For this project you will practice using some of the crypto tools we covered in class, including SSL / TLS, GnuPG (gpg/pgp), OpenSSL, and other tools.
gpg (or “GnuPG”) and MD5 to verify downloaded software:
(in this case, “gnupg-2.1.9.tar.bz2”) and the matching GPG signature file (in this case, “gnupg-2.1.9.tar.bz2.sig”).
gnupg-2.0.19.tar.bz2.sha1 with the sum found on this web page, using the format described in the sha1sum(1) man page: the hex sum, then either two spaces (text mode) or a space and an asterisk (binary mode), then the file name. (sha1sum -c reads this format back and reports OK or FAILED for each file listed.) What exact command(s) did you use, and what was the resulting output?
cp tarball tarball-original
echo 'yikes!' >> tarball
Now verify the checksum and the signature again. The SHA1 checksum must fail, because the sum covers every byte of the file. Whether gpg --verify fails depends on how the file was signed. With a detached signature (a tiny *.sig file and a separate tarball, which is what gnupg ships), gpg hashes the whole tarball, so the appended “yikes!” gives “BAD signature”. With an inline signature (gpg --sign or --clearsign, with --armor), the signed data is self-contained: this is a “feature” of gpg, in that signed files have delimiters at the start and end of the actual signed material, and anything that appears before or after them in the file is ignored, so appending garbage to the end has no effect and gpg still reports a good signature. (This was designed to make it easy to save a signed file sent in the body of an email message; gpg ignores the mail headers and the mail signature block.) The caveat for a practitioner: a good signature on an inline-signed file says nothing about bytes outside the delimiters, so work with the data gpg extracts (gpg --output, or gpg --decrypt) rather than with the file as received. Which case applies to the gnupg download above, and what would gpg have reported in the other case?
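The delimiter behaviour described above can be seen without gpg by splitting an ASCII-armored clearsigned file into the bytes the signature covers and the bytes gpg ignores, following the cleartext signature framework of RFC 4880 section 7. This is added example code for this page, not gpg's own code, and it verifies nothing (gpg does that): it only shows which bytes a clearsign signature is over. The sample message is constructed, and its signature block is a placeholder with the right shape rather than a real signature.

```python
"""Split a clearsigned file into what gpg checks and what it ignores (RFC 4880 s.7).
Added example code, not part of gpg; no signature is verified here."""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: mail headers in front, garbage appended after the armor.
# The signature block is a placeholder, so gpg would NOT accept this input.
SAMPLE = """\
Delivered-To: student@example.edu
Subject: signed note

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello from Unix/Linux Security class.
- -- this line started with dashes, so it was dash-escaped
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEPLACEHOLDERPLACEHOLDERPLACEHOLDER
NOTAREALSIGNATUREBLOCK=
=abcd
-----END PGP SIGNATURE-----
yikes!
"""


def split_clearsigned(text):
    """Return the signed text, armor headers, signature block, and the leading
    and trailing bytes that fall outside the delimiters and are never checked."""
    lines = [l.rstrip("\r") for l in text.split("\n")]
    try:
        b = lines.index(BEGIN_MSG)
        s = lines.index(BEGIN_SIG, b)
        e = lines.index(END_SIG, s)
    except ValueError:
        raise ValueError("no complete clearsigned block found") from None
    i = b + 1
    headers = []
    while i < s and lines[i].strip():        # "Hash: SHA256" style armor headers
        headers.append(lines[i])
        i += 1
    if i < s:
        i += 1                               # the blank line that ends the headers
    # Lines beginning with '-' were dash-escaped ("- ") on output; undo that,
    # because the signature is over the original, unescaped text.
    body = [l[2:] if l.startswith("- ") else l for l in lines[i:s]]
    return {
        "ignored_before": "\n".join(lines[:b]),
        "hash_headers": headers,
        "signed_text": "\n".join(body),
        "signature_block": "\n".join(lines[s + 1:e]),
        "ignored_after": "\n".join(lines[e + 1:]),
    }


def canonical_signed_data(signed_text):
    """The bytes the signature hash is computed over: trailing spaces and tabs
    stripped from each line, lines joined with CR LF, and no line ending after
    the final line (RFC 4880 s.7.1)."""
    return "\r\n".join(l.rstrip(" \t") for l in signed_text.split("\n")).encode()


def signed_text_unchanged_after_append(text, garbage):
    """True when appending `garbage` after the armor leaves the signed text as is,
    which is why `echo garbage >> clearsigned_file` does not break gpg --verify."""
    return (split_clearsigned(text)["signed_text"]
            == split_clearsigned(text + garbage)["signed_text"])
```

Run `split_clearsigned(SAMPLE)` and compare `ignored_after` with `signed_text`: the appended “yikes!” never reaches the hash. A detached .sig has no such delimiters; gpg hashes the entire named file, which is why the same append breaks that verification.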
yum repository configuration files on your host (/etc/yum.repos.d/*.repo, plus the [main] section of /etc/yum.conf). Which repos (if any) are configured to require gpg signatures for packages (gpgcheck=1)? Which ones (if any) don't require gpg signatures (gpgcheck=0, or no gpgcheck line at all, in which case the [main] setting applies)? Where does your system store the public gpg keys needed for your yum repositories? (The gpgkey= line in each repo section says where yum fetches them from; rpm -q gpg-pubkey lists the keys already imported into the RPM database.)
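The repo audit above can be scripted. The following is added example code for this page, not part of yum or dnf: it parses the INI-style .repo format with the standard library, reports which repos would install packages without a signature check, and lists where each repo's key comes from. The .repo text is a constructed sample covering the three cases you will meet; `audit_host()` reads the real files at the default paths when run on a host.

```python
"""Audit yum/dnf repo files for gpgcheck and gpgkey settings.
Added example code for this page, not part of yum or dnf."""
import configparser
import glob

# Constructed sample: one repo that checks signatures, one that explicitly does
# not, and one with no gpgcheck line (so the [main] value from yum.conf applies).
SAMPLE_REPO = """\
[base]
name=Example Base (constructed sample)
baseurl=https://mirror.example.com/el/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Example
       https://mirror.example.com/keys/RPM-GPG-KEY-Example-2

[extras-nocheck]
name=Example Extras (signatures explicitly not checked)
baseurl=https://mirror.example.com/el/$releasever/extras/$basearch/
enabled=1
gpgcheck=0

[inherits-main]
name=No gpgcheck line at all
baseurl=https://mirror.example.com/el/$releasever/misc/$basearch/
enabled=0
"""

TRUE_WORDS = {"1", "yes", "true", "on"}   # boolean spellings yum and dnf accept


def _bool(raw, default):
    return default if raw is None else raw.strip().lower() in TRUE_WORDS


def parse_repo_text(text, default_gpgcheck=False):
    """Map repo id -> {enabled, gpgcheck, gpgkey}. `default_gpgcheck` is the
    [main] value from yum.conf; both yum and dnf ship with it off when unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    repos = {}
    for repo in cp.sections():
        sec = cp[repo]
        repos[repo] = {
            "enabled": _bool(sec.get("enabled"), True),
            "gpgcheck": _bool(sec.get("gpgcheck"), default_gpgcheck),
            "gpgkey": sec.get("gpgkey", "").split(),   # one or more URLs
        }
    return repos


def unsigned_repos(repos):
    """Repo ids whose packages would be installed without a signature check."""
    return sorted(r for r, v in repos.items() if v["gpgcheck"] is not True)


def key_sources(repos):
    """Where yum fetches each repo's public key from; file:// URLs usually point
    under /etc/pki/rpm-gpg/, and imported keys show up in `rpm -q gpg-pubkey`."""
    return {r: v["gpgkey"] for r, v in repos.items() if v["gpgkey"]}


def audit_host(repo_glob="/etc/yum.repos.d/*.repo", yum_conf="/etc/yum.conf"):
    """Read the real configuration of this host (paths are the yum defaults)."""
    main = configparser.ConfigParser(interpolation=None, strict=False)
    main.read(yum_conf)
    default = _bool(main.get("main", "gpgcheck", fallback=None), False)
    repos = {}
    for path in sorted(glob.glob(repo_glob)):
        with open(path, encoding="utf-8", errors="replace") as f:
            repos.update(parse_repo_text(f.read(), default))
    return repos
```

A repo with gpgcheck missing is only as safe as /etc/yum.conf makes it, which is why the audit treats it as unsigned unless [main] says otherwise.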
md5sum, sha1sum, and gpg to encrypt and sign a file:
echo 'Hello from Unix/Linux Security class.' > secret.txt
echo 'Secret text file for crypto project, CTS-2311' >> secret.txt
Save the MD5 checksum of secret.txt in the file secret.txt.md5 (the whole output of running md5sum, which is the same sum-and-file-name format as above). Repeat with sha1sum, saving the checksum in the file secret.txt.sha1. What were the two checksums?
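The checksum files asked for here, and the tampered-tarball check in the first part of the project, both come down to writing and reading the one-line md5sum/sha1sum format (hex digest, then two spaces or a space and an asterisk, then the file name). The following is added example code for this page, not coreutils: it produces such lines, parses them back (including GNU's backslash-escaped names), verifies a checksum file the way `sha1sum -c` does, and in `demo()` repeats the “append yikes! and re-check” experiment on a constructed stand-in for the tarball.

```python
"""Write and verify md5sum/sha1sum-format checksum files.
Added example code for this page, not coreutils."""
import hashlib
import hmac
import os
import tempfile

# sha1sum -c knows its algorithm from the tool name; here the digest length says it.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_line(base_dir, name, algo="sha1", binary=False):
    """One line as `sha1sum name` (or `sha1sum -b name`) prints it, run inside base_dir.
    Names holding a backslash or newline are escaped and the line prefixed with '\\'."""
    digest = file_digest(os.path.join(base_dir, name), algo)
    prefix = ""
    if "\\" in name or "\n" in name:
        prefix, name = "\\", name.replace("\\", "\\\\").replace("\n", "\\n")
    return f"{prefix}{digest} {'*' if binary else ' '}{name}"


def _unescape(name):
    out, i = [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):
            out.append({"n": "\n", "\\": "\\"}.get(name[i + 1], name[i + 1]))
            i += 2
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def parse_checksum_line(line):
    """Parse one line into (algo, hexdigest, name, binary); None for blanks and comments."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    escaped = line.startswith("\\")
    if escaped:
        line = line[1:]
    digest, sep, rest = line.partition(" ")
    if not sep or len(rest) < 2 or rest[0] not in " *":
        raise ValueError(f"malformed checksum line: {line!r}")
    try:
        bytes.fromhex(digest)
    except ValueError:
        raise ValueError(f"digest is not hex: {digest!r}") from None
    algo = ALGO_BY_HEXLEN.get(len(digest))
    if algo is None:
        raise ValueError(f"unrecognised digest length {len(digest)}")
    name = rest[1:]
    return algo, digest.lower(), _unescape(name) if escaped else name, rest[0] == "*"


def verify_checksum_file(sums_path, base_dir):
    """Return {name: 'OK' | 'FAILED' | 'FAILED open or read'}, like `sha1sum -c`."""
    results = {}
    with open(sums_path, encoding="utf-8") as f:
        for line in f:
            parsed = parse_checksum_line(line)
            if parsed is None:
                continue
            algo, expected, name, _binary = parsed
            try:
                actual = file_digest(os.path.join(base_dir, name), algo)
            except OSError:
                results[name] = "FAILED open or read"
                continue
            results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo():
    """The tamper experiment from the project: check, append 'yikes!', check again."""
    name = "gnupg-2.1.9.tar.bz2"          # constructed stand-in, not the real tarball
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"pretend this is the tarball\n" * 100)
        sums = os.path.join(d, name + ".sha1")
        with open(sums, "w", encoding="utf-8") as f:
            f.write(checksum_line(d, name, "sha1") + "\n")
        before = verify_checksum_file(sums, d)[name]
        with open(os.path.join(d, name), "ab") as f:
            f.write(b"yikes!\n")
        after = verify_checksum_file(sums, d)[name]
    return before, after
```

`demo()` returns `("OK", "FAILED")`: unlike an inline gpg signature, a checksum has no delimiters, so any appended byte changes the digest.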
Encrypt secret.txt with symmetric (passphrase-based) encryption, in ASCII-armored text format, producing the file “secret.txt-sym.asc”. Use the password “secret”. What was the exact command line you used?
What is the default symmetric encryption algorithm used? (It has changed between gpg releases, so check what your version actually used, for example with gpg --list-packets on the output file, rather than assuming.) What would be the command line option to use AES encryption with gpg instead of the default algorithm?
Now encrypt “secret.txt” using public-key encryption, in text (ASCII) format, with the name “secret.txt.gpg.asc”. Did that work? If so, what was the exact command line you used to do this? If not, what is the most likely reason?
Export your public key to the file “your name.key”.
Sign “secret.txt”, using a plaintext (ASCII), detached signature in the file “secret.txt.sig”. What was the exact command line used?
Verify that signature. Then modify “secret.txt” (say with “echo oops >>secret.txt”), and verify again. What is the output this time?
Generate a password hash of the word “secret”, suitable for use in the /etc/shadow file as a password. (That is, so you could copy the output of the command, and paste it into the password field of /etc/shadow, and it should work, but don't do that.) What is the exact command line used? What is the password hash generated?
#!/bin/sh -
# Adapted from https://serverfault.com/questions/330069
# ("how-to-create-an-sha-512-hashed-password-for-shadow"), updated for Python 3.
# Caveat: a password given as a command-line argument is visible in `ps` and in
# your shell history; the script at least passes it to python on stdin.
if [ $# = 0 ]
then
    echo "Usage: ${0##*/} <password>" >&2
    exit 1
fi
# crypt.mksalt() draws a random 16-character salt from a secure source. The crypt
# module is deprecated since Python 3.11 and removed in 3.13; there, `openssl
# passwd -6` produces the same $6$ format.
printf '%s' "$*" | python3 -c "\
import crypt, sys
print(crypt.crypt(sys.stdin.read(), crypt.mksalt(crypt.METHOD_SHA512)))"
Using that script, generate a SHA512 hash of the word “secret”, suitable for use in the /etc/shadow file as a password. What is the password hash generated? (Because the salt is random, the hash differs on every run; only the “$6$” prefix, the salt-then-hash layout and the 86-character hash length stay the same.)
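To see what the “$6$salt$hash” string produced by that script actually is, here is SHA-512 crypt implemented from the published sha-crypt algorithm on top of hashlib. This is added example code for this page, not glibc's or Python's crypt module, and it also works on Python releases where that module has been removed. It reproduces the algorithm's own test vector, generates a shadow-style entry with a fresh random salt as `shadow_hash()`, and checks a candidate password against an existing entry with a constant-time comparison in `verify_password()`.

```python
"""SHA-512 crypt ($6$) for /etc/shadow, from the sha-crypt specification.
Added example code for this page, not glibc's crypt(3) or Python's crypt."""
import hashlib
import hmac
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS, MIN_ROUNDS, MAX_ROUNDS = 5000, 1000, 999_999_999


def _b64_24bit(b2, b1, b0, n):
    """crypt's own base64: n characters, least significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _repeat_to(block, length):
    return (block * (length // len(block) + 1))[:length]


def sha512_crypt(password, salt, rounds=None):
    pw, salt = password.encode(), salt[:16].encode()   # salt is capped at 16 characters
    r = DEFAULT_ROUNDS if rounds is None else max(MIN_ROUNDS, min(rounds, MAX_ROUNDS))
    b = hashlib.sha512(pw + salt + pw).digest()          # digest B
    a = hashlib.sha512(pw + salt)                         # digest A: password, salt, ...
    n = len(pw)
    while n > 64:                                         # ... B once per 64 bytes of password
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(pw)
    while n:                                              # ... then B or password per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _repeat_to(hashlib.sha512(pw * len(pw)).digest(), len(pw))          # P sequence
    s = _repeat_to(hashlib.sha512(salt * (16 + a[0])).digest(), len(salt))  # S sequence
    c = a
    for i in range(r):                                    # the slow part: r chained digests
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = []
    for k in range(21):                                   # 63 bytes as 21 permuted triples
        i, j, l = k, k + 21, k + 42
        if k % 3 == 1:
            i, j, l = j, l, i
        elif k % 3 == 2:
            i, j, l = l, i, j
        out.append(_b64_24bit(c[i], c[j], c[l], 4))
    out.append(_b64_24bit(0, 0, c[63], 2))                # and the last byte on its own
    rounds_field = "" if rounds is None else f"rounds={r}$"
    return f"$6${rounds_field}{salt.decode()}${''.join(out)}"


def shadow_hash(password, rounds=None):
    """What the script above prints: a fresh random 16-character salt each time."""
    return sha512_crypt(password, "".join(secrets.choice(B64) for _ in range(16)), rounds)


def verify_password(password, hashed):
    """Check a candidate against an existing $6$ field, e.g. one read from /etc/shadow."""
    parts = hashed.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "6":
        return False
    rounds = None
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        del parts[2]
    if len(parts) != 4:
        return False
    return hmac.compare_digest(sha512_crypt(password, parts[2], rounds), hashed)
```

The salt is part of the stored field, so verifying never needs it from anywhere else; raising `rounds` is the only tunable cost, and a hash records the value it was made with.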
Read the man pages for the commands (and file formats) used, and don't forget to search Internet resources on how to use these tools. There are some “cook-book” resources on our class web page at #SecTools you should find useful, and additional examples in the class lecture notes.
A description of each task you performed and the answers to the questions asked above, as well as the various files you created in part 2. You can send as email to (preferred). If email is a problem for some reason, you may turn in a hard-copy. In this case the pages should be readable, dated, and stapled together. Your name should appear on the first page.
Don't turn in your whole journal, just a copy of the relevant sections. It is common in fact to keep the journal as a text file on the system (with a paper backup of course).
Please see your syllabus for more information about submitting projects.