:65:96:4f:bf:f1:f0:73:f8:
d6:b2:42:9d:c9:57:3f:5b:f7:1a:d6:93:36:dc:a0:
8a:28:ba:1f:00:59:fe:c9:34:bc:10:42:e0:3c:fb:
6f:6f:db:26:5c:42:ab:80:56:05:8c:81:bc:7a:4f:
4a:40:c4:a7:1f:09:16:e4:10:db:ee:6e:8d:c1:07:
5c:30:26:83:43:d0:13:a1:9d:af:e5:32:2b:6c:8d:
47:7d:34:c5:f4:3e:db:ba:88:c0:32:bf:ba:20:8c:
48:66:e6:c8:6e:ae:25:83:36:53:41:fd:ac:ac:c5:
ed:87:60:e6:82:a9:21:64:c6:77:ca:4d:8a:ca:02:
35:28:b7:d0:cb:a0:bf:02:82:bc:05:e0:15:86:25:
b3:e5:53:32:d9:1f:d8:f4:3b:a9:72:a6:8c:e4:4b:
7e:76:fc:29:02:fc:0f:f7:4f:40:01:ea:65:60:73:
1c:4e:33:6c:73:d4:23:e2:2b:f3:fc:64:78:45:be:
d2:61:29:1f:50:55:5f:af:f1:21:bf:d8:35:16:f9:
8c:7b:78:98:95:29:91:b3:48:30:11:fe:35:e7:4b:
77:86:74:45:c9:37:9d:fa:e1:37:18:33:7b:58:ec:
e1:23:32:1b:fb:cb:22:4b:4b:10:e1:38:2e:a8:69:
b3:8d
In summary, by carrying out the steps above we completed the Becoming a Certificate Authority (CA) task.
- Task 2: Generating a Certificate Request for Your Web Server
On the host / docker 1.1.1.1, run the following command. -passout sets the passphrase that protects server.key (change it from the lab default); -addext puts the additional host names into a subjectAltName extension of the request, which is what browsers match the visited host name against. Nothing, not even a comment, may follow the trailing backslash of a continued line, or the continuation breaks:
openssl req -newkey rsa:2048 -sha256 \
    -keyout server.key -out server.csr \
    -subj "/CN=www.name2022.com/O=Name2022 Inc./C=US" \
    -passout pass:dees \
    -addext "subjectAltName = DNS:www.name2022.com, \
DNS:www.name2022A.com, \
DNS:www.name2022B.com"
Then inspect the request and the key; the request should list the three names under X509v3 Subject Alternative Name in its Requested Extensions:
openssl req -in server.csr -text -noout
openssl rsa -in server.key -text -noout
In summary, by carrying out the steps above we completed the Generating a Certificate Request for Your Web Server task.
- Task 3: Generating a Certificate for your server
On the host / docker 1.1.1.1, run the following command. openssl ca takes the CA database layout from openssl.cnf (by default the ./demoCA directory with index.txt, serial and newcerts/), which must exist before signing; -policy policy_anything lifts the default policy_match requirement that the request's country, state and organization fields equal the CA's:
openssl ca -config openssl.cnf -policy policy_anything \
    -md sha256 -days 3650 \
    -in /demoCA/server.csr -out /demoCA/server.crt -batch \
    -cert /demoCA/ca.crt -keyfile /demoCA/ca.key
For the subjectAltName from the request to reach the certificate, openssl.cnf must be edited (before signing) to allow the "openssl ca" command to copy the extension field from the request to the final certificate, by uncommenting this line:
# Extension copying option: use with caution.
copy_extensions = copy
The caution is warranted: with copy, every extension in the request that the configuration's own x509_extensions section does not already set is copied verbatim, and copyall lets the request override even those. A CA that does not review a request's extensions could therefore issue, for example, a certificate asking for CA:TRUE. The default [usr_cert] section sets basicConstraints=CA:FALSE, which with copy takes precedence over the request.
Run:
openssl x509 -in /demoCA/server.crt -text -noout
and check whether the alternative names are included: the output should list www.name2022.com, www.name2022A.com and www.name2022B.com under X509v3 Subject Alternative Name.
In summary, by carrying out the steps above we completed the Generating a Certificate for your server task.
- Task 4: Deploying Certificate in an Apache-Based HTTPS Website
Edit the Apache site configuration file as shown in the figure.
Edit the hosts file on the host machine as shown in the figure:
Run the following commands:
a2enmod ssl            # enable the SSL module
a2ensite default-ssl   # enable the site described in default-ssl.conf
service apache2 start  # start the server
Import the CA certificate into Firefox:
Then enter the URL in Firefox:
Regarding the questions posed in the lab manual, we answer as follows:
At first the URL would not open correctly; this kept appearing:
Later I found the cause: my earlier edits to the hosts file had all been made inside the docker environment, whereas it is actually the host machine's hosts file that must be edited. After making that change, the site could be accessed normally, as shown in the figure:
In summary, by carrying out the steps above we completed the Deploying Certificate in an Apache-Based HTTPS Website task.
- Task 5: Launching a Man-In-The-Middle Attack
Edit the configuration file default-ssl.conf as shown in the figure.
Edit the hosts file (pointing the target name at our server).
Run the same commands as in Task 4, then visit the website www.seu.edu.cn in Firefox.
First, enter https://www.seu.edu.cn in Firefox.
The result is shown in the figure:
Then enter http://www.seu.edu.cn in Firefox.
The result is shown in the figure:
Regarding the questions posed in the lab manual, we answer as follows:
The two visits gave different results. With https, Firefox reported a security problem and refused to load the page; with http, Firefox displayed the site we had set up under that name.
Looking into this, we found that the browser verifies the name in the certificate against the site being visited. During the TLS handshake two separate checks take place:
1. Is the received certificate valid, i.e. is it signed by a CA the client trusts, so that the public key really belongs to the principal named in the Subject field? This says nothing about whether that principal is the site being visited. The SSL/TLS library performs this check.
2. Does the name in the certificate match the name of the site being visited? Applications such as the browser perform this check; modern browsers match the subjectAltName entries and ignore the commonName.
Our server certificate is issued to www.name2022.com (with www.name2022A.com and www.name2022B.com as alternative names), so check 2 fails for www.seu.edu.cn and the first visit is blocked. Plain http involves no certificate at all, which is why the second visit simply shows our page.
This demonstrates that PKI can defeat Man-In-The-Middle (MITM) attacks: an attacker can redirect traffic (here via the hosts file) but cannot present a certificate for the victim's name that passes both checks, unless a CA the browser trusts issues one, which is exactly the situation of Task 6.
In summary, by carrying out the steps above we completed the Launching a Man-In-The-Middle Attack task.
- Task 6: Launching a Man-In-The-Middle Attack with a Compromised CA
For Task 6 we pick a commercial website, www.taobao.com.
Then, using the steps from the earlier tasks, we issue a certificate for this site with our own CA.
Edit the hosts file and the configuration file default-ssl.conf as before.
On the host / docker 1.1.1.1, run the following commands:
openssl req -newkey rsa:2048 -sha256 \
    -keyout /demoCA/taobao.key -out /demoCA/taobao.csr \
    -subj "/CN=www.taobao.com/O=Taobao Inc./C=US" \
    -passout pass:dees
openssl req -in /demoCA/taobao.csr -text -noout
openssl rsa -in /demoCA/taobao.key -text -noout
openssl ca -config openssl.cnf -policy policy_anything \
    -md sha256 -days 3650 \
    -in /demoCA/taobao.csr -out /demoCA/taobao.crt -batch \
    -cert /demoCA/ca.crt -keyfile /demoCA/ca.key
openssl x509 -in /demoCA/taobao.crt -text -noout
a2enmod ssl
a2ensite default-ssl.conf
service apache2 start
Enter https://www.taobao.com in Firefox; the result is shown in the figure below.
Note that, unlike Task 5, the certificate now carries commonName=www.taobao.com, and Firefox already trusts modelCA from Task 4, so both checks described in Task 5 can pass: this is why a compromised (or merely over-trusted) CA breaks the protection. One caveat: Firefox matches the host name against subjectAltName only and ignores commonName, so the request should also carry -addext "subjectAltName = DNS:www.taobao.com" as in Task 2; without it Firefox reports a domain mismatch even though it trusts the issuer.
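The two checks described in Task 5, and the way Task 6 defeats them, can be made concrete with a small simulation of the client side. This is an added example and not code from the report or the SEED lab: certificates are plain dictionaries signed with textbook RSA over a SHA-256 digest using constructed toy Mersenne-prime keys, validity is counted in days, and the trust store is a dictionary keyed by issuer name; the names (www.modelCA.com, www.name2022.com, www.seu.edu.cn, www.taobao.com) are the ones used above. It shows where each scenario fails: the Task 5 certificate fails only the browser's name check, the Task 6 certificate passes both checks in a browser that imported ca.crt but fails the trust-store check in any other browser, a CN-only certificate fails the name check in a modern browser, and a certificate that merely claims modelCA as its issuer fails signature verification.

```python
import hashlib
import json
from math import gcd

E = 65537


def toy_keypair(p, q):
    """Textbook RSA pair from two primes (toy, for this simulation only)."""
    n, lam = p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, lam)}


def tbs_digest(cert):
    """SHA-256 of the to-be-signed fields (everything except the signature)."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")


def sign_cert(cert, ca_priv):
    return dict(cert, signature=pow(tbs_digest(cert), ca_priv["d"], ca_priv["n"]))


def signature_valid(cert, ca_pub):
    return pow(cert["signature"], ca_pub["e"], ca_pub["n"]) == tbs_digest(cert)


def dns_name_matches(pattern, hostname):
    """Match one dNSName from subjectAltName (possibly *.example.com) against
    a host: case-insensitive; a wildcard only as the whole leftmost label,
    matching exactly one label and never a bare TLD such as *.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname, allow_cn_fallback=False):
    """Check 2 of the report, done by the application (the browser): browsers
    match subjectAltName only and, since Firefox 48 / Chrome 58, never fall
    back to commonName, so a SAN-less certificate fails this check."""
    if cert["san"]:
        return any(dns_name_matches(name, hostname) for name in cert["san"])
    return allow_cn_fallback and dns_name_matches(cert["cn"], hostname)


def validate(cert, hostname, trust_store, today=730):
    """Return (accepted, reason). Check 1 (TLS library): the issuer must be a
    CA in the trust store, that CA's key must verify the signature, and today
    (in days, as with -days 3650) must lie in the validity window. Check 2
    (browser): the certificate must name the host that was requested."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return False, "issuer not in trust store"
    if not signature_valid(cert, ca_pub):
        return False, "signature does not verify under the trusted CA key"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return False, "outside validity period"
    if not hostname_matches(cert, hostname):
        return False, "hostname mismatch (SSL_ERROR_BAD_CERT_DOMAIN in Firefox)"
    return True, "ok"


def make_cert(cn, san, issuer, signer_priv):
    cert = {"cn": cn, "san": san, "issuer": issuer, "not_before": 0, "not_after": 3650}
    return sign_cert(cert, signer_priv)


# Constructed keys from Mersenne primes (toy sizes, unlike the lab's 4096-bit
# CA key). The attacker has a key of his own but controls no trusted CA.
MODEL_CA_PUB, MODEL_CA_PRIV = toy_keypair(2**127 - 1, 2**521 - 1)
ATTACKER_PUB, ATTACKER_PRIV = toy_keypair(2**107 - 1, 2**607 - 1)
LAB_BROWSER = {"www.modelCA.com": MODEL_CA_PUB}   # Firefox after importing ca.crt (Task 4)
NORMAL_BROWSER = {}                                # any browser that never imported it

# Task 5: the www.name2022.com certificate served for www.seu.edu.cn
SERVER_CERT = make_cert("www.name2022.com", ["www.name2022.com", "www.name2022A.com",
                        "www.name2022B.com"], "www.modelCA.com", MODEL_CA_PRIV)
# Task 6: www.taobao.com certificates issued by the compromised modelCA, once
# with a subjectAltName and once, as in the CSR above, with a commonName only
TAOBAO_CERT = make_cert("www.taobao.com", ["www.taobao.com"], "www.modelCA.com", MODEL_CA_PRIV)
TAOBAO_CN_ONLY = make_cert("www.taobao.com", [], "www.modelCA.com", MODEL_CA_PRIV)
# An attacker who merely names modelCA as issuer but signs with his own key
FORGED_CERT = make_cert("www.taobao.com", ["www.taobao.com"], "www.modelCA.com", ATTACKER_PRIV)


def scenarios():
    return {
        "task5_https_wrong_name": validate(SERVER_CERT, "www.seu.edu.cn", LAB_BROWSER),
        "task4_own_name": validate(SERVER_CERT, "www.name2022.com", LAB_BROWSER),
        "task6_compromised_ca": validate(TAOBAO_CERT, "www.taobao.com", LAB_BROWSER),
        "task6_cn_only": validate(TAOBAO_CN_ONLY, "www.taobao.com", LAB_BROWSER),
        "task6_normal_browser": validate(TAOBAO_CERT, "www.taobao.com", NORMAL_BROWSER),
        "forged_issuer_name": validate(FORGED_CERT, "www.taobao.com", LAB_BROWSER),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The order of the checks in validate mirrors a real client: the chain and signature are verified by the TLS library before the application ever looks at the names, which is why an attacker without a trusted CA is stopped at "issuer not in trust store" regardless of what names the forged certificate carries.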
In summary, by carrying out the steps above we completed the Launching a Man-In-The-Middle Attack with a Compromised CA task.
From: https://blog.csdn.net/XLYcmy/article/details/143104478