Project Title:

DIGITAL ASSIGNMENT 4

Cryptography and Network Security

Lab
(BCSE309P)

Submitted by:
Prakshaal Jain
21BCE2735

Submitted to:
Prof. Dr. N. Balaji
Q1. Develop a simple client and server
application using SSL socket
communication.
SSL/TLS is a cryptographic protocol designed to provide
secure communication over a network. It ensures the
confidentiality and integrity of data transmitted between a
client and a server. SSL/TLS operates by establishing a
secure connection between the client and server through a
process called the handshake, which involves the following
steps:
1. Client Hello: The client sends a message to the server
indicating which cryptographic algorithms and
protocols it supports.
2. Server Hello: The server responds with its own
message, selecting the highest version of SSL/TLS
supported by both parties and choosing a cipher suite
for encryption.
3. Key Exchange: The client and server agree on a
method to exchange cryptographic keys securely. This
could involve asymmetric encryption (such as RSA)
for key exchange, or Diffie-Hellman key exchange.
4. Certificate Exchange: The server sends its digital
certificate to the client, which contains the server's
public key and other identifying information. The
client verifies the certificate to ensure the server's
authenticity.
 5. Session Key Generation: Both parties generate a
shared session key based on the exchanged keys,
which will be used for symmetric encryption and
decryption of data during the session.
6. Encrypted Data Transfer: Once the handshake is
complete, data transmission occurs securely using
symmetric encryption with the shared session key.
Algorithms:
Server Side:
1. Key Exchange Algorithm: Common key exchange
algorithms used on the server side include:
• RSA (Rivest-Shamir-Adleman): Used for both

encryption and digital signatures.

• Diffie-Hellman (DH): Used for secure key

exchange without directly transmitting the key.

2. Cipher Suites: The server selects a cipher suite during
the handshake, which includes algorithms for
encryption, integrity, and authentication. Common
cipher suites include:
• AES (Advanced Encryption Standard): A

symmetric encryption algorithm widely used for

its security and efficiency.
• HMAC (Hash-Based Message Authentication

Code): Used for integrity checks.

• RSA or ECDSA (Elliptic Curve Digital Signature

Algorithm): Used for digital signatures.

3. Digital Certificate: The server presents its digital
certificate during the handshake, which includes:
• Public key for encryption and key exchange.

• Server's identity information (e.g., domain name).

 • Digital signature from a trusted Certificate
Authority (CA) to verify authenticity.
Client Side:
1. Key Exchange Algorithm: The client must support
the key exchange algorithm chosen by the server (e.g.,
RSA or Diffie-Hellman).
2. Cipher Suites: The client also supports various cipher
suites, and during the handshake, it agrees on a cipher
suite with the server based on mutual support.
3. Certificate Verification: The client verifies the
server's digital certificate during the handshake to
ensure the server's authenticity. This involves:
• Checking the certificate's validity period.

• Verifying the digital signature with the CA's

public key.
• Checking the certificate's chain of trust.

CODE:

SERVER’s Application:
import socket
import ssl

# Server settings
HOST = 'localhost'
PORT = 12345
CERTIFICATE = 'server.crt'
PRIVATE_KEY = 'server.key'

# Create SSL context

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=CERTIFICATE,
keyfile=PRIVATE_KEY)

# Create socket
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as
server_socket:
server_socket.bind((HOST, PORT))
server_socket.listen(1)
print("Server listening on {}:{}".format(HOST, PORT))

# Wrap socket with SSL

with context.wrap_socket(server_socket, server_side=True) as
ssl_socket:
conn, addr = ssl_socket.accept()
print('Connected by', addr)
with conn:
while True:
data = conn.recv(1024)
if not data:
break
conn.sendall(data)
CLIENT’s Application:

import socket
import ssl

# Server settings
HOST = 'localhost'
PORT = 12345
CERTIFICATE = 'client.crt'
PRIVATE_KEY = 'client.key'

# Create SSL context

context =
ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
context.load_cert_chain(certfile=CERTIFICATE,
keyfile=PRIVATE_KEY)

