Fonts matter.
This is an i (lower case letter)
This is a  1 (Arabic numeral)
This is an l (lower case letter)
This is an I (upper case letter)

STEP 0: Lab Prep

  1. Make sure you are viewing this page in Firefox, and do the lab in Firefox!
    If not, close your browser and reopen this page in Firefox.
    This page uses forms in which you will enter values, so Javascript must be enabled.
    Once the page is open in Firefox, do NOT refresh/reopen the page: you will lose information you have already entered.
  2. Create a directory named digCertLab on your Desktop. All files downloaded and created for this lab MUST be in this directory!
  3. Open two Administrator command-prompt windows.
    All commands for this lab MUST be entered and executed in these command-prompt windows.
    DO NOT CLOSE THESE WINDOWS!
    In the command-prompt windows, use the cd command to change directory to digCertLab directory you just created.
    In case you don't remember it will be something like:
    cd c:\users\mxxxx\desktop\digcertlab
  4. Give the command hostname in your command-prompt window.
    Copy the hostname that appears in the command window, paste it into the box below, and click the Submit button.
    (should look like: WRKrandomMIDN )
  5. Use Notepad++ to create a file with the following contents:
    <HTML>
      <BODY>
        <H1>Welcome to Complete above <FORM> first</H1>
        Trust me, I really am who I say I am!
      </BODY>
    </HTML>
    Name the file index.html, and save it in your digCertLab directory.

    Open the file in Firefox and verify that it looks like it should. (And you should be able to tell what it ought to look like!)

  6. Follow the below directions to turn off Windows Firewall:
    1. Press the System key.
    2. Type Firewall in the search bar.
    3. Select the Windows Firewall result in the top window
    4. Click the Turn Windows Firewall on or off link in the navigation panel on the left.
    5. Click Yes if the User Account Control dialog pops up.
    6. Select the Turn off Windows Firewall for all of the network profiles (Domain, Private, Public).
    7. Click the OK button.
    8. You should see a red X shield next to each of the network profiles in the Windows Firewall window.
    9. If a warning box comes from the lower right-hand corner click the small white "x" in the upper right hand corner to close it. Do not click anywhere else in the box or it will turn your firewall back on.
    10. Once you have confirmed the firewalls are off, close the Windows Firewall window.
 ↑ Worksheet Step 0. 

STEP 0.5: Instructor Demo

Sit tight and participate in this demo.

 ↑ Worksheet Step 0.5 

STEP 1: Certificates and Trust

In a new Firefox tab, open https://www.navyfederal.org.
This is Navy Federal Credit Union's page. Certainly we would like to be sure that this really is Navy Federal's page before entering a username and password! If a Bad Guy using a Man-In-The-Middle attack could successfully pose as the Navy Federal website, some very bad things could result.
  1. Click on the green lock icon in the left of the address bar.
    Firefox View Certificate - 01
  2. Click the Right Arrow and then the More Information button. You will see a pop-up box that tells you: to whom you are connected, who verified this identity, and that your communication is encrypted. It's the identity and the verification of that identity that we care about. That information comes to your browser as a certificate (more precisely, a certificate using the X.509 standard).
    Firefox View Certificate - 02

    The certificate certifies that the identity www.navyfederal.org is associated with a particular public key.
    Why? So that when you send data to navyfederal.org that has been encrypted with that public key, you know the actual entity "www.navyfederal.org" is the only one who can decrypt the data.

    But what makes you trust the certificate?

    The idea is that there are Certificate Authorities, entities that vouch for the validity of certificates by signing them. When your browser was installed, it came with a list of Certificate Authorities that it (and thus you) already trust -- but you can add or remove authorities.

    You might be surprised at who you are currently trusting. Let's look!
  3. Certificate authority TURKTRUST not so trustworthy
    Certificates that your browser is set to "trust" are labeled with what exactly you trust them for: HTTPS sessions, digitally signing e-mail, digitally signing code, or issuing certificates, are some examples. Certificate authorities that your browser is set to trust to issue certificates are given essentially unlimited trust.

    In January 2013, it was discovered that the authority Certificate Authority TURKTRUST had accidentally issued a certificate to a customer that stated that the certificate was valid for issuing new certificates — it should only have been valid for HTTPS sessions. This certificate was then used to issue fraudulent certificates for Google domain names, which allowed the bad guys to carry out man-in-the-middle attacks. The blog krebsonsecurity.com has the story: Turkish Registrar Enabled Phishers to Spoof Google.

