PKI lab
A lab report from a third-tier school; I have only included the important screenshots (I'm just lazy).
Task 1: Becoming a Certificate Authority (CA)
Generate a self-signed CA certificate
openssl req -new -x509 -keyout ca.key -out ca.crt -config myCA_openssl.cnf
- Lab questions
  - What part of the certificate indicates this is a CA's certificate?
    Answer: The Issuer field identifies the CA certificate.
  - What part of the certificate indicates this is a self-signed certificate?
    Answer: Issuer and Subject are identical.
  - In the RSA algorithm, we have a public exponent e, a private exponent d, a modulus n, and two secret numbers p and q, such that n = pq. Please identify the values for these elements in your certificate and key files.
    Answer: They can be read from the ca.key file.
Task 2: Generating a Certificate Request for Your Web Server
Generate the private key server.key and the request file server.csr, adding subject alternative names for www.bank57119419.com
openssl req -newkey rsa:2048 -sha256 \
-keyout server.key -out server.csr \
-subj "/CN=www.bank57119419.com/O=Bank57119419 Inc./C=CN" \
-passout pass:dees \
-addext "subjectAltName = DNS:www.bank57119419.com, \
DNS:www.bank57119419A.com, \
DNS:www.bank57119419B.com"
Task 3: Generating a Certificate for your server
Copy the default configuration file (/usr/lib/ssl/openssl.cnf) into the lab folder Labsetup, rename it myCA_openssl.cnf, and set up the files the root CA needs:
![[Pasted image 20220811131115.png]]
Generate the server certificate
openssl ca -config myCA_openssl.cnf -policy policy_anything -md sha256 -days 3650 -in server.csr -out server.crt -batch -cert ca.crt -keyfile ca.key
Task 4: Deploying Certificate in an Apache-Based HTTPS Website
Build and start the container
dcbuild
dcup
Enter the container and configure the web page through Apache
Modify the hosts file
Copy the certificate and private key (server.key and server.crt) into the container's /certs folder via the shared volumes folder
Create a new folder bank57119419 under /var/www/, copy the HTML files from /var/www/bank32 into /var/www/bank57119419 and modify them as needed (vim has to be installed first)
Modify the contents of /etc/apache2/sites-available/bank32_apache_ssl.conf in the container
Run the following commands to enable the site and start the server
a2enmod ssl
a2ensite bank32_apache_ssl
service apache2 start
In Firefox, open about:preferences#privacy
Import your own CA certificate
The website is now reachable
Task 5: Launching a Man-In-The-Middle Attack
Enable another site in Apache: copy /etc/apache2/sites-available/bank32_apache_ssl.conf and name the copy baidu_apache_ssl.conf
Change bank57119419.com to www.baidu.com
Reload Apache
a2ensite baidu_apache_ssl
service apache2 reload
service apache2 start
Add the host mapping
Visiting www.baidu.com fails
Because no certificate for www.baidu.com can be obtained, the site cannot be accessed
PKI can defend against man-in-the-middle attacks because the attacker cannot obtain a certificate for the target domain signed by a CA. Neither a self-signed certificate nor a certificate whose domain does not match the visited domain can complete the attack: for a self-signed certificate the browser has no corresponding CA certificate, and a domain mismatch also triggers an error.
Task 6: Launching a Man-In-The-Middle Attack with a Compromised CA
Use the CA created in Task 1 to sign a certificate for www.baidu.com
# generate the key and CSR (written to server2.key / server2.csr, which the signing step below uses)
openssl req -newkey rsa:2048 -sha256 \
-keyout server2.key -out server2.csr \
-subj "/CN=www.baidu.com/O=Bank57119419 Inc./C=CN" \
-passout pass:dees \
-addext "subjectAltName = DNS:www.baidu.com"
# generate the certificate
openssl ca -config myCA_openssl.cnf -policy policy_anything -md sha256 -days 3650 -in server2.csr -out server2.crt -batch -cert ca.crt -keyfile ca.key
Store the certificate and key in the container's /certs folder
cp /volumes/server2.crt /certs
cp /volumes/server2.key /certs
Modify the HTML files in /var/www/bank57119419 (index.html and index_red.html)
Update the certificate and key paths in /etc/apache2/sites-available/baidu_apache_ssl.conf inside the container
Reload Apache
a2ensite baidu_apache_ssl
service apache2 reload
service apache2 start
Add the host mapping
Visit www.baidu.com and land on the fake Baidu site
Because the root CA has been stolen by the attacker, the attacker can use this CA's private key to issue arbitrary certificates and set up a phishing site.
When the user suffers a DNS cache poisoning attack that alters the DNS mapping, so that the user's HTTPS request lands on the malicious web server, the browser raises no warning at all. This experiment therefore successfully carried out a man-in-the-middle attack.
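The reasoning in Task 5 and Task 6 comes down to two checks the browser performs: is the certificate issued by a CA in the trust store, and does its subject alternative name cover the visited hostname. The script below is an added example, not part of this report: using only the openssl CLI it builds a root CA, issues certificates with it, and asks `openssl verify` those same two questions for the four situations the report describes (correct site, certificate reused for another hostname, self-signed certificate, certificate minted by the compromised CA). The req.cnf contents, the "Lab Root CA" name and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original lab report: reproduce with the openssl CLI the
# two checks a browser makes in Tasks 4-6 (trusted issuer and matching hostname).
# Every key, certificate and file name below is constructed for this demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config. v3_ca carries the CA:TRUE constraint that marks a CA certificate
# (Task 1, question 1); v3_leaf is for the self-signed server certificate of Task 5.
printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' 'commonName = CN' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
    '[v3_leaf]' 'basicConstraints = CA:FALSE' > req.cnf
GEN="-batch -nodes -newkey rsa:2048 -sha256 -config req.cnf"

# Root CA as in Task 1: self-signed, so Issuer == Subject (question 2).
openssl req -x509 $GEN -days 365 -keyout ca.key -out ca.crt \
    -subj "/CN=Lab Root CA/O=Bank57119419 Inc./C=CN" 2>/dev/null

# issue NAME: CSR with a SAN for NAME, signed by the root CA (Tasks 2-3 in one step).
issue() {
    openssl req $GEN -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" 2>/dev/null
    echo "subjectAltName=DNS:$1" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
        -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
issue www.bank57119419.com   # the lab's own server certificate (Task 3)
issue www.baidu.com          # Task 6: the compromised CA signs another site's name

# Task 5: a self-signed certificate for www.baidu.com; no trusted CA has vouched for it.
openssl req -x509 $GEN -extensions v3_leaf -days 365 -keyout self.key -out self.crt \
    -subj "/CN=www.baidu.com" -addext "subjectAltName=DNS:www.baidu.com" 2>/dev/null

# verdict CERT HOSTNAME: "accepted" only if CERT chains to ca.crt (the sole trust anchor,
# like the CA imported into Firefox in Task 4) AND its SAN covers HOSTNAME.
verdict() {
    if openssl verify -no-CAfile -no-CApath -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

for c in "www.bank57119419.com.crt www.bank57119419.com" \
         "www.bank57119419.com.crt www.baidu.com" \
         "self.crt www.baidu.com" \
         "www.baidu.com.crt www.baidu.com"; do
    set -- $c
    printf '%-26s presented for %-22s -> %s\n' "$1" "$2" "$(verdict "$1" "$2")"
done
```

The last line of output is the whole point of Task 6: the certificate for www.baidu.com is accepted not because anything about it is legitimate, but because the trust store contains the CA that signed it, so protecting the CA private key and the trust store is what the entire scheme rests on.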