Assignment 3 (Lab 1) - Exploring Symmetric Key Encryption Modes

Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: daixieit

Assignment 3 (Lab 1) - Exploring Symmetric Key Encryption Modes

All tasks in this assignment are based on Labtainer - Symmetric Key Lab tasks and you should visit the original lab website for more information: https://nps.edu/web/c3o/labtainers

Environment Setup

To complete this lab assignment and future Labtainer lab assignments, you need to either import and install a pre-built virtual machine image or install a framework on an existing Linux host (e.g., a Linux VM). You can follow the section “Labtainer Student and Instructor Downloads” on the original lab website (https://nps.edu/web/c3o/labtainers) and refer to the “Labtainer Student Guide” document (provided on CANVAS) for more information on how to set up the environment for the lab.

Getting Started

Once you have your environment set up for this lab, boot your Linux system or VM. If necessary, log in and then open a terminal window and cd to the labtainer/labtainer-student directory. The pre-packaged Labtainer VM will start with such a terminal open for you. Then start the lab:

labtainer symkeylab

Note the terminal displays the paths to two files on your Linux host:

1) This lab manual

2) The lab report template

For this assignment, please ignore the two files provided and use this document as the lab manual. Please complete the report template provided on Instructure and use it as your submission.

Familiarize yourself with questions in the lab report template before you start.

In this lab, you will explore the concept of encryption modes and their properties. To perform this exploration, you will be using an open-source encryption product known as OpenSSL. You will explore the properties of these modes, seeing a visual representation of the state of the ciphertext, and exploring error propagation during decryption in these various modes.

Note: You can use the commands “man openssl” and “man enc” to get additional help on how to use the openssl command line tool. Appendix A contains a quick reference sheet of commonly used Unix commands and appendix B explains hexadecimal.

Appendix D describes the BMP image format, which is helpful to understand when performing the ECB portion of this lab.

Task 1: Warm-up: Encrypt and then decrypt a file (any file) [10 marks]

In this task you are only getting used to the syntax of the openssl command.

Do the following:

1. Create a text file with some small amount of content by either using an editor (e.g., leafpad) or the combination of the echo command and redirection (‘>’).

2. To encrypt the text file as “cipher.txt” type:

openssl CIPHER -e -in plain.txt -out cipher.txt -K KEY -iv IV

replacing:

● CIPHER with a specific cipher and CBC mode of operation, e.g. aes-128-cbc. (To see all the options use “man enc”).

● plain.txt is the name of the plain text file you just created

● cipher.txt is the name of the output file which will be the ciphertext

● KEY with a hexadecimal representation * of a symmetric key (your choice)

● IV with a hexadecimal representation * of an initialization vector (your choice)

* For hexadecimal representation of chosen KEY and IV strings, you will need to use string to hex converter, for example xxd.

$ echo "secretkey" | xxd -p

7365637265746b65790a

The KEY and IV strings should identify you or your group while performing tasks in this lab. A good example can be KEY=group4key and IV=group4iv

Be sure to use the -K option, and not the -k option. The latter may not produce an error but may cause issues later in the lab.

3. Observe the ciphertext you’ve created using cat, more, less or leafpad.

4. You should have observed that the encrypted file is gibberish that will not always display well. To see the actual hex values of the ciphertext, enter the following:

hexdump –C FILENAME

5. List the contents of the directory using the long option (i.e., enter “ls –l”) to see the sizes for your original file and the encrypted file.

6. You can decrypt the ciphertext you’ve created using the following command. Be sure to output to a new plaintext file, and not overwrite the original plaintext.

openssl CIPHER -d -in cipher.txt -out plainmod.txt -K KEY -iv IV

7. Compare the decrypted plaintext with the original plaintext using the diff command, as shown below (replacing ORIGINAL and UNENCRYPTED with the file names you used):

diff -a plain.txt plainmod.txt

[Note: if the two files are different then you did something wrong. If diff returns nothing, then there were no differences, which is what you would expect.]

Task 2: Encryption Modes [25 marks]

In this task, you will explore the differences in security attained by several modes of encryption.  You will use a web browser on your host Linux system (to view files that you create and modify on the “symkeylab” computer.  You will have noticed that the symkeylab computer contains a “index.html”and “nps-logo.bmp” file.  To see the page, start the firefox browser using this command:

./start_firefox &

You will see the NPS logo, the (nps-logo.bmp file), and a broken link to a modified version of the logo, (a nps-logo_mod.bmp file that you will be creating).

