
Highly Secure Systems COMP716

Tutorial
Cryptographic Hashes & HMAC

1. In Linux, create a directory called "testDir" and change into it:


$ mkdir testDir
$ cd testDir

Create a text file, e.g. open the text editor by clicking on the "edit" icon. Type something and
save it with a name, e.g. "test1.txt", in your testDir.
You can also create a text file from the shell:
$ echo "This is some text file" > test1.txt
You can also use the pico text editor:
$ pico test1.txt

View the file:


$ cat test1.txt

(a) Obtain the md5 hash of your file:


$ md5sum test1.txt

(b) Make a small change in your file such as adding a space, dot, etc.
Save the file with a new name, e.g. "test2.txt", and obtain the new md5 hash. Compare
them. Are they the same, different, or very different? You can do this visually:
$ cat test1.txt
$ cat test2.txt

2. Use md5 to check for file integrity. Using your browser, go to https://156.62.140.124 to
download a file and its md5 counterpart from the software folder, e.g. putty-0.70-installer.msi
and putty-0.70-installer.msi.md5.txt

(a) Run the md5 sum on the downloaded file and save the output to a file called
putty.md5
$ md5sum putty-0.70-installer.msi > putty.md5

(b) Now compare your new md5 with the one on the server. You can view your md5 manually:
$ cat putty.md5
and compare it with what you see on the website by clicking on the .md5.txt file.

3. Hash passwords.

Get the help for the password command.


$ openssl passwd --help

Obtain the hash of the password "myPass" using the -apr1 method (type myPass when prompted):
$ openssl passwd -apr1
Identify the method, salt, and the hash.

Obtain another hash of the same password "myPass". Is the hash the same as before?
Try with other methods.

4. There are two files in the info folder of http://156.62.140.124, notice1.txt and notice2.txt, together
with their HMACs (also in /home/pub/). One of the notices is fake because it was not produced with the
correct secret key, which is comp607. Download the files and their HMACs into your directory.

$ cp /home/pub/notice*.* .

Use the openssl tools to compute their HMACs and determine which notice is the authentic one.
$ openssl dgst -hmac comp607 notice1.txt > notice1.new.hmac

Compare notice1.new.hmac with the original notice1.hmac.txt. Is notice1.txt
authentic? Also create the HMAC for notice2.txt. Is this message authentic?

5. Use HMAC to protect file authenticity and integrity.


In OpenSSL, obtain the HMAC of your file using a secret key, e.g. "secretKey":

$ openssl dgst -hmac secretKey test1.txt > test1.txt.hmac

Suppose you send the files: test1.txt and test1.txt.hmac to your friend. How
would he/she verify that the file test1.txt is authentic and intact?

Try with different hash algorithms, e.g. sha1, whirlpool, etc. See the options:
$ openssl dgst --help
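The check asked for in questions 4 and 5 (recompute the HMAC with the shared key and compare it with the stored one) as a small shell script. This is an added example, not part of the tutorial; it assumes openssl is on the PATH and that the stored .hmac files are the output of "openssl dgst -hmac", i.e. a line of the form HMAC-SHA256(file)= <hex> (the algorithm name varies with the OpenSSL version).

```shell
#!/bin/sh
# Added example, not part of the tutorial: how the recipient of test1.txt and
# test1.txt.hmac (or of notice1.txt and notice1.hmac.txt in question 4) checks
# that a file is authentic and intact. Assumes openssl is installed.

# Pull only the hex digest out of an "HMAC-SHA256(file)= <hex>" line.
# openssl embeds the file name in that line, so comparing whole lines would
# fail if the file was renamed in transit; a .txt copy downloaded from a web
# server may also carry a trailing CR, which tr strips.
hmac_hex() {
  sed 's/^.*= *//' "$1" | tr -d '[:space:]'
}

# verify_hmac KEY FILE STORED_HMAC_FILE
# Recomputes the HMAC of FILE with KEY; returns 0 only if it equals the stored one.
verify_hmac() {
  key=$1; file=$2; stored=$3
  expected=$(hmac_hex "$stored")
  actual=$(openssl dgst -hmac "$key" "$file" | sed 's/^.*= *//')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed demo mirroring question 4: one notice signed with the shared
# key comp607, a second one signed with a wrong key, then a tampered copy.
demo() {
  dir=$(mktemp -d)
  printf 'Lab moved to room WZ320\n' > "$dir/notice1.txt"
  printf 'Lab cancelled this week\n' > "$dir/notice2.txt"
  openssl dgst -hmac comp607  "$dir/notice1.txt" > "$dir/notice1.hmac.txt"
  openssl dgst -hmac wrongkey "$dir/notice2.txt" > "$dir/notice2.hmac.txt"
  for n in notice1 notice2; do
    if verify_hmac comp607 "$dir/$n.txt" "$dir/$n.hmac.txt"; then
      echo "$n.txt: authentic"
    else
      echo "$n.txt: NOT authentic (wrong key or modified)"
    fi
  done
  # Any change to the file, even a single added space, invalidates the HMAC.
  printf ' ' >> "$dir/notice1.txt"
  if verify_hmac comp607 "$dir/notice1.txt" "$dir/notice1.hmac.txt"; then
    echo "tampered notice1.txt: authentic"
  else
    echo "tampered notice1.txt: NOT authentic"
  fi
  rm -rf "$dir"
}

demo
```

Only the holder of the secret key can produce a matching HMAC, which is why the friend in question 5 must already share "secretKey" with you through some other channel.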

6. Textbook problems: 11.2, 11.5

7. Textbook problems: 12.5
