Part 1: running an RSA cipher

Demonstration
Objectives
summarize the basics of cryptographic concepts.
Activity Estimated completion time: 30 minutes
Description
The steps for encryption using rsa can be illustrated in a Java applet on a
website. In this project, you will observe how RSA encrypts and decrypts.
1. Use your web browser to go to
https://people.cs.pitt.edu/~kirk/cs1501/notes/rsademo/
2. Read the information about the demonstration.
3. Click key generation page.
4. Change the first prime number (P) to 7.
5. Change the second prime number (Q) to 5.
6. Click Proceed.
7. Read the information in the popup screen and record the necessary numbers.
Close the screen when finished.

By entering two primes, P and Q, the computer will generate N, E and D. E and
N are the public key pair, while D and N are the private key pair. It is very
important that you write down those numbers ( N,E and D.) You will need E
and N for encryption, and D and N for decryption. After that, I will choose first
prime number (P) to 7 and second prime number (Q) to 5

N is equal to sum of P*Q

PHI is the Euler function, calculated by multiplying (P-1) by (Q-1)
E is a public exponent: E is chosen such that E and PHI are coprime
(D) is the inverse of E
N and E are public keys
Thus, N = 35 ; E = |D| = 5

8. Click the Encryption Page.

9. Next to Enter Alice’s exponent key, E: enter 5 as the key value from the
previous screen.
10. Next to Enter Alice’s N Value: enter 35.
11. Click Encrypt. Read the message and record the values. Close the screen
when finished.

Letter ‘E’ is converted to number 5. The encryption formula used is

C=ME mod N where M=5

(the numerical representation of ‘E’), E=5 , and N=35

12. Click the Decryption Page.

13. Next to Enter the encrypted message enter 1.
14. Next to Enter your N value: enter 35.
15. Next to Enter your private key, D: enter 5.
16. Click Proceed. Note that 1 has been decrypted to A.
17. Close all windows.

Because the letter ‘E’ is converted to number 5. The encryption formula used is

C=ME mod N where

M=5

(the numerical representation of ‘E’), E=5 , and N=35

Thus, the encryption was 10

Then, You decrypt the encrypted message using the RSA decryption method.
The formula M=CD mod N, Where
C =1
(the encrypted message), D = 5
(the private key) N = 35
The result of the decryption was 1

Exercise
Now you can try it with your friends. Each of you generates a public key and
private key. Then, you can send the public key to your friends in the group and
keep the private key secret. Each one can try to send a secret message to a
friend. Can he/she decrypt the massage? Can you read the message without
knowing the private key?
First, I will choose P is 7 and Q is 11 and after that we have N = 77
PHI = 60 , because PHI is the greater common divisor of E , E = 7

The private key, D is 43

I choose Letter B is convert to number 2
=> C = 51
and the encrypted message is 51
I sent my friend the public key which is (E,N) = (7,77), the entropy is 51 => and
my friend can't solve them.
Conclusion, I can not find the answer if there is no private key. This is the basic
principle of public key cryptography. Even though the encryption process is
public and the encrypted message is sent over an insecure network, only the
intended recipient with the corresponding private key can decrypt and read it.
So without knowing the private key I won't be able to understand the encrypted
message.

Part 2: Blockchain tutorial

Objectives
Summarize the basics of cryptographic concepts.
Activity Estimated completion time: 30 minutes
Description
Understanding how blockchain functions can best be accomplished by
performing a hands-on tutorial. In this project, you will use an online tutorial to
learn about blockchain.
1. Use your web browser to go to https://andersbrownworth.com/blockchain
2. Watch the video Blockchain 101 – a Visual demo and Blockchain 101 –
Part 2 Public/Private Key signing.
3. When the videos have completed click Hash.
4. In the Data: box, enter This is data set 1 and note how the hash changes as
you enter each letter.
5. Now change the 1 to 2. What happens to the hash?