1. ECB Mode

a. Observe the NPS logo.

b. Encrypt nps-logo.bmp using AES in ECB mode (with the option aes-128-ecb) to create a ciphertext (Name your ciphertext as “nps-logo_mod.bmp”.  [Because ECB mode does not require an IV, you do not need to provide one.]

c. List the contents of the directory using the long option to see the sizes for the plaintext logo file and the encrypted file.

Note: When you refresh the page in the web browser, it fails to display the modified file because it does not recognize it as a valid image.

d. You can visualize the ciphertext by tricking a browser into thinking that the encrypted file is still a valid image file. To do this, you need to do a little “preprocessing” to make the file viewable.

BMP images have a 54-byte header that informs the image viewer about the image, such as the image size, and its dimensions. You need to replace the encrypted BMP header in the ciphertext you created with a valid BMP header from nps-logo.bmp.

To replace the 54-byte header with one command, do the following:

dd if=nps-logo.bmp of=nps-logo_mod.bmp bs=1 count=54 conv=notrunc

e. After modifying the header, go back to the web browser and refresh the web page to view the encrypted image.

2. CBC, CFB, and OFB Modes

a. Encrypt, individually for each of the modes, nps-logo.bmp again, but this time use CBC, CFB and OFB modes to create a ciphertext (with the aes-128-* option). [This time you need to provide an IV.]

b. List the contents of the directory using the long option to see the size of the ciphertext file you just created.

c. Using the dd command described above, modify the header of the new ciphertext to have the same 54 bytes as the original BMP file.

d. View the encrypted ciphertext using the web browser refresh.

Task 3: Error Propagation During Decryption [25 marks]

This task will help you develop an understanding of the ability of various cipher modes of operation to recover from corruption. You will encrypt a text file in two different modes, change a single bit in the middle of the encrypted file, decrypt the corrupted file, and then view the effects of the corrupted bit on the plaintext file.

1. Introduction

a. List the contents of the directory using the long option so you can see the size of the declare.txt file (in bytes).

If each character in a text file is represented in ASCII format, where each character is represented in one byte, how many characters does it take to fill up an AES block? Write your answer in item 20 of the report.

2. ECB Mode

a. Encrypt declare.txt using AES-128 in ECB mode (with the aes-128-ecb option).

b. Open the encrypted file using ghex, as shown below, replacing ENCRYPTEDFILE with the name you chose (alternately, use hexedit as described in Appendix E):

ghex ENCRYPTEDFILE

c. Select Edit > Goto Byte and enter 0x1230, to take you to near the middle of the encrypted file. You should end up with “0x1230” as the “Offset:” in the lower left of the GHex window, and the cursor highlighted on the first of two hex characters reflecting the value stored at address as in the following figure. 

Note the addresses displayed on the left side may differ on your display, but the highlighted byte should correspond to address 1230.  Change the right-most digit of this pair such that only one bit is modified. Refer to the table in Appendix C to determine whether to change the hex digit up or down * to ensure that only one bit is modified in the ciphertext.

Save the change when you are done and then exit the hex editor.

* PS: Changing 7(0111) to 8(1000) changes 4 bits. So, prefer changing 7(0111) to 6(0110).

d. Decrypt the ciphertext without overwriting the original file.

e. Use the diff command (with the “-a” option, as shown earlier) to show where the original file is different from the decrypted file.

3. CBC Mode

a. Encrypt declare.txt again using AES-128 in CBC mode (with option aes-128-cbc).

b. Use ghex again to modify the ciphertext in the same location such that only one bit is modified.

c. Decrypt the ciphertext without overwriting the original file.

d. Use the diff command (with the “-a” option, as shown earlier) to show where the original file is different from the decrypted file.

Submission

After finishing the lab, go to the terminal on your Linux system that was used to start the lab and type:

stoplab symkeylab

When you stop the lab, the system will display a path to the zipped lab results on your Linux system.  For this assignment, you do not need to submit the zipped file. Instead, please complete the lab report template provided on the Instructure, answer all the questions, include the screenshots and commands you used, and submit it as your result.