    Click on the hot dog menu (three horizontal bars) on the right side of the Firefox toolbar.
  4. Click the Options button to open the options in a tab.
    Firefox Options
  5. Click Privacy and Security in the navigation menu on the left.
  6. Click the Certificates panel.
  7. Click the View Certificates button.
  8. Firefox Advanced Certificate
  9. Click the Authorities tab.
    Firefox Certificate Authorities

    In the display window you will see the list of Certificate Authorities that you are trusting.

  10. Scroll through the list, find a Certificate Authority that you are surprised you are (didn't expect to be) trusting.  ← Worksheet Step 1. Part 2. 
  11. Let's explore more details of the Navy Federal certificate. Reopen the "More Information" dialog window.
    Firefox View Certificate - 02
  12. Click the View Certificate button.
    Firefox View Certificate - 03
  13. Explore the Certificate Viewer dialog window.
    Firefox View Certificate - 04
  14. Answer the following questions on the worksheet:  ↓ Worksheet Step 1. Part 3. 
    • Who issued the certificate (Common Name)?
    • When does the certificate expire?
    • What algorithms are used as fingerprints (used as Integrity checks)?

    The subject's Common Name is the real identity the certificate is about.

  15. You will now download an unknown certificate and look at it.

    Right click the following link, select Save Link As ..., navigate to your digCertLab directory, and save the certificate there: unknown certificate

    Examine the certificate by entering the following command in your command window:

    openssl x509 -text -in ra37891_cert.pem
    • Whose identity is this certifying? (look for the subject's Common Name)
    • Who signed the certificate? (look for issuer's Common Name)
    • What's fishy about this?

     ↑ Worksheet Step 1. Part 4. 

STEP 2: How the Digital Certificate System Works

Under the hood, here's basically what happens:
Alice wants to connect via https to bob.org, which is Bob's server.
Alice trusts a Certificate Authority named Cedric.
All three of these - Alice, Bob, and Cedric - have public/private key pairs. Alice, of course, has Cedric's public key, and she trusts it is authentic, because she trusts that Certificate Authority.
  1. Bob submits to Cedric: proof of his identity, the domain name he wants a certificate for, and his public key.
  2. After verifying Bob's identity, Cedric uses Cedric's private key to encrypt the pair (domain name, public key) ... which in this case is (bob.org,Bob's-public-key). That encrypted "thing" is the actual certificate bob.org will use to prove its identity.
  3. When Alice browses to bob.org, bob.org sends Alice its certificate: (bob.org,Bob's-public-key) which has been encrypted with Cedric's private key.
  4. Alice decrypts the certificate with Cedric's public key (remember, Cedric is a certificate Authority she trusts). She now has (bob.org,Bob's-public-key). She knows Cedric must indeed have created this certificate, because his private key is required to make something decryptable by his public key.
  5. Because she trusts Cedric, Alice trusts that the public key in the certificate really belongs to bob.org. She can then use it to send data and ensure confidentiality.
The actual scheme used by X.509 is a little more complicated that what we described, but conceptually the same.
 ↑ Worksheet Step 2. 

STEP 3: Set up your own secure web server with a signed certificate

You are going to run a dirt-simple web-server hosting a dirt-simple web-site off of your laptop. The site will be accessible via HTTPS, with certificates and all. Your site will be accessible via your computer's full domain name (N/A), and you will create a certificate, which will be signed by the SY110 Certificate Authority, will certify that the name matches your public key (which you will generate for yourself).

1. Generate a public private key pair


  
2. Fill in a certificate request form, requesting that the identity
N/A
be certified to match the public key generated in (1).


  
3. Submit request to SY110 Certificate Authority to have a certificate created and signed.


  
4. Start an HTTPS web server process listening to port 443


  1. This command generates a 1024-bit RSA public/private key pair and stores it in a file named pubpri.key file:
    N/A
    Use the dir command in your command-prompt window and verify that you have just created a file named pubpri.key
  2. The next command generates a request to certify that identity Complete <FORM> above. is associated with the public key you've just created. You will later submit this request to the SY110 Certificate Authority. Fill in all fields for the request except for "common name" with lies (i.e. make stuff up). The "common name" field must be your computer's full domain name.