https://drive.google.com/file/d/1L1DX7YAhKpV2i-u1K9o1-zol9r5jCFqI/view?
usp=share_link
There are distinct differences between the two hashes in the data they represent.
For example, when I enter data "This is data set 1" and "This is data set 2". The
hash function will change the data to
"3949ce15eb64fdb1ca43f6fd6fbcbc4be93028c2deff0e7e200a548446e31ed6"
and
"e0b7fb4350895288ed7d8bd4eeab26bd7cbf76a33b327154e8927338daaa7bfc"
respectively. If we look at the text, the only difference is 1 and 2 in the data
stream, but when it comes to the hash function, we see that the data will change
completely when we change the data differently. Therefore, changing just one
character in the data set will result in a completely different hash function. I
think that's one of the aspects that helps hash functions in integrity checking,
digital signatures and in blockchain technologies.

6. Click Block.
7. What new fields have been added?
When I set the nonce to 0 with the data "This is data set 1", the Block displays
in red and the hash function changes to a different value than the hash function
in the previous data item, we are “
2453e18612ab73d12dcc60c179cdf8067fdf119954bb9327d691828edb393cf2”

Then I press mine and the nonce changes to 45040 and the hash also changes.
Nonce runs the data to find the number that matches the data I'm given and I see
that the hash function forces their output to start at 4 zeros.
Similar to data is "This is data set 2"
The hash function also changes and the value string starts with 4 zeros

8. Click Blockchain. scroll to the right to see all the blocks in the chain. look at
the Prev: for Block #5. compare that with the hash: of Block #4. are they
identical? Why?
That’s right, they are the same. In blockchain technology, each block contains a
field called "Prev" or "Previous Hash", which is the hash of the previous block
in the chain. This creates a link between blocks, forming a "chain" of blocks

Therefore, the “Prev” of Block #5 will be the hash of Block #4. This helps
ensure data integrity and immutability: if I tried to change the information in
Block #4, its hash would change and thus the "Prev" in Block #5 would no
longer exist. match again. This allows us to detect changes and reject it.

9. Compare the Prev: and hash: of each block with the former block.

For Block 1, the value in Prev is a string of 0 values. I think this is a

hypothetical value chain to serve as a premise for the following values. After
comparing the next value, the hash function of the previous value will be the
next value of Prev. As I said in the previous sentence, this is the value chain of
the blockchain and this allows us to detect change and reject it, which helps
ensure data integrity and immutability.

10. Return to Block #5. enter This is data set 5. What happens to the color of
the block? Why is this block now invalid?

Block #5 turns from light green to pink when you type "This is data set 5" into
the block. Typically, when the block's color changes, the block has become
invalid.
When the data contained in a block is altered, the block becomes invalid on the
blockchain. In this instance, updating the data to "This is dataset 5" modifies
Block #5's hash. However, the field Their 'pre-hash' in later blocks in the chain
still has the previous hash of Block #5. Block #5 and all succeeding blocks are
invalid due to this discrepancy.
One of the reasons blockchain is thought to be secure is that to restore Block
#5's validity, you must recalculate the hashes for all succeeding blocks.

11. go to Block #4. enter This is data set 4. What happens to the color of
Blocks #4 and #5? Why?
When you change the data in Block #4 to "This is data set 4", it changes the
hash of Block #4. This new hash doesn't match the 'Previous Hash' field in
Block #5, which was based on the original data in Block #4.

Because of this mismatch, the link between Block #4 and Block #5 is broken,
making these blocks and all subsequent blocks invalid. This is typically
represented by a change in color to green or pink.

12. return to Block #5. click Mine to correct the information in the block.
13. return to Block #3. enter This is data set 3. What happens to Blocks #3, #4,
and #5? Why? how does this illustrate that the blockchain resists change?

The system recalculates the hash for Block #5 based on the updated information
and the 'Previous Hash' column from Block #4 when you go back to Block #5
and click "Mine". Block #5 becomes legitimate again through this process,
which is called mining. This is usually signaled by a shift in hue from pink to
blue.
This now modifies Block #3's hash when you go back to it and type "This is
data set 3". The 'Previous Hash' column in Block #4, which was based on the
original data in Block #3, does not match this new hash. Blocks #3 and #4, as
well as all following blocks (including Block #5), are invalid because of this
mismatch, which also breaks the connection between them. Usually, a shift in
hue to pink or green signifies this.
This conduct demonstrates how resistant blockchain is to change. A block
becomes invalid after it is uploaded to the blockchain, and this invalidation
affects all following blocks as well. It would be computationally demanding to
recompute the hashes for each of the impacted blocks in order to restore their
validity. Because of this, data that has been put to the blockchain is impossible
to alter.

