CSE 539: Applied Cryptography

Project 5, Due date: Nov 19 2019

Certificate Authentication

[Groups of TWO]

Purpose

Digital certificates are electronic documents that are used to identify an individual, company, server, or other entity while associating the identity with a public key. You could think of a digital certificate like that of a passport, driverís license, or personal ID which provides a recognized proof of identity. Digital certificates can be essential to security. The implementation of digital certifications assists in the problem of impersonation as it is privacy-based which will allow the private data to be protected and prevents those without access from viewing. The purpose of this project is to challenge students to write a program that interacts with given certificates.

Objectives

Students will be able to:

        Differentiate digital certificates and certification authority (CA)

        Encrypt and decrypt strings with RSA using public and private keys

        Explain ubiquity

Technology Requirements

        Python 3 on Linux


Project Description

In cryptography, a certification authority (CA) is an entity that issues digital certificates. A CA acts as a trusted third party who can be trusted both by the owner of the certificate and the party relying upon the certificate. A digital certificate certifies that a public key is owned by the named owner of the certificate (subject). The format of these certificates is specified by the X.509 or OpenSSL standards. A very common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the WWW.

A certificate is essential to circumvent a malicious party which happens to be on the route to a target server which acts as if it were the target. The client (your browser) uses the CA certificate to authenticate the CA signature on the server certificate as part of the authorizations before launching a secure connection. Usually, browsers include a set of trusted CA certificates. The quantity of internet browsers, other devices, and applications which trust certificate authority is referred to as ubiquity.

Submission Directions for Project Deliverables

This project should be submitted electronically and will be graded by execution of the program. Use Python, and provide a README with details on how to execute your program. Keep in mind that during grading, the programs will be executed on a Linux machine - do not use paths like C:\\ in your code. Keep them relative according to Linux norms for ease of grading.

Method of Submission:

Submit your program as a single file named CertAuth.py. The OpenSSL and cryptography Python 3 libraries will be needed, see ďHow toĒ below.

Directions

For this assignment you have been provided 3 certificates in the certificate.zip file:

        A public certificate (subject.crt)

        A backup file containing the private key corresponding to it (cert_bckup.p12)

        Password on the .p12 file: CSE539_Rocks!

        The CA public certificate (root.cer)

Write a Python 3 program to do tasks 1-6. For each task, you should print out the relevant value as a line of text.

1.       Verify the Subjectís certificate (print True if valid, False otherwise)

2.       Print the following form on the Subjectís certificate (where applicable, print the common name):

a.       Subject name

b.       Issuer

c.       Serial Number

d.       Encryption Algorithm

e.       Not Valid Before

f.        Not Valid After

3.       Print the Subjectís public and private key (the public key is represented by the integers n and e; and, the private key, by the integer d)

a.       Public Key Modulus (n)

b.       Public Key Exponent (e)

c.       Private Key Exponent (d)

4.       Print the public Key of Certification Authority.

a.       Root Public Key Modulus (n)

b.       Root Public Key Exponent (e)

5.       Print the hex signature on the Subjectís certificate

6.       Encrypt the following string using RSA: bíHello Worldí. Use OEAP padding, the mask generation function MGF1, and the SHA256 hash function. Note that encryption may not produce deterministic results. You can verify your encryption algorithm by writing a decryption algorithm in the same way. For encryption, use the subjectís public key. For decryption, use the subjectís private key.

For submission, your program should work with any files from the command line. You will receive as input, in order: the p12 file path, the CA (root) crt file path, the client (subject) crt file path, and the password. A sample of running the program with the given input files and a sample output is included at the end of this document. As mentioned above, encrypt may return a different value.

How To: Python

References:

https://pyopenssl.org/en/stable/api/crypto.html

https://cryptography.io/en/latest/x509/reference/

Read Certificate:

You will need to create certificate objects with both the OpenSSL and the x509 cryptography libraries. Printing signature in hex format is possible only with x509. Print all other the information using the OpenSSL certificate object only. You will need to supply CSE539_Rocks! as the password to access private certificate data for the sample file.

