Your aim is to set up a web server that supports HTTPS, and explain the issues with HTTPS

Question 1. HTTPS and Certificates

Aim

Your aim is to set up a web server that supports HTTPS, and explain the issues with HTTPS and certificates.

Complete the following phases, in order:

Phase 1: Setup

1. Ensure your MyUni grading system, including new student user and domain of are set up. See the instructions in Assignment 1. You can continue to use the setup from Assignment 1.

Phase 2: Certificate Signing Request

You will need to use the files from Assignment 1.

1. Using [StudentID]-keypair.pem from Assignment 1, create a Certificate Signing Request called [StudentID]-csr.pem. The CSR must contain these field values:

• State: state of your campus

• Locality: city of your campus

• Organisation Name: your full name

• Common Name: www.[StudentID].edu

• Email address: your @cqumail address

• Other field values must be selected appropriately.

Phase 3: Self-Signed CA Certificate

Now you will switch mode, and act as a Certificate Authority (CA). You can find the instructions for the following two steps in NSL 12.3.1.

1. Using [StudentID]-keypair.pem from Assignment 1, create a CA Self-signed certificate called [StudentID]-ca.pem. The self-signed certificate must contain these field values:

• State: state of your campus

• Locality: city of your campus

• Organisation Name: your full name

• Common Name: CA [StudentID]

• Email address: your @cqumail address

• Other field values must be selected appropriately.

2. Set up a Certificate Authority directory (e.g. demoCA or similar).

3. Upload your CA Self-signed Certificate to the CA Directory on Moodle.

In the following phases, you will act as the CA for your partner, and your partner will act as the CA for you.

Phase 4: Certificate from CA

Your partner will act as your Certificate Authority. You may use the same partner from Assignment 1 or change partners.

1. Email your CSR to your partner.

2. Your partner will create a Certificate for you and publish it in the Certificate Directory on Moodle.

3. Download your Certificate from the directory and save it as the file [StudentID]-cert.pem.

Phase 5: HTTPS Configuration

1. Configure Apache web server on node3 to use HTTPS. Remember the domain name must be www.[StudentID].edu where [StudentID] is replaced with your actual student ID.

2. Load the appropriate CA certificate into the client on node1. The CA certificate can be downloaded from the directory on Moodle.

Phase 6: Testing

1. Start capturing on node2 using tcpdump.

2. On node1, use lynx to visit https://www.[StudentID].edu/grades/ and log in to view some grades.

3. Exit lynx.

4. Stop capturing and save the file as [StudentID]-https.pcap.

Phase 7: Analysis

(a) Add the following files to [StudentID]-files.zip:

CSR: [StudentID]-csr.pem

CA Certificate you created: [StudentID]-ca.pem

Certificate you received: [StudentID]-cert.pem

Packet capture: [StudentID]-https.pcap

(b) As the attacker you can learn information from intercepting the packets. Based on the packet capture file, write a brief report on what useful information you can learn from the interception. The report must refer to specific values and packet numbers, and give a brief explanation of how the information may be useful for the attacker.

Now consider the role of certificates in this question.

(c) There were two different certificates exchanged between server and browser. For each certificate complete the following information.

Information                                                                     Certificate 1                             Certificate 2

Whose public key is included?

What hash algorithm was used in signing?

Whose private key was used when creating the certificate?
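
The certificate chain from Phases 2 to 4, the client trust check from Phase 5 and the fields asked about in part (c), as an added example that is not part of the original assignment. It signs the CSR with "openssl x509 -req" rather than the demoCA / "openssl ca" setup the assignment refers to; the student ID, subject values, the "partner" and "other" names and the helper function names are constructed placeholders, and fresh keys stand in for the Assignment 1 key pairs.

```bash
#!/usr/bin/env bash
# Added example: CSR -> self-signed CA -> CA-signed certificate -> checks.
# Constructed values: SID stands in for [StudentID]; subjects are placeholders.
set -eu
SID=12345678
W=$(mktemp -d)
SUBJ="/C=AU/ST=Queensland/L=Brisbane/O=Example Student"

# Stand-ins for the Assignment 1 key pairs (yours, your partner's, an unrelated CA's).
for n in "$SID" partner other; do
  openssl genrsa -out "$W/$n-keypair.pem" 2048 2>/dev/null
done

# Phase 2: the CSR carries your subject and public key, signed with your own key.
openssl req -new -key "$W/$SID-keypair.pem" -out "$W/$SID-csr.pem" \
  -subj "$SUBJ/CN=www.$SID.edu/emailAddress=student@example.invalid"

# Phase 3: a self-signed CA certificate (subject and issuer are the same name).
make_ca() {  # make_ca <name>: writes <name>-ca.pem, signed by <name>-keypair.pem
  openssl req -new -x509 -sha256 -days 365 -key "$W/$1-keypair.pem" \
    -out "$W/$1-ca.pem" -subj "$SUBJ/CN=CA $1"
}
make_ca partner
make_ca other

# Phase 4: the partner's CA private key signs the CSR.
openssl x509 -req -sha256 -days 90 -in "$W/$SID-csr.pem" \
  -CA "$W/partner-ca.pem" -CAkey "$W/partner-keypair.pem" -CAcreateserial \
  -out "$W/$SID-cert.pem" 2>/dev/null

# Part (c): read the fields straight from a certificate file.
cert_field() { openssl x509 -in "$1" -noout "-$2"; }   # $2 = subject | issuer
sig_alg() { openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $3}'; }
same_pubkey() {  # same_pubkey <cert> <private-key>: is this key's public half in the cert?
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# Phase 5 step 2: the client accepts the server certificate only under the issuing CA.
trusted_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # <ca-file> <cert-file>

CERT="$W/$SID-cert.pem"
cert_field "$CERT" subject
cert_field "$CERT" issuer
sig_alg "$CERT"
same_pubkey "$CERT" "$W/$SID-keypair.pem" && echo "public key: server's own"
trusted_by "$W/partner-ca.pem" "$CERT" && echo "partner CA: accepted"
trusted_by "$W/other-ca.pem" "$CERT" || echo "other CA: rejected"
```

The last line shows why loading the wrong CA certificate on node1 makes the client reject the server: verification succeeds only when the issuer's signature chains to a certificate the client already trusts.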

Now consider the use of certificates in the real Internet (not in virtnet), in particular certificates used for websites. To answer these questions, you may need to research further about the topics.

(d) One issue with certificates is dealing with compromised certificates (e.g. when the private key has been compromised or the certificate is no longer correct). Explain what CRL and OCSP are, including how they assist in dealing with compromised certificates, and compare the two.

(e) Consider the validity period (or lifetime) of certificates issued by a Certificate Authority. Compare the validity period used, allowed or recommended by different services (that is, organisations that issue or accept certificates, e.g. LetsEncrypt, Apple, GoDaddy, DigiCert, Google or others). Discuss the advantages and disadvantages of having a shorter validity period. In your discussion refer to the specific services and the values they use or allow.

Hint
Hashing algorithms, or hash algorithms, are functions that generate a fixed-length result (the hash, or hash value) from a given input; the hash value is a summary of the original data. A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a hash of a fixed size. It is designed to be a one-way function, infea...