14. In Block #3 click Mine. What happens to the color of this block?

When you click "Mine" on Block #3, the system recalculates the hash for Block
#3 based on the new data and the 'Previous Hash' field from Block #2. This
process is called Mining, making Block No. 3 effective again.
But Block 5 changed from green to pink. This shows that there has been a
change from the data from the previous blocks making block number 4 and
block number 5 invalid block data together.

15. go to Block #4 and click Mine.

16. go to Block #5 and click Mine.
All block values turn green and they link together making this valid

17. If you were to make a change to Block #5, on which block must you click
Mine to correct it? If you were to make a change to Block #3, on which blocks
must you click Mine? Why the difference?
18. Close all windows.

If you make a change to Block #5, you only need to click "Mine" on Block #5
itself to correct it. This is because the hash of Block #5 does not affect any other
blocks.

If you make a change to Block #3, you will need to click "Mine" on Block #3,
Block #4, and Block #5. This is because the hash of each block is used in the
'Previous Hash' field of the next block. So, when you change the data in Block
#3 and mine it, it changes the hash of Block #3.

Why the difference?

This distinction demonstrates how a blockchain's blocks are connected and
sequential. Adding data to a block and linking it to the chain necessitates
revalidating all blocks that follow, a computationally demanding process that
contributes to the blockchain's integrity and security.
Part 3: SSL server and client tests
Objectives
Explain the importance of security concepts in an enterprise environment.
Activity
Estimated completion time: 30 minutes
Description
In this project, you will use online tests to determine the security of web servers
and your local web browser.
1. Go to https://www.ssllabs.com
2. Click Test your server >>.
3. Click the first website listed under recent best.
4. Note the grade given for this site. Under Summary, note the Overall rating
along with the scores for Certificate, Protocol Support, Key exchange, and
Cipher Strength, which make up the cipher suite.
5. If this site did not receive an Overall Rating of A under Summary, you will
see the reasons listed. Read through these. Would you agree? Why?

Because my results when testing my server it shows A+ according to which it

also provides certificates like Certificate #1: RSA 2048 bit (SHA256withRSA)
which denotes that the website uses code method strong transformation. Based
on the information provided, the A+ rating appears to reflect the security
measures in place at the time of review. All positive indicators of a secure
website. So I agree
6. Scroll through the document and read through the Certificate #1 information.
Note the information supplied regarding the digital certificates. Under
Certification Paths, click Click here to expand, if necessary, to view the
certificate chaining. What can you tell me about it?
Based on the certificates I've seen, this is a certificate that represents the chain
of trust from the end entity certificate (in this case prodcas5.cloud.com) to the
root certificate (DigiCert Global Root CA). This chain of trust is important in
digital security because it ensures that entities involved in communications are
who they say they are.

7. Scroll down to Configuration. Note the list of protocols supported and not
supported. If this site were to increase its security, which protocols should it no
longer support? Why?
The error "The server sent a fatal warning: handshake_failure" usually indicates
that there is a mismatch between the server configuration for cryptography or
protocol and the client. This, I think could be due to a number of reasons such
as Unsupported Cipher Sets: The server and client need to have a common
cipher set to establish a secure connection. If the server supports a cipher suite
that the client does not support, or vice versa, a handshake failure may occur. Or
it could be, the SSL Certificate is invalid or expired

8. Under Cipher Suites, interpret the suites listed. Notice that they are given in
server preferred order. To increase its security, which cipher suite should be
listed first? Why?
Cipher suites that offer robust encryption and broad support ought to be the
standard. TLS 1.3 (suites in server-preferred order) is the number.

The {TLS_AES_256_GCM_SHA384} set could be a wise choice to mention

first for TLS 1.3. It offers a high level of security by encrypting data using the
256-bit Advanced Encryption Standard (AES).