Verify Validity:

You can use X509Store method in the OpenSSL crypto package. You will need to create a store object and add root certificate to it. After you create an X509 store context object and add store and subject certificate to it, you can call the verify method on the store context object.
Note that verify either returns true or throws an exception, so you will need to handle the exception using try catch like construct.

Read Public and Private Key:

Read the public key from the subject.crt certificate. A private key is only available in the .p12 backup file. You will need to supply the password CSE539_Rocks! to access the private key data. Read the CA public key from the root.crt certificate.

Encrypt and Decrypt:

You donít need to initialize a new key object; use the public key and private key objects you received when reading the subjectís public and private certificate. Use a public key to encrypt and a private key to decrypt.

Sample Input and Output

Input:

python3 CertAuth.py Certs/cert_bckup.p12 Certs/root.crt Certs/subject.crt CSE539_Rocks!

Output:

False

sundevilsafe.com

Sectigo RSA Domain Validation Secure Server CA

279175654248908418197316606967672119883

sha384

20190322000000Z

20190620235959Z

21077153818761509013420887295789777526381470891059241603835731174578561528272514732364372022128313222798429799591634889643647267740984746901232961644484807420124065572225124454192930109284610798617935357525847868490316254559361469173074997262741836934984543216611426323596674966026821843549785698420735419753126471392900277945728904520317719259592910223328604555566083744041993316206931791473030770736422668152835623336582614954598264269116246863755011903025431632958306918948555150293497429964013313496981504332051411997440129210325623096165343650017640049684435715502081065400604868571467789815798919466984120998231

65537

20469316708160485896168564531716922810345323676751263413939191328080347064863523584704749776346197593595246371585650637367429355172047182294318847517990212213995703213076773366739664962778851999628236442016687356543680038053918846277045094386098382522864354824109548060148581283285916808465648570233372709477222926078396437063074558652509596240217659669058906477447694617589514669915022823005730080777796709538516201141180486675691317261285377759600040684392562040472934417058570908651695501267618994383882755575654905239170830103038997863787228548690240631428563719194486647898359199841788125780247777507705990187345

27071805731268068429094433253870941103630115656544083986688557250096650002741356969068276793574297189996744882329828714710418422450500008985954757761749612179194262954838266897268532461471487935006536720272494786369295065485985775416665556679189441271529970596944264659076045397506534017596880375081936227230390079744485923579156075147392924215968126808432802589158460341539735535162275393422353916283261069707744210608603163551594107036190302366892832801673071921401850194237815007641724075220215236537097134132878656895768334289537403738520740616524362273323209296475725089291190047065303870231628551068954108124949

65537

2507d45cba6f3cf90bb9def0bd750413b3cd6041875be309d016846dda8ff56e026929d3cabc8021fcc58983201d5674ac08baaafc8fad36176523e40cf68f7a6ccb1829bdcdf243c161f352b1063a69c497254d388d6da96680b36eb1bef61e1f92e0647ff33fc3ce1fc1b96ea6fb8feea16c019d2c7f01eeef999b15c5b7ac6faf5ba266023aa5a7cfde17385c4f8f641f0690dda072ca283391afb6d570bca1e786ce7f981d412da48fd7666a5a902981ce39f406d1092bfd54c046e2a6cb4933075b9d3c5bd590ad2f84112e95ab8a7e581bd4860ae38813316874ec67b532cf137720694c00ba539aba66775a5e7be5e575ebe168415b0a1f12b5ddc85a

7dc13c3e3e2d74babae682f7c3ae9601ba1baeaab23b2a42d3fdf9e802e29fb134531f860ef00119a90117b332ef37f7d428da8732317cb41f13da568fdccb6337229bdf16800de827450d2f5fd4348e03d47b51c22b56aed334e4a6bb8b48f0abc33d0df60f919f6b84a22692af4713d3255eec140485f2aed9b74c4a1eeea6b2bf3a41762cb76e8929eb5bbb58a77aeaceec6eec9bd4ae79e4c9fac4a74b0285e9b093022c7ee0f1616d703ade41abf37e3a90f82c0e00002744defe6903867746367f34d4a1dc89e26dabbe550b2de0c6de027141ee201e9f7e44edfefcdaf435f875ede659aaa96af2d6978c612b44040d4f0113f63fc1866c9313d7bf30