Part 2 - Key Generation - Secret and Authentic Channels

During Part 1 we setup and tested the Java environment running a simple distributed system composed by a client and a server.
Review Task 0 and Task 1 if you do not remember how to compile and run Java programs using the AnBxJ library.

We are working in this folder

To use the scripts on this page, the environmental variables JAVA_HOME and PATH must be set are described in Task 0.
Download the following command files (they will help you to compile and run the programs):

• on Windows
  • make.cmd
  • run_server.cmd
  • run_client.cmd
• on Linux
  • make.sh
  • run_server.sh
  • run_client.sh

After downloading these files, double check that the extension of is .cmd/.sh (sometimes the browser may change it to .cmd.txt)

TASK 1 - Key generation

We are going to create RSA (2048 bits) keypairs (private and public) for alice and bob; keys will be stored on keystore of type PKCS12.

• create a folder keygen inside
• download the following files:
  • on Windows
    • keygen.cmd
    • keyexport.cmd
    • keyimport.cmd
    • certexport.cmd
  • on Linux, in order to execute the scripts you need to change the permissions (e.g. chmod +x scriptname).
    
    • keygen.sh
    • keyexport.sh
    • keyimport.sh
    • certexport.sh
• open these files and look at the code. Identify the variables that set the agent's alias and keystore name and password
• run the following commands (after each one, look at the content of the folder and see which files are created/updated)
  use extension .sh if using the Linux scripts
  • keygen alice to create alice's keys
  • keyexport alice to export alice's public key
  • create now bob's keypair and export his public key
  • keyimport alice bob to import bob's public key into alice's public keystores
  • list the keys into alice keystores (when asked for the password enter alicepassword - this is only for testing purpose)
    • keytool -keystore alice_enc.public -list -v
  • import alice's publickey into bob's public keystore
  • run certexport alice to export alice's CSR (Certificate Signature Request)
  • open the .csr file and check if it is valid
    https://redkestrel.co.uk/tools/decoder
• repeat the same for bob CSR
• You can repeat the same process to generate keys similarly to the keystore folder described in the next task.
  • For each agent, you will need to create 2 files for each key "type" (purpose): enc, sig, hmc, tls (it requires a simple adaptation of the above scripts).
  • For each agent, create a .pwd file containing the keystores' passwords. Default password: <alias>password, e.g. alicepassword
    As a example follow the model used in the file alice.pwd.

TASK 2 - Configure the keystores for this tutorial

• download the file keystore.zip and expand it in the folder
• there is a \keystore folder where you find several keystores
  • each agent has private and public keystores (they contain RSA keys used for different purposes: enc, sig, hmc, tls)
• the file alice.pwd  is the configuration file for alice keystores (keystores password are there)

TASK 3 - Exchanging encrypted messages (Secrecy)

• download, compile and run Tutorial_02.java (there is a server and client)
• run the client 3 times. reply with the following names "alice","bob" and your name
  • How do explain the behaviour of the program?
• try to modify the program in order to make the client to able to reply to the server with a secret message (the client needs to learn the server's name and to check if he possesses the server's public key)

TASK 4 - Digitally signing messages (Authentication)

• download, compile and run Tutorial_03.java (there is a server and client)
• run the client 3 times. reply with the following names "alice","bob" and your name
  • How do explain the behavior of the program?
• think on how to improve the program. Can the server check the incoming data? hint: look at (<servername>,<timestamp>) message

TASK 5 - (optional)

• try to build a program that combines task 3 and task 4 (a secret exchange followed by an authenticated exchange)

TASK 6 - (optional)

• try running these programs with the keys you created on task 1 (hint: you need to configure your keygen folder similarly to the keystore folder and create a config files (e.g. alice.pwd) for each agent.