The set {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384} could be

favored for TLS 1.2. It employs AES with a 256-bit key for encryption, RSA
for authentication, and Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for
key exchange. Perfect Forward Secrecy (PFS) is a feature of ECDHE that
ensures that prior session keys remain uncompromised even in the event that the
private key is compromised.

9. Under handshake simulation, select the web browser and operating system
that you are using or that are similar to what you are using. Read through the
capabilities of this client interacting with this web server. Note particularly the
order of preference of the cipher suites. Click the browser’s back button when
finished.
10. Scroll to the top of the page, and then click Scan Another >>.
11. Select one of the recent worst sites. Review the Summary, Authentication,
Configuration, Cipher Suites, and handshake simulation. Would you agree with
this site’s score?
I see that the certificate's points are missing, so the error here is in the
certificate. Looking at the error, we can see that the Certificate has expired. It is
effective from Thursday, 20 July 2023 19:07:12 UTC until Wednesday, 18
October 2023 19:07:11 UTC. Expired 3 days, 15 hours ago)

12. If necessary, return to the SSL report page, and then click Scan Another >>.
13. Enter the name of your school or work URL and generate a report. For
example, you can generate a report for vnu.edu.vn or is.vnu.edu.vn. What score
did it receive?
Similar to step 11. The school's website has an error. My university’s website
got a T overall score. I see that the certificate's points are missing, so the error
here is in the certificate. Looking at the error, we can see that the Certificate has
expired. It is effective from Fri, 21 Oct 2022 00:00:00 UTC until Sat, 21 Oct
2023 23:59:59 UTC (expired 10 hours and 56 minutes ago)
14. Review the Summary, Authentication, Configuration, Cipher Suites, and
handshake simulation. Would you agree with this site’s score?
Because there are too many errors in the certificate that is a necessary condition
for system security, I agree with the analysis the website has given.

15. Make a list of the top five vulnerabilities that you believe should be
addressed in order of priority. If possible, share this list with any IT personnel
who may be able to take action.

I think that the top five vulnerabilities that should be addressed in order of
priority:

1. Expired SSL Certificate: The SSL certificate for the domain fsk.info-
lan.me has expired. An expired certificate can lead to insecure
connections and may cause browsers to show security warnings to users.
2. Untrusted SSL Certificate: The SSL certificate is not trusted. This could
be due to various reasons such as the certificate being self-signed, the
root certificate not being in the trust store, or the certificate chain being
broken.
3. Lack of OCSP Stapling: The certificate does not support OCSP
Stapling. OCSP stapling is a method for quickly and safely determining
whether or not an SSL certificate is valid.
4. No Extended Validation (EV): The certificate does not have an
Extended Validation (EV), which means it did not undergo a rigorous
validation process.
5. Cipher Suite Compatibility: Ensure that the cipher suites used are
compatible with all targeted clients to prevent handshake failures.
16. Click Projects.
17. Now test the capabilities of your web browser. Click SSL Client Test.
Review the capabilities of your web browser. Print or take a screen capture of
this page.
18. Close this web browser.
19. Open a different web browser on this computer or on another computer.
20. Return to www.ssllabs.com, click Projects, and then click SSL Client Test
to compare the two scores. From a security perspective, which browser is
better? Why?
21. Close all windows
When comparing the two websites, Microsoft Edge and Google Chrome, I see
that both websites return the same results and both have some weaknesses in
Cipher Suites such as
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK
 Part 4 Viewing digital certificates
Objectives
Given a scenario, implement public key infrastructure.
Activity
Estimated completion time: 30 minutes
Description
In this project, you will view digital certificate information using the Google
Chrome web browser.

1. Use the Google Chrome web browser to go to www.google.com.

2. Note the padlock in the address bar. Although you did not enter https://,
Google created a secure HTTPS connection. Why would it do that?

To protect the security and privacy of data sent between your browser and the
website you're viewing, Google establishes a secure HTTPS connection. This is
the reason:

Encryption: To make standard HTTP requests and answers safer and more
secure, HTTPS encrypts them using TLS (Transport Layer Security). When
transmitting sensitive data, it is especially crucial to use encryption to stop
hackers and other outside parties from seeing or altering the data.

