Work done by CHEBBAH Mehdi

Table of Contents

Introduction

In this tutorial we will implement a hybrid secure exchange protocol that guarantees the following security services:

• Confidentiality of the exchange .
• Integrity of the exchanged data.
• Non-repudiation of the sender.

For this we will try to implement the system whose design has been previously established:

Implementation

Concerning this part, we will divide it into 3 phases:

Phase 1: Creation of key pairs

In this phase each of the two protagonists will create their own key pair a public key and a private key (PKi and SKi)

1. Script for creating key pairs

x
1
#!/bin/bash
2
​
3
# Ask the user to type the password
4
read -sp 'Entrez le mot de pass: ' mypass
5
​
6
# Generate a private key for RSA (skA.pem) then encrypt it using the DES algorithm and the password 'mypasswd'
7
openssl genrsa -out skA.pem -passout pass:$mypass -des 512
8
​
9
# Generation of the public key (pkA.pem) associated with the private key (skA.pem)
10
openssl rsa -in skA.pem -passin pass:$mypass -out pkA.pem -pubout

Obtained results:

1. Creation of two files skA.pem and pkA.pem in the current directory (of Alice)

Re-execute the script in Bob's directory changing skA.pem and pkA.pem to skB.pem and pkB.pem respectively.

Note:

• Each one can publish his public key in the unsecured channel. (copy the file pkX.pem)

Phase 2: Session key exchange

In the opening of the session Alice will randomly generate a session key that will be communicated to Bob, this key will be encrypted using Bob's public key, the signature will be guaranteed in this transfer (this is the role of asymmetric encryption in this hybrid system)

1. Session key generation and encryption script

xxxxxxxxxx
1
#!/bin/bash
2
​
3
# Generation of a random key of 64 bytes then save it in the kAB file
4
openssl rand 16 > kAB
5
​
6
# Encrypting the kAB file with Bob's public key 
7
openssl rsautl -in kAB -out kAB.crypt -inkey pkB.pem -pubin -encrypt
8
​
9
# Hash the kAB key with MD5 and write the result in binary format.
10
openssl dgst -md5 -binary -out kAB.md5 kAB
11
​
12
# Signature of the kAB hash by Alice's private key
13
openssl rsautl -in kAB.md5 -out kAB.md5.sign -sign -inkey skA.pem
14
​
15
# Delete kAB.md5 (temporary file)
16
rm -f kAB.md5

Obtained results:

1. Create a kAB file containing the session key.
2. Creation of a kAB.crypt file containing the kAB cryptogram.
3. Creation of a kAB.md5.sign file containing the session key's hash signature.

Note:

The two files (kAB.crypt and kAB.md5.sign) will be sent to Bob and deleted from Alice's directory

2. Decryption script and verification of non-repudiation and integrity of the session key

xxxxxxxxxx
1
#!/bin/bash
2
​
3
# Decryption of the received file kAB.crypt by the private key (skB.pem) 
4
openssl rsautl -decrypt -in kAB.crypt -out kAB -inkey skB.pem
5
​
6
# Hash of the kAB with MD5.
7
openssl dgst -md5 -binary -out kAB1.md5 kAB
8
​
9
# Verification of the signature of the received files using the public key of Alice 
10
openssl rsautl -in kAB.md5.sign -out kAB2.md5 -pubin -inkey pkA.pem
11
​
12
# Comparison of the result of the received kAB Hash and the sent kAB Hash
13
var1=$(cat kAB1.md5)
14
var2=$(cat kAB2.md5)
15
if [ "$var1" == "$var2" ]
16
    then
17
        # Deleting temporary files
18
        rm -f kAB.crypt kAB1.md5 kAB.md5.sign kAB2.md5
19
        echo "La cle a ete correctement transmis."
20
        # Display the message 'Press any key to exit' and wait for a character
21
        read -n 1 -s -r -p "Press any key to exit"
22
        exit 0 # Exit with success code
23
    else 
24
        # Deleting temporary files
25
        rm -f kAB.crypt kAB1.md5 kAB.md5.sign kAB2.md5
26
        echo "Attention, la cle a ete modifie."
27
        # Display the message 'Press any key to exit' and wait for a character
28
        read -n 1 -s -r -p "Press any key to exit"
29
        exit 1 # Exit with failure code
30
fi

Obtained results:

1. Creation of a kAB file containing the session key sent by Alice
2. display a success message ('The key has been correctly transmitted.') in case the transmission is correct (the received session key is the same as the one sent). Or the display of a failure message ('Attention, the key has been modified.') in case the sent file and the received file are different.

Phase 3: Exchange of messages

After the establishment of the two previous phases it is now possible to send messages between Alice and Bob using symmetric encryption for confidentiality and private key encryption for signature

1. Messages encryption script

xxxxxxxxxx
1
#!/bin/bash
2
​
3
# Encryption of the message (Message.txt) with the symmetric key (kAB)
4
openssl enc -des-cbc -in Message.txt -out Message.crypt -pass file:kAB
5
​
6
# Hash of the message (Message.txt) by the MD5 algorithm
7
openssl dgst -md5 -binary -out Message.md5 Message.txt
8
​
9
# Signature of the message hash with the private key of Alice
10
openssl rsautl -in Message.md5 -out Message.md5.sign -sign -inkey skA.pem
11
​
12
# Deleting intermediate files
13
rm -f Message.md5

Obtained results:

1. Creation of the file Message.crypte containing the message encrypted with the session key kAB.
2. Creation of the file Message.md5.sign containing the signature of the message hash

Note:

The two files (Message.crypt and Message.md5.sign) will be sent to Bob and then deleted from Alice's directory

2. Messages decryption script

xxxxxxxxxx
1
#!/bin/bash
2
​
3
# Decryption of the received file Message.crypt by the kAB session key using the DES algorithm and the CBC strategy
4
openssl enc -in Message.crypt -out Message.txt -pass file:kAB -d -des-cbc
5
​
6
# Verification of the signature of the files received using Alice's public key
7
openssl rsautl -in Message.md5.sign -out Msg1.md5 -pubin -inkey pkA.pem
8
​
9
# Hash the message 
10
openssl dgst -md5 -binary -out Msg2.md5 Message.txt
11
​
12
# Comparison of the result of the received kAB Hash and the sent kAB Hash
13
var1=$(cat Msg1.md5)
14
var2=$(cat Msg2.md5)
15
if [ "$var1" == "$var2" ]
16
    then
17
        # Deleting temporary files
18
        rm -f Message.crypt Msg1.md5 Message.md5.sign Msg2.md5
19
        echo "Le message est transmi avec succe. Vous pouvez le consuler dans Message.txt"
20
        # Display the message 'Press any key to exit' and wait for a character
21
        read -n 1 -s -r -p "Press any key to exit"
22
        exit 0 # Exit with success code
23
    else 
24
        # Deleting temporary files
25
        rm -f Message.crypt Msg1.md5 Message.md5.sign Msg2.md5
26
        echo "Echec du transmission du message (Le message a ete modiffier)."
27
        # Display the message 'Press any key to exit' and wait for a character
28
        read -n 1 -s -r -p "Press any key to exit"
29
        exit 1 # Exit with failure code
30
fi

Obtained results:

1. Creation of the file Message.txt containing the message received from Alice.
2. Display a success message ('The message is transmitted with success. You can read it in Message.txt') in case the transmission is correct (the received message is the same as the sent message). Or the display of a failure message ('Message transmission failed (The message has been modified).') in case the sent message and the received message are different.

Note:

Bob can now read the message sent by Alice.