
CSNB414 Data and Computer Security 1

LAB 1: Symmetric Encryption

Partly taken from SEED labs http://www.cis.syr.edu/~wedu/seed/

Learning Objectives
• Apply symmetric encryption using openssl and different ciphers.

Introduction
Block cipher
• The most commonly used symmetric encryption algorithms
• Processes the plaintext input in fixed-sized blocks and produces a block of ciphertext of equal size for each plaintext block

The three most important symmetric block ciphers are the Data Encryption Standard (DES), Triple DES (3DES), and the Advanced Encryption Standard (AES).

To apply a block cipher in a variety of applications, four “modes of operation” have been defined
by NIST (FIPS 81). In essence, a mode of operation is a technique for enhancing the effect of a
cryptographic algorithm or adapting the algorithm for an application. The modes are summarized
in Table 1:

Table 1: Block Cipher Modes of Operation


| Mode | Description | Typical Application |
| --- | --- | --- |
| Electronic Codebook (ECB) | Each block of 64 plaintext bits is encoded independently using the same key. | Secure transmission of single values (e.g., an encryption key) |
| Cipher-Block Chaining (CBC) | The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. | General-purpose block-oriented transmission; Authentication |
| Cipher Feedback (CFB) | Input is processed j bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext. | General-purpose block-oriented transmission; Authentication |
| Output Feedback (OFB) | Similar to CFB, except that the input to the encryption algorithm is the preceding DES output. | Stream-oriented transmission over noisy channel (e.g., satellite communication) |
| Counter (CTR) | Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block. | General-purpose block-oriented transmission; Useful for high-speed requirements |

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) network protocols and related cryptography standards. The openssl
program is a command line tool for using the various cryptography functions of OpenSSL's
crypto library from the shell. It can be used for:
• Encryption and Decryption with various ciphers
• Calculation of Message Digests
• Creation of RSA, DH and DSA key parameters
• Creation of X.509 certificates, CSRs and CRLs
• SSL/TLS Client and Server Tests
• Handling of S/MIME signed or encrypted mail

Part 1: Encryption using different ciphers and modes


We will experiment with various encryption algorithms and modes.

1. Create the folder SN000000 in the /home/seed directory.


seed@User(10.0.2.4):~$ mkdir SN000000

2. Navigate to the folder.


seed@User(10.0.2.4):~$ cd SN000000

3. Create myfile.txt in the /home/seed/SN000000 directory.

seed@User(10.0.2.4):~/SN000000$ cat > myfile.txt

Example:

Press Ctrl + D to exit the file and return to the prompt after editing.

4. The following command is used to verify the file was created.


seed@User(10.0.2.4):~/SN000000$ ls -l myfile.txt

5. You will be using the openssl tool for this purpose. To configure and install the openssl
libraries, go to the openssl-1.0.1 folder and run the following commands.
(This step might not be needed if openssl is already configured.)
seed@User(10.0.2.4):~/SN000000$ cd /home/seed/openssl-1.0.1
seed@User(10.0.2.4):~/openssl-1.0.1$ sudo ./config
seed@User(10.0.2.4):~/openssl-1.0.1$ sudo make
seed@User(10.0.2.4):~/openssl-1.0.1$ sudo make test
seed@User(10.0.2.4):~/openssl-1.0.1$ sudo make install

6. Use the openssl enc command to encrypt/decrypt a file.

Encrypt
seed@User(10.0.2.4):~/openssl-1.0.1$ openssl enc -aes-256-cbc -e -in /home/seed/SN000000/myfile.txt -out /home/seed/SN000000/myfile.dat
(Note, enter the above command listing on a single line.)
enter aes-256-cbc encryption password: <insert the password>
Verifying - enter aes-256-cbc encryption password: <insert the password>

Example:

openssl is the command; enc stands for encryption, -aes-256-cbc selects AES with a 256-bit
key length, -in is the input message (plaintext), -out is the output message
(ciphertext). The selection of the extension .dat is arbitrary. You could have used any
file name of your liking, provided it doesn’t exist already in your home directory.

Decrypt
seed@User(10.0.2.4):~/openssl-1.0.1$ openssl enc -aes-256-cbc -d -in /home/seed/SN000000/myfile.dat -out /home/seed/SN000000/mydecryptedfile.txt
(Note, enter the above command listing on a single line.)
enter aes-256-cbc decryption password: <insert the password>

Below are some common options for the openssl enc command:
| Option | Description |
| --- | --- |
| -in | input file |
| -out | output file |
| -e | Encrypt |
| -d | Decrypt |

Hint: You can find the meaning of the command-line options and all the supported cipher types
by typing man enc.
| Option | Description |
| --- | --- |
| des-cbc | DES in CBC mode |
| des-cfb | DES in CFB mode |
| des-ede3-cbc | Three key triple DES in CBC mode |
| aes-128-cbc | AES 128 bit in CBC mode |
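
An added example, not part of the original lab handout: it encrypts four identical 16-byte blocks with aes-128-ecb and aes-128-cbc and counts the distinct ciphertext blocks, showing the difference Table 1 describes between encoding each block independently and chaining each block to the preceding ciphertext. The key, IV, sample plaintext and function name are constructed for the demonstration; aes-128-ecb, -K, -iv and -nopad are openssl enc features this lab does not otherwise use.

```sh
#!/bin/sh
# Added example: ECB vs CBC on a plaintext made of identical blocks.
KEY=00112233445566778899aabbccddeeff   # 128-bit key in hex (constructed)
IV=0102030405060708090a0b0c0d0e0f10    # 128-bit IV in hex (constructed)

# count_distinct_blocks MODE -> number of distinct 16-byte ciphertext blocks
# MODE is "ecb" or "cbc".
count_distinct_blocks() {
    mode=$1
    tmp=$(mktemp -d) || return 1
    # Constructed plaintext: the same 16-byte block written four times.
    i=0
    while [ "$i" -lt 4 ]; do
        printf 'SIXTEEN BYTE BLK'
        i=$((i + 1))
    done > "$tmp/plain.bin"
    # -K gives the raw key in hex (no password), -nopad keeps exactly 4 blocks.
    if [ "$mode" = ecb ]; then
        openssl enc -aes-128-ecb -e -nopad -K "$KEY" \
            -in "$tmp/plain.bin" -out "$tmp/cipher.bin" || return 1
    else
        openssl enc -aes-128-cbc -e -nopad -K "$KEY" -iv "$IV" \
            -in "$tmp/plain.bin" -out "$tmp/cipher.bin" || return 1
    fi
    # od prints 16 bytes per line, so each output line is one AES block.
    od -An -v -tx1 "$tmp/cipher.bin" | sort -u | wc -l | tr -d ' '
    rm -rf "$tmp"
}

echo "ECB distinct ciphertext blocks: $(count_distinct_blocks ecb)"
echo "CBC distinct ciphertext blocks: $(count_distinct_blocks cbc)"
```

ECB yields one distinct block because equal plaintext blocks encrypt to equal ciphertext blocks; CBC yields four.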

Part 2: Encoding using pseudo random number as a key with DES and AES
• Use OpenSSL to generate a pseudo random number, which you will use as a DES key.
• Utilize OpenSSL’s DES utility to encrypt and decrypt documents.
• Download an encrypted file.
• Create file hashes to demonstrate file integrity.

The following steps generate a 56-bit DES key. The DES key is then used to encrypt, and
decrypt, an ASCII text file. After that, SHA-1 hashes are used to demonstrate that the
decrypted file is identical to the original text file.

1. We will explore how to create a file containing a pseudo random number that is 56 bits
long. In the directory that you created, SN000000, type the following (openssl rand takes
its length argument in bytes, so 7 bytes gives 56 bits):

openssl rand -out des_keyXXXXXXXX 7

and then to see that the file was created, type:

ls -la des_keyXXXXXXXX

Recall that you need to substitute your student ID for the XXXXXXXX.
You may open your des_keyXXXXXXXX file in the GHex editor to see the 56-bit key.

2. Next, encrypt myfile.txt using DES encryption:

openssl enc -des -e -kfile des_keyXXXXXXXX -in myfile.txt -out myfile.enc
(Note, enter the above command listing on a single line.)

To make sure that the encryption operation worked, list the encrypted file:

ls -la myfile.enc

3. Now, to provide assurance that the process works appropriately, you should decrypt the .enc
file that you just created. After you decrypt the file, go ahead and list it to make sure it’s
there, and show the contents of it to ensure it properly decrypted.

openssl enc -des -d -kfile des_keyXXXXXXXX -in myfile.enc -out mydecryptedusingkey.txt
(Note, enter the above command listing on a single line.)

ls -la mydecryptedusingkey.txt

more mydecryptedusingkey.txt

4. We would expect the decrypted file mydecryptedusingkey.txt to be identical to the
file that you created, myfile.txt. Since this file was a text file, we could just list the
contents and see that they were the same. However, we would have to tediously read through
every character of the file to ensure there have not been any minor, accidental changes. You
can imagine that with a binary file, this would be painfully tedious!

Since identical files will have identical message digests, you can prove that the files are
identical by creating and comparing each file’s message digest. Enter the following
command, and then compare the generated digests (hashes).

openssl sha1 myfile.txt

openssl sha1 mydecryptedusingkey.txt

If both hashes are identical, this demonstrates that the decrypted file is identical to the
original text file.
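
The Part 2 procedure as an added, non-interactive example (not part of the original handout): it creates a key file, encrypts and decrypts a constructed sample file, and compares the digests printed by openssl sha1, including a case where the decrypted copy has been changed. It assumes aes-128-cbc from the cipher list above in place of -des, since single DES is not enabled by default in OpenSSL 3.x; the function and file names are constructed.

```sh
#!/bin/sh
# Added example (not from the lab handout). File names are constructed.

# rand_bytes N -> size in bytes of what "openssl rand N" writes.
# The length argument of openssl rand is a byte count, not a bit count.
rand_bytes() { openssl rand "$1" | wc -c | tr -d ' '; }

# sha1_of FILE -> hex digest only, taken from the output of "openssl sha1".
sha1_of() { openssl sha1 "$1" | sed 's/^.*= //'; }

# roundtrip_check [yes] -> prints "match" or "differ".
# Passing "yes" appends one byte to the decrypted copy to show a mismatch.
roundtrip_check() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample text for the lab\n' > "$dir/myfile.txt"
    # 7 random bytes = 56 bits. -hex keeps the key file printable, because
    # -kfile reads the first line of the file as a passphrase.
    openssl rand -hex 7 > "$dir/keyfile" || return 1
    # stderr is silenced: newer builds warn about the default key derivation.
    openssl enc -aes-128-cbc -e -kfile "$dir/keyfile" \
        -in "$dir/myfile.txt" -out "$dir/myfile.enc" 2>/dev/null || return 1
    openssl enc -aes-128-cbc -d -kfile "$dir/keyfile" \
        -in "$dir/myfile.enc" -out "$dir/decrypted.txt" 2>/dev/null || return 1
    if [ "${1:-no}" = yes ]; then
        printf 'x' >> "$dir/decrypted.txt"
    fi
    if [ "$(sha1_of "$dir/myfile.txt")" = "$(sha1_of "$dir/decrypted.txt")" ]; then
        result=match
    else
        result=differ
    fi
    rm -rf "$dir"
    echo "$result"
}

echo "openssl rand 7 writes $(rand_bytes 7) bytes"
echo "untouched copy: $(roundtrip_check)"
echo "modified copy:  $(roundtrip_check yes)"
```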