Authentication: When you visit a website that utilizes HTTPS, the website's
server authenticates itself to browsers such as Chrome 3 by using a certificate.
By doing this, you can make sure that the website you are interacting with is
legitimate and not malicious3.

Credibility: Users are more inclined to trust websites that employ HTTPS. Users
may feel confident knowing that their information is protected when they see
"https://" in the URL.

3. Click the three vertical buttons at the far edge of the address bar.
4. Click More tools.
5. Click developer tools.
6. Click the Security tab, if necessary. (If the tab does not appear, click the >>
button to display more tabs.)
7. Read the information under Security Overview.
8. Click View certificate.

9. Note the general information displayed on the General Tab.

10. Now click the details tab. The fields are displayed for this X.509 digital
certificate.
11. Click Valid to to view the expiration date of this certificate.
12. Click Public key to view the public key associated with this digital
certificate. Why is this site not concerned with distributing this key? How does
embedding the public key in a digital certificate protect it from impersonators?
Why is this site not concerned with distributing this key?

Since a public key is used for encryption or signature verification rather than
decryption or signing it is not considered sensitive information and is freely
distributable. It is a component of a key pair together with a private key. Data
encrypted with the public key may be decrypted using the private key, which is
kept secret. Similarly, data signed with the public key can be validated.

How does embedding the public key in a digital certificate protect it from
impersonators?

A digital certificate that has the public key embedded in it is safeguarded

against impersonators in many ways:

Identity Binding: A public key's owner's identity is linked to it by a digital

certificate. A reputable organization called a Certificate Authority (CA)
performs this binding; before granting the certificate, the CA confirms the
owner's identity.

Digital Signature: Using its own private key, the CA digitally signs the
certificate. Anyone with access to the CA's public key, which is widely used
and trusted, may validate this signature. This guarantees that the public key and
certificate are authentic and unaltered from the owner who is claiming them.
Trustworthiness: Reputable root certificates from leading CAs are typically
preinstalled on browsers and other devices. These are used by them to confirm
the signatures on further certificates. A website is deemed legitimate if it
displays a certificate that can be validated using one of these reliable root
certificates.

Private Key Necessity: Without the matching private key, someone else cannot
pretend to be the owner, even if they manage to obtain a copy of the certificate
and the public key. An imposter wouldn't have the ability to create a digital
signature or use the private key to decode data in order to try communication in
the role of the owner.

The distribution of a public key (via a digital certificate) does not pose a
security risk, it is important to keep the corresponding private key secure to
avoid impersonation.

13. Click the Certification Path tab. Because web certificates are based on the
distributed trust model, there is a path to the root certificate. Click the root
certificate, and then click the View Certificate button. Click the details tab,
and then click Valid to. Why is the expiration date of this root certificate longer
than that of the website certificate? Click Ok and then click Ok again to close
the Certificate window.
Why is the expiration date of this root certificate longer than that of the
website certificate?
Root certificates are at the top of the certificate hierarchy and are used to issue
other certificates. They are a trusted fulcrum for the entire certification process.
Root certificates are distributed with software such as web browsers and
operating systems. Updating these certificates in all client systems can be a
complex and time-consuming process, so they are designed to last. The root
certificate is kept as secure as possible. If a malicious party obtains the root
certificate and private key, it could lead to a serious security breach. Therefore,
these certificates are not regularly renewed. This gives you enough time to
prepare when they expire.

Site certificates have a shorter lifetime. This is because the security landscape
changes rapidly and shorter lifetimes allow for more frequent updates of
certificates' encryption algorithms and other parameters. It also limits potential
damage if a website's private key is compromised because the certificate will
expire sooner.

14. Click Copy to File.

15. Click Next.
16. Note the different file formats that are available. What do you know about
each of these formats?
17. Click Cancel to close this window.
18. Close all windows.