    Important For "Common Name" you must enter exactly this: ERROR: Resubmit your system's hostname in STEP 0   ← READ THIS   
    N/A
    Use the dir command in your command-prompt window and verify that you have just created a file named .csr and that it's size is not 0.
  3. The next step is to actually submit your request to the SY110 Certificate Authority.
    Using the Browse button below, choose the file .csr from your digCertLab directory, then press the Sign This File button.
    Choose a file to upload:

    Follow the directions on that page, then return to this page, then use the dir command in your command-prompt window and verify that you have just created a file named .crt

  4. Finally, you need to actually launch your very own secure web server, which can serve up your beautiful index.html page in a secure and authenticated manner!
    Important: Just let this run. If you need to bring the web server down, just give a ctrl-c while in the terminal window. However ...
    Important: Please leave the server running for the rest of the period. That means this particular command shell won't be available for entering commands.
    N/A
 ↑ Worksheet Step 3. 

Your instructor will discuss if the below information is needed.

SY110 Instructor Workstation Network Information
Room Number Inst Stat Hostname Inst Stat IP Address Inst Port
MI200 wrk1062915govt.academy.usna.edu 10.53.21.151 58200
MI203 wrk1062920govt.academy.usna.edu 10.53.21.147 58203
MI206 wrk1062916govt.academy.usna.edu 10.53.21.224 58206
MI220 wrk1062911govt.academy.usna.edu 10.53.21.146 58220
MI294 wrk1062919govt.academy.usna.edu 10.53.117.254 58294

STEP 4: Testing

For the next phase, you need to partner up with someone. You'll test their page by trying to access it, while they test yours. So you'll need to get your partner's hostname and enter it in the form below:
← if you refresh this page, reenter partner's hostname and resubmit.  ← Worksheet Step 4. 
  1. Note: DO NOT ADD AN EXCEPTION when you try to open the following web page!
    Pull up your partner's page using the URL: ENTER PARTNER'S HOSTNAME ABOVE TO GET URL ← you must put "/index.html" on the end!
    Note: DO NOT ADD AN EXCEPTION.
    Does your browser accept its certificate? No! (What message do you get?)
    The problem is that the certificate is not signed by a certificate authority you actually trust! So while Firefox (and thus you!) trust the Hong Kong Post to certify identities, it (and thus you) don't trust the SY110 Certificate Authority.
  2. For the rest of this period, you are going to trust the SY110 Certificate Authority. You indicate this trust by adding its certificate to Firefox's list of trusted Authorities. To do this:
    • Download ca.crt, the SY110 Certificate Authority certificate, to your digCertLab directory.
    • In Firefox click on the 3 bars on the top right and choose Options, and from it choose Privacy and Security
    • Scroll to the bottom and click on the View Certificates button .
    • From the Authorities tab, click Import... and choose the file ca.crt from your digCertLab directory. (Check the "Trust websites" box.)
    • Check that the SY110 certificate authority is now in the list of trusted authorities.
  3. Now try pulling up your partner's page again. Note: It may take several seconds to load. It should appear in your browser with no warnings, and if you click on the little blue box or lock icon to the left of the address bar, you should see a pop-up message that tells you that you have a secure connection. Click on the More Information... button and verify that this site's certificate is indeed signed by the SY110 certificate authority. Thus, your browser trust your partner's site's certificate because it trusts the SY110 certificate authority.
 ↑ Worksheet Step 4. 

STEP 5: How does this stop bad guys?

What would a bad guy attempting a man-in-the-middle attack look like? He'd look like another host running a web server claiming to be ENTER PARTNER'S HOSTNAME ABOVE TO GET URL. Let's simulate that, and see what happens.
  1. Choose a third member of your class to serve as your Bad Guy, and enter IP address of his machine:
    ← if you refresh this page, renter the Bad Guy's IP and resubmit.  ← Worksheet Step 5. 

    We're going to trick your machine into thinking that the Bad Guy's computer is really your partner's.
  2. If you prefer Notepad++ (and we don't blame you), follow the below directions to edit your hosts file.
    1. Open Notepad++ and close all open tabs.
    2. Exit Notepad++
    3. Press the System key.
    4. Type in: notepad
    5. Right click on the Notepad++
    6. Select Run as Administrator
    7. Use the Open dialog (Ctrl-o, File → Open) and open C:\Windows\System32\drivers\etc\hosts
    In an Administrator shell give the following command, which will allow you to edit (Note: there is no .txt extension at the end of the filename hosts!)
    notepad \Windows\System32\drivers\etc\hosts
  3. If using your class mates IP address does not work, then change the IP address in the hosts file to 127.0.0.1 and attempt to access the web server running on the remote system (instructor's workstation, classmate's laptop).
    Add the following line to the end of the file:
    ENTER BAD GUY IP ABOVE TO GET LINE FOR ETC\HOSTS FILE
    ... and Save (not Save As), but do not exit Notepad.

