Security Tutorial (Java/AnBx)

Security Programming, Protocol Verification and Code Generation
Paolo Modesti -

Part 4 - Implementation of a Public Key Infrastructure (PKI)

The certificates generated in part 2 are self-signed. This means that they are signed with the private key of the same entity whose identity it certifies.
This does not provide any guarantee about the identity of the owner of the certificate (unless you trust him/her).
In a PKI setting, a digital signature from a trusted third party (a certificate authority) will attest the validity of a public key and its certificate.

We will create a certificate authority (CA) that will sign the certificates of all agents. Each agent will need to trust only the CA.

TASK 1 - Set up a Certificate Authority (CA)

We are going to use CFSSL to set up a Certificate authority.
Read some documentation about CFSSL: 1 and 2.

To initialize the CA you need to specify some parameters in configuration file which is in a JSON format.
A sample of a JSON file is available along with the package containing CFSSL from Windows
If you are using another operating system you can download binaries from here.

Generating self-signed root CA certificate and private key

 To generate a self-signed root CA certificate, specify the key request as а JSON file.

cfssl genkey -initca ca.json | cfssljson -bare ca

Three PEM-encoded entities will appear in the output: the private key, the CSR, and the self-signed certificate.

TASK 2 - Signing agent's certificate

Try signing the certificates you have generated in part 2. Follow these examples as guidance (you may need to adjust the paths!)
If you do not have the keystore you created in part2 you may use this one (containing self-signed certificates).

Signing alice CSR with CA key/cert piped to alice.pem

cfssl sign -ca ca.pem -ca-key ca-key.pem -hostname alice alice_enc.csr | cfssljson -bare alice_enc

Prints out some certificate info from the PEM

cfssl-certinfo -cert alice_enc.pem

TASK 3 - Import CA certificate in agent's keystore

This is similar to what you have done on part 2. Check the content of the keystore to verify that the certificate is imported as expected.

TASK 4 - Import Agent's certificates in agent's keystores

Again, this is similar to what you have done on part 2. Check the content of the keystore to verify the the certificate is imported as expected.
You could try to build you own script to automatize the process.
Hints: you may need to concatenate the self-signed certificate issued by the CA.
Moreover, you may need to remove the previous key, as you cannot have two keys with the same alias in a key store.

TASK 5 - Running protocols

There are two set of key stores available for download:
- the first one is with certificates already signed by CA
- the second one is with self-signed certificates.

Experiment running some of the examples of part 2 and 3 with the first one, the second, or mix (Alice from first and Bob from second).
Do you see something interesting? Report it to the instructor.

TASK 6 - Run CFSSL as a server (optional)

It is possible to run CFSSL as a http server.
Read the documentation here and try it.