Week 10

Introduction

Lecture recording here.

Lab recording here.

This week we are going to look at security issues within an operating system. We will look at the RSA encryption alorithm. We will also look at authentication and encryption with openssl.

Videos

Security	5 Steps to Secure Linux (protect from hackers)
RSA Encryption	https://www.youtube.com/watch?v=ZPXVSJnDA_A
OpenSSL	Encryption and decryption with openssl

Quiz

Quiz 8 will be on OpenSSL. Study from the following: ssl server client programming using openssl in c

Lecture Material

Chapters 15 and 16 of Operating System Concepts
Chapter 38 of The Linux Programming Interface
The article: RSA Algorithm in Cryptography
The article: ssl server client programming using openssl in c
The article: Everything You Need To Know About Diffie-Hellman Key Exchange Vs. RSA

Labs

Lab 7 (March 24) - Semaphores with Shared Memory.
Lab 8 (March 31) - RSA Encryption/Decryption.

Assignment

Assignment 1.
Assignment 2.

Public Key Encryption Systems

Name of the Algorithm	Short Description of the Algorithm	Efficacy
RSA (Rivest-Shamir-Adleman)	One of the most widely used public-key cryptosystems, based on the difficulty of factoring large integers. Commonly used for secure communications and digital signatures.	Strong at key sizes ≥2048 bits; susceptible to quantum attacks.
ECC (Elliptic Curve Cryptography)	Uses elliptic curves over finite fields for encryption, offering the same security as RSA with much smaller key sizes. Common in modern secure communications.	More efficient than RSA at smaller key sizes; resistant to many classical attacks.
ElGamal	Based on the discrete logarithm problem, commonly used for encryption and digital signatures. Forms the basis for DSA (Digital Signature Algorithm).	Secure with large key sizes; inefficient due to message expansion.
Diffie-Hellman (DH)	Used for secure key exchange rather than encryption itself, based on the difficulty of computing discrete logarithms.	Strong with long key sizes; vulnerable to MITM attacks without authentication.
DSA (Digital Signature Algorithm)	Used for digital signatures, derived from ElGamal, providing authentication and integrity verification.	Strong but requires a good random number generator; less efficient than ECC.
Paillier	A homomorphic encryption scheme that allows computations on encrypted data without decryption.	Secure but computationally expensive, mainly used in privacy-preserving applications.
McEliece	A lesser-known algorithm based on error-correcting codes, resistant to quantum attacks.	Very strong against classical and quantum attacks, but requires large key sizes.

Sample Code

RSA Encryption

The idea of RSA is based on the fact that it is difficult to factorize a large integer. The public key consists of two numbers where one number is multiplication of two large prime numbers. And private key is also derived from the same two prime numbers. So if somebody can factorize the large number, the private key is compromised. Therefore encryption strength totally lies on the key size and if we double or triple the key size, the strength of encryption increases exponentially. RSA keys can be typically 1024 or 2048 bits long, but experts believe that 1024 bit keys could be broken in the near future. But till now it seems to be an infeasible task.

Sample code that demonstrates RSA for small values can be found at: rsa.cpp.
Sample code that demonstrates RSA for larger values can be found at: rsa2.cpp.
Their Makefile can be found at: Makefile.
With rsa2.cpp, you can experiment to see how easy or difficult it is to factor n if it is derived from 2 large primes.

OpenSSL

An SSL (Secure Sockets Layer) is the standard security protocol used to establish an encrypted connection between a server and a client. After establishing the connection SSL/TLS ensures that the data transmitted between server and client are secured and intact. There are two parts to SSL. The first is the handshake, or the authentication. For this a certificate is required. The second part is the encryption of the data. To run SSL on a Linux machine, we have to first install the OpenSSL library:
$ sudo apt-get install libssl-dev

Before compiling the client and server program you will need a Certificate. You can generate your own certificate using the below command:
$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
Note: Here certificate name is mycert.pem.
Note: 1024 bit RSA might be too small. You might wish to use 2048 instead.

Here is what each option does:

1.  openssl req
    Runs OpenSSL's "req" (request) command, which is used to create and process certificate signing requests (CSRs) and certificates.

2.  -x509
    Specifies that the output should be a self-signed X.509 certificate instead of a certificate signing request (CSR).
    X.509 is the standard format for public key certificates.

3.  -nodes (No DES)
    Prevents encryption of the private key with a passphrase, making it easier to use in automated environments.
    If this option were omitted, OpenSSL would prompt for a passphrase to encrypt the private key.

4.  -days 365
    Specifies the certificate's validity period in days. In this case, the certificate will be valid for one year (365 days).
    After this period, the certificate will expire, requiring renewal or replacement.

5.  -newkey rsa:1024
    Creates a new private key along with the certificate.
    Uses RSA (Rivest-Shamir-Adleman) as the key algorithm.
    The key size is 1024 bits, which is considered insecure today. A more secure option would be 2048 or 4096 bits (rsa:2048 or rsa:4096).

6.  -keyout mycert.pem
    Saves the generated private key to the file mycert.pem.

7.  -out mycert.pem
    Saves the generated self-signed certificate to mycert.pem.
    Since the private key and certificate share the same filename (mycert.pem), they will be in the same file. 
    However, it's possible to specify different files for the private key and certificate.

Note: In the following demonstration code, you will have to generate a certificate for both the server and client. it is therefore best to keep the server and client in separate directories: client/Makefile, client/client.cpp, server/Makefile and server/server.cpp.
For notes on each function of the server, see ServerNotes.docx.
For notes on each function of the client, see ClientNotes.docx.