A file with the .crt extension is a security certificate file used by secure websites
to establish a secure connection from the web server to the browser. Secure
websites enable secure data transfers, logins, payment card transactions, and
provide protected browsing for the website.
Part 5: Sending a secure email
Objectives
Securing the email communications
Activity
Estimated completion time: 40 minutes
Description

In this lab, you will apply data encryption and digital certificate concepts to
secure a real-world problem, how to send an email securely and we can verify
the authenticity of the senders.
You will need to use PGP (Pretty Good Privacy) to encrypt and sign an email
which contains your report. After that, you must send it to my email address
(hieubd@vnu.edu.vn). My pubic key ID:
E4D9F579DBD90D3FEF59F52F9A5F7B5B51B7E3D5
You can download my Public Key by looking it up in
https://keyserver.ubuntu.com

Your tasks:
1. Generate a key pair (public key and private key) and upload your public key
to keyserver.ubuntu.com
2. Send a test email with your friends in your group and ask your friends to
verify and decrypt it. Ensure that your email will be decrypted correctly.
3. Each group sends an encrypted email to my email (hieubd@vnu.edu.vn).
Ensure that it can be decrypted.
Tools that you can use:
• Email clients that support PGP (you can find some email clients on the
Internet such as thunderbird, claws-mail)
• gpg4win: encrypt emails and file separately then attach these contents into an
email. Download link: https://www.gpg4win.org/
• You can use your own tools
Reports:
• Create a report that explain the steps you have done and how it works

Đầu tiên tôi phải tải gng phù hợp với laptop và hệ điều hành của mình đang sử
dụng trên website https://www.gnupg.org/download/index.html
1. Generate a key pair (public key and private key) and upload your public
key to keyserver.ubuntu.com

After downloading I will go to Command Prompt

Type the command line gng --full-generate-key to generate your own public and
private keys

As far as I know, RSA and RSA (1) or ECC (signing and encryption) (9) are
often widely used to create signing and encryption keys. So I choose number (9)
ECC (sign and encrypt) *default*
I then choose the appropriate elliptic curve so I choose the default and then
choose the time period for which the key is valid. I choose 0 = key does not
expire

Next I fill in my personal information which needs to be encrypted to generate a

public and private key.

Key created successfully!

Sau đó tôi gửi mã khóa của mình cho máy chủ https://keyserver.ubuntu.com

Then I need to export my public and private keys into a .txt file so I can send it
to my friends and teachers
For the private key, I need to enter the password I set up to be able to export this
.txt file

2. Send a test email with your friends in your group and ask your friends to
verify and decrypt it. Ensure that your email will be decrypted correctly.

Download my friend's public key: First, you need to download my friend's

public key from keyserver.ubuntu.com. I do this using the following command
in GnuPG:
gpg --keyserver keyserver.ubuntu.com --recv-keys
139277811DF49B5F66050D98ECCC3AD0FCFC0D7C
Email encryption: Next, I need to encrypt my email using my friend's public
key. You can do this using the following command:
gpg --encrypt --recipient 20070788@vnu.edu.vn hieuvickpublickey.txt
Sign emails: To ensure that an email comes from me, I should sign it with my
private key. You can do this using the following command:
gpg --sign hieuvickpublickey.txt.gpg
Send email: Finally, you can send an encrypted and signed email to my friend

3. Each group sends an encrypted email to my email (hieubd@vnu.edu.vn).

Ensure that it can be decrypted.

To send PGP encrypted emails to my teacher I need

Download the teacher's public key: First, I need to download the teacher's
public key from keyserver.ubuntu.com. You can do this using the following
command in GnuPG:

gpg --keyserver keyserver.ubuntu.com --recv-keys

E4D9F579DBD90D3FEF59F52F9A5F7B5B51B7E3D5

Email encryption: Next, you need to encrypt your email with your teacher's
public key. You can do this using the following command:

gpg --encrypt --recipient hieubd@vnu.edu.vn hieuvickpublickey.txt

Sign emails: To ensure that an email comes from you, you should sign it with
your private key. You can do this using the following command:
gpg --sign hieuvickpublickey.txt.gpg

Send email: Finally, you can send an encrypted and signed email to your
teacher.