Advanced Security for Systems Engineering VU - WS2022 (183.645) Lab0

Team size: 1

Start and deadline for this lab: see tuwel

Exercise interview: No exercise interviews. If submissions are unclear students can be invited for exercise interviews.

Exercise Lab0

This lab should enable you to work with encrypted emails and also with X.509 certificates and certificate authorities. Furthermore, it is needed to login to the exercise environment for the following labs.

Specification Lab0a

This part of the exercise deals with simple cryptography which you are obliged to solve for receiving credentials for the lab environment. It is compulsory that you use your student email-address (eMATRICULATION_NUMBER(at)student.tuwien.ac.at, MATRICULATION_NUMBER stands for your own matriculation number and (at) for @). Use a mail client of your choosing and configure your email address.

Install PGP or GnuPG. Create a key-pair and assign it to your e-mail address. Then use our Account Mailer.

IMPORTANT: You will receive the login credentials for further exercises via an encrypted e-mail. Therefore, it is mandatory that you manage to receive encrypted e-mails and decrypt them. Of course, you can use the account mailer service more than once for testing purposes. Please also remember your changed password for the further labs ;-)

Specification Lab0b

With the credentials of Lab0a you have to log in at the exercise environment using ssh (tese.inso.tuwien.ac.at, Port 20000. (On Windows you can use, e.g., putty.) After login on tese, you will find a file containing some text that you must include in the submission document (refer to Specification Lab0d).

The following fingerprints can be used for verification of the host key: SHA256:z5nliIMs3Iy5jInoqLzyBvKVrY3BE1p6ZIy4eeypahE (ECDSA), SHA256:EeLR4QpXUs1D7qKHKGQkKJw7HYZUHW3kB/8uwWl1Ris (RSA). You might need to configure your client in order to obtain the desired key type.

You are required to change the initial password of your account obtained via the Lab0a web service on the first login.

Please make sure that SSH multiplexing is not enabled. Otherwise, the password change request happens again on successive logins through the established SSH connection.

Specification Lab0c

In this exercise you will use/learn the basics of how to deal with X.509 certificates. A common library used for handling X.509 is openssl and its command-line tool. In case you have not yet heard about it, you should look up some documentation. For example, HOWTOs at http://www.openssl.org/docs/).

You first need to generate your own intermediate certificate authority (CA) and have it signed by our root certificate authority for this lab.

Create a certificate authority with the following details:

• Common Name (CN): MATRICULATION_NUMBER-Intermediate-CA-WS2022
• Organizational Unit (OU): ESSE-Lab0-Exercise
• Signature Algorithm: sha512WithRSAEncryption
• Public Key Algorithm: RSA
• Public-Key length: 4096 bit
• X509v3 Basic Constraints:
  • critical
  • CA:TRUE
  • pathlen:0
• X509v3 Key Usage
  • critical
  • Certificate Sign
  • CRL Sign

Create a certificate signing request (CSR) for this intermediate CA and upload it via tuwel at the submission page of Lab0c tuwel

If you successfully submitted the CSR and all details are correct the submission system will sign it with our root certificate authority (ESSE-Lab0-Root-CA-WS2022) for this lab. Your signed certificate and the certificate of our root certificate authority (ESSE-Lab0-Root-CA-WS2022) can be downloaded at the submission page of Lab0c in tuwel.

The submission of Lab0c is worth 5 points (of total 20 points for Lab0).

Specification Lab0d

Create a key pair for the purpose of signing documents with the following details:

• Common Name (CN): MATRICULATION_NUMBER-Signee-Entity-WS2022
• Public Key Algorithm: id-ecPublicKey
• Public-Key length: 256 bit
• Curve: prime256v1
• X509v3 Basic Constraints:
  • CA:FALSE
• X509v3 Key Usage
  • Digital Signature
  • Key Encipherment

Then sign this key (MATRICULATION_NUMBER-Signee-Entity-WS2022) with your intermediate CA (MATRICULATION_NUMBER-Intermediate-CA-WS2022) with the following details:

• Signature Algorithm: sha512WithRSAEncryption

Combine the certificates for the following CAs respectively key into the file cert-chain_MATRICULATION_NUMBER.pem:

• ESSE-Lab0-Root-CA-WS2022
• MATRICULATION_NUMBER-Intermediate-CA-WS2022 which is signed by ESSE-Lab0-Root-CA-WS2022
• MATRICULATION_NUMBER-Signee-Entity-WS2022 which is signed by MATRICULATION_NUMBER-Intermediate-CA-WS2022

Create a file cookie_MATRICULATION_NUMBER.txt with the following content:

• Include the full name of the file you found in Lab0b in the submission document.
• Copy the text of the file you found in Lab0b fully and exactly into the submission document.

Sign your file cookie_MATRICULATION_NUMBER.txt with the following details and save the signature in cookie_MATRICULATION_NUMBER.txt.sha512

• Using your key MATRICULATION_NUMBER-Signee-Entity-WS2022
• Digest: SHA512
• Output of signature in binary form

Pack the following files into the file lab0d_MATRICULATION_NUMBER.tar.bz2

• cert-chain_MATRICULATION_NUMBER.pem
• cookie_MATRICULATION_NUMBER.txt
• cookie_MATRICULATION_NUMBER.txt.sha512

Upload the file lab0d_MATRICULATION_NUMBER.tar.bz2 via tuwel at the submission page of Lab0d tuwel

The submission of Lab0d is worth 15 points (of total 20 points for Lab0).

Notes

• If you first deal with openssl and X.509 it might look fairly complex. Don't be afraid and keep on trying. :)
• In June 2017 the matriculation numbers were changed to 8 digits. For this submission you must only use the 8 digit version of your matriculation number.
• Upload your file before the deadline. Delayed uploads will be cut points even if you already uploaded a file before:
  • max. 1 day delayed: max. 70% of the maximal points
  • max. 2 days delayed: max. 50% of the maximal points
  • 3 or more days delayed: max. 0% of the points
• You will get automated feedback after the upload.
• Before uploading a file in tuwel make sure that your submission precisely complies with the specification as stated above. You are advised to carefully analyze your submission file on your local system before uploading it in tuwel.
• You have multiple (but limited) attempts for your submissions. After the eighth attempt for the submission of Lab0c you will lose 2 points with every succeeding attempt. After the third attempt for the submission of Lab0d you will lose 2 points with every succeeding attempt.
• The last document you upload will be used for grading.

Please keep in mind that this lab is relatively short. Do not deduce the effort of later labs from lab0.

Additional Notes

• Some of our systems will be rebooted at 04:00 AM automatically every day and are usually not reachable over the Internet for 30 minutes. You are responsible to finish your work before this time and save your data at your local computer. We do not backup any data from your exercise account. Anything you store in your exercise account may be deleted.
• Please stick to the given deadline. Otherwise, you may lose points.
• We will grade the last version of your submission to tuwel.
• For team exercises, division of labor within the team is allowed, of course. However, every team member must know about the specifics of every exercise and needs be able to answer questions about it.
• If stated, please use the compression algorithms or programs noted in the exercise descriptions. Should your submission differ from the given details, you will not be awarded any points.
• If you have any questions ask your colleagues first. You can also use the tuwel forum. Please write questions which only affect yourself to lva.security@inso-world.com
• Note concerning forums: We monitor the tuwel forum and answer questions there. We do not actively look at any other forums than the tuwel forum.
• Please do not expect any help in time if you ask the day before the deadline :-)

Back to Top