    What this does is to tell Windows that the domain name ENTER PARTNER HOSTNAME ABOVE should resolve to ENTER BAD GUY IP ABOVE. and not to bother querying a nameserver.

  4. Now enter the URL for your partner's website again (or shift+refresh if it's still in the URL bar). What message do you get? (Be sure to check "Technical Details".) The Bad Guy doesn't have the proper certificate for the domain name, and your browser knows it!
    What other alternatives does the Bad Guy have? The Bad Guy can't make a fake certificate, because he can't even pretend-sign something as the SY110 Certificate Authority, because he doesn't have their private key. And he can't just use your partner's certificate, because he'd need their private key. So the Bad Guy's only option is to trick one of your trusted Certificate Authorities into signing a bogus certificate that claims your partner's domain name identity as his own. This happens! Check out this discussion.
 ↑ Worksheet Step 5. 

STEP 6: Lab Clean Up

  1. Remove the line you added to your C:\Windows\System32\drivers\etc\hosts file (You need to be an Administrator to modify the hosts file).
  2. Remove the SY110 Certificate Authority from your Firefox list of trusted Certificate Authority.
  3. Follow the below directions to turn on Windows Firewall:
    1. Press the System key.
    2. Type Firewall in the search bar.
    3. Select the Windows Firewall result in the top window
    4. Click the Turn Windows Firewall on or off link in the navigation panel on the left.
    5. Click Yes if the User Account Control dialog pops up.
    6. Select the Turn on Windows Firewall for all of the network profiles (Domain, Private, Public).
    7. Click the OK button.
    8. You should see a green shield next to each of the network profiles in the Windows Firewall window.
    9. Close the Windows Firewall window.
 ↑ Worksheet Step 6. 

STEP 7: Certificates at the Academy

  1. Using Chrome, go to: https://gozer.usna.edu.
  2. Open the Web Developer Console by pressing: Ctrl-Shift-J
  3. Select the Security tab.
  4. Review the connection information and answer the questions on your worksheet.
 ↑ Worksheet Step 7. 

OPTIONAL STEP : Your Personal Certificates

NOTE: THIS STEP CAN ONLY BE COMPLETED IF YOU KNOW YOUR CAC PIN. If you do not, then skip it.
Using Chrome, and without your CAC card, visit one or all of following sites: Did that work? What was the website looking for?

You need to use DoD issued personal certificates! To learn about your own digital certificates on your CAC card, perform the following steps.

  1. Insert your CAC card in the card reader slot on your laptop. Double click on the gray and blue ActiveClient Agent - Smart Card Inserted icon in the lower right portion of your screen. Click on My Certificates and then you should see your certificate. You probably only have one. When you are commissioned, you will probably have two more added to use with digitally signing and encrypting email. The one certificate you do have allows you to access protected DoD and Navy websites, like those above. Right click on the certificate and select View to see what information that certificate stores.
  2. Now that your CAC has been inserted to the card reader, your certificate has been loaded into the browser and is ready for use. To see this, Close Chrome, reopen, and try to visit any of the sites again (NOTE: The https://www.portal.navy.mil site can be finicky and slow). This time you should be prompted to select one of your digital certificates from your CAC card. Select one (EMAIL certificate is usually best) and you should be prompted next to enter your CAC PIN. If you know your PIN, type it, and you will get access to the sites. If you do not know your PIN, you cannot get to the site. The site requires two-factor authentication: something you have (your CAC card) and something you know (your CAC PIN)!
  3. To see your certificates in Chrome's certificate list, go to Chrome's Options --> Under the Hood. Scroll down to HTTPS/SSL and click on Manage certificates...select the tab for Personal and you will see your CAC certificates there. The Intermediate Certificate Authorities tab should show a bunch of DOD certificates - those are also needed to get to DoD sites and are part of the chain of trust from DoD root certificates down to your DoD issued personal certificate!