Hello dear,
I joined these group so that l can get assistance for my research work.
Up till now, l have not been able.
Here is my problem.
My Project is an Msc Research on HTTPS Man-In-The-Middle (MITM) Attack using a Compromised Certificate Authority.
Now I am going to be very elaborative so that you can read my mind and understand what I want to achieve.
I have a Journal base paper am already working on. The author designed a new HTTPAS (HTTP Active Secure) … These are the major work he did on his project. He designed a HTTPAS framework that will enhance Client-Server web Authentication and make the web authentication more comprehensive incase a MITM attacker has compromised one or few Certificate Authorities.
Note: The MITM attacker has different vantage point and different attacking patterns. For the
man-in-the-middle variant ①, the vantage point is close to the victim web user (e.g. a gateway or a wireless access point of the victim user is compromised by man-in-the-middle attackers), and
the attackers can blindly hijack all the HTTPS connections from the victim user to any remote web sites (i.e. the attacking pattern is non-selective hijacking).
Another Variant 2 takes the case that the vantage point is nearby web servers. This variant is harder to detect than the others, because nearly all the Internet paths to the victim web server necessarily pass through the vantage point.
Look at his designs
He designed a client-side countermeasure which enables a web user to actively collect site certificates from n different web sites. A man-in-the-middle attack can be confirmed if these n certificates are issued from less than μ CAs. (This countermeasure is based on a key insight that a large number of site certificates from different Internet domains are unlikely issued by the same CA, only if a man-in-the�middle variant is launched with a single compromised CA.)
He also designed another Client-side countermeasure by enabling web users to actively collect site certificates from other web servers of the same web site. The key insight of this countermeasure is that popular web sites usually deploy a large distributed system of servers across the Internet to serve end users from different regions for high availability and performance (i.e. content delivery network or CDN in short). These web servers are likely to use the certificates issued from the same CA, while the man-in-the-middle vantage point near one web server is unlikely to be close to others, especially the ones located in a different geographical region.
Concerning his implementations, please read very well…. “We evaluate these performance overheads
by implementing a prototype of HTTPAS using OpenSSL stacks. Our HTTPAS prototype runs additional certificate collection and verification tasks in a parallel manner. We achieve this parallel solution by exploiting the C++ multi-threading programming. We conduct the performance evaluation by running our HTTPAS prototype implementation in a virtual machine and a real machine, both of which are located in our laboratory with 8-core 2.67 GHz central processing unit and 6 GB memory. We use the virtual machine for HTTPAS performance evaluation due to a very practical reason: lots of modern web sites are now hosted by cloud computing environments, where virtual machines are the web servers running behind.
Dear friends, l need help, even though,it might require some financial involvement. I all respect that. I want to replicate this work and also improve it
On Apr 20, 2018 3:46 AM, "Scott Wisniewski" <swisniewski@xxxxxxxxxxxxxx> wrote:
FYI:If you provide an genrsa implementation in your engine that doesn't include the private parameters, even if it's marked with RSA_FLAG_EXT_PKEY, the openssl executable will not handle it correctly.That's because genrsa_main assumes that the object that comes back is an rsa private key. So it will attempt to save a PEM encoded RSA private key even though it doesn't have the private key fields and openssl won't be able to open the saved file.So, if you want to enable use of the openssl executable with genrsa being supported by your engine, you will actually need to modify apps/genrsa.c So that genrsa_main does:if (RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) == RSA_FLAG_EXT_PKEY) {
if (! PEM_write_bio_RSA_PUBKEY(out, rsa))
goto end;
}
else {
if (!PEM_write_bio_RSAPrivateKey(
out, rsa, enc, NULL, 0, (pem_password_cb *)password_callback,
&cb_data))
goto end;
}
instead of:if (!PEM_write_bio_RSAPrivateKey(
out, rsa, enc, NULL, 0, (pem_password_cb *)password_callback,
&cb_data))
goto end;
And then it will save the key you generated in public key pem format. which will allow openssl to read it.One thing to note:None of the open source engines I checked (neither the PCKS11 engine, the NCipher engine, nor the CAPI engine) implement the genrsa hook. If you are looking for wide compatibility you may wish to ask your clients to do key generation using an external utility (as that's how almost everyone else does it).On Fri, Apr 13, 2018 at 5:28 PM, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:Thanks. I went and read the RSA page on Wikipedia, and sure enough itOn Fri, Apr 13, 2018 at 2:55 PM, Richard Levitte <levitte@xxxxxxxxxxx> wrote:
> In message <CAFftDdqWPXq1+Mo9_6J0EzhZ4uwg5QC=R5fx8N1j=QYchA8+YQ@xxxxxxx ail.com > on Fri, 13 Apr 2018 09:17:28 -0700, William Roberts <bill.c.roberts@xxxxxxxxx> said:
>
> bill.c.roberts> I am currently working on writing an openssl engine
> bill.c.roberts> to interface with a piece of hardware.
> bill.c.roberts>
> bill.c.roberts> I am trying to understand how to implement
> bill.c.roberts> rsa key generation, where the private key
> bill.c.roberts> bytes would not be available.
> bill.c.roberts>
> bill.c.roberts> I am currently invoking the
> bill.c.roberts> command:
> bill.c.roberts>
> bill.c.roberts> openssl genrsa -engine foo
> bill.c.roberts>
> bill.c.roberts> Which is calling my callback for RSA keygen, registered via ENGINE_set_RSA()
> bill.c.roberts> and I set the flags: RSA_FLAG_EXT_PKEY.
> bill.c.roberts>
> bill.c.roberts> However, genrsa app seems to want rsa->e set here:
> bill.c.roberts> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/ genrsa.c#L291
> bill.c.roberts>
> bill.c.roberts> I can't find documentation on how to handle the keygen interface
> bill.c.roberts> for RSA.
> bill.c.roberts>
> bill.c.roberts> Can someone point me in the right direction?
>
> e and n are public components of any RSA key pair (and RSA structure
> in OpenSSL). You *must* make them available. The rest of the numbers
> are private and do not need to be part of the RSA structure that
> OpenSSL handles.
has what common meanings of what all the single letter variables
are in the RSA struct.
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
>
> Cheers,
> Richard
>
> --
> Richard Levitte levitte@xxxxxxxxxxx
> OpenSSL Project http://www.openssl.org/~levitte/
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