# Connect to server
with socket.create_connection((HOST, PORT)) as client_socket:
# Wrap socket with SSL
with context.wrap_socket(client_socket,
server_hostname=HOST) as ssl_socket:
message = b"Hello, server!"
ssl_socket.sendall(message)
data = ssl_socket.recv(1024)
print('Received:', data.decode())

INPUT / OUTPUT:
Q2. The goal of this task is to give you a
better understanding of Certificate
Authorities
(CA) and certificates.
Take a look at the CAs certificates that your
computer trusts.
● Windows: Control Panel -> Search
‘Internet Options’ -> Content -> Certificates
Answer these questions:
1. How many root CA certificates does your
computer have?
2. What is something that you found
interesting from looking at the root CA
certificates?
3. Go to google.com using your favourite
browser, and find a way to look at the
certificates for google.com. List the chain of
certificates your browser sees.
4. What is a possible risk of trusting a CA?
Solution:

1. There are in total of 39 Root CA

Certificates in my system.

2. When exploring Root CA

certificates, you may encounter
certificates issued by well-known
companies and organizations such as
Google and GoDaddy. These entities
are renowned for their involvement
in providing internet services and
infrastructure.

For example, you might come across

the "Google Trust Services -
GlobalSign Root CA-R2" certificate
issued by Google Trust Services, a
subsidiary of Google LLC. This
certificate is part of Google's efforts
to ensure secure communication
across its various services and
platforms.

Similarly, you might encounter

certificates issued by GoDaddy, one
of the largest domain registrars and
web hosting companies in the world.
An example could be the "Go Daddy
Class 2 Certification Authority"
certificate, which is used to validate
 the authenticity of certificates issued
by GoDaddy.

These certificates issued by

prominent companies like Google
and GoDaddy serve as pillars of trust
in the digital realm, underpinning
secure communication and
transactions on the internet. They
highlight the role of industry leaders
in maintaining the integrity and
security of the online ecosystem.

Diversity of Issuers: Upon examining

the list of Root CA certificates, one will
notice a diversity of entities issuing them.
Some certificates are issued by well-
known companies or organizations, while
others may be from less familiar entities.
Trusted Entities: Regardless of
familiarity, all Root CA certificates are
trusted by the computer's operating
system or browser. This trust is essential
for establishing secure connections and
verifying the authenticity of digital
certificates presented by websites.
Digital Signatures: Each Root CA
certificate contains a digital signature
generated by the issuing CA. This
signature is used to validate the
certificate's authenticity and integrity.
Certificate Details: Root CA certificates
contain information such as the issuer's
name, the certificate's validity period, and
the cryptographic algorithms used.
Hierarchy of Trust: Root CA certificates
form the topmost layer in the hierarchical
structure of certificate chains. They are
used to validate the authenticity of
intermediate certificates, which in turn
validate server certificates presented by
websites.

3. Go to google.com using your

favourite browser, and find a way to
look at the certificates for
google.com. List the chain of
certificates your browser sees.

In your browser, navigate to

google.com.

Click on the padlock icon in the

address bar (usually located on the
left side).
Select "Certificate" or "Certificate
Information".
This will open a window showing the
certificate details. Look for the
"Certificate Chain" or "Certificate
Hierarchy" section to see the chain of
certificates.

Typically, you'll see the server

certificate (issued to google.com),
followed by one or more
intermediate certificates, and finally
the root certificate.
4. Trusting a Certificate Authority (CA)
is fundamental to the security
infrastructure of the internet.
However, this trust also poses certain
risks that must be carefully managed
to maintain the integrity of the
system.
Compromise of CA's Private Key:
One of the most significant risks is
the compromise of a CA's private
key. The private key is a critical
component used to sign digital
certificates issued by the CA. If an
attacker gains unauthorized access to
the CA's private key, they can
generate fraudulent certificates that
appear to be legitimate. These
fraudulent certificates can then be
used to impersonate websites or
services, effectively conducting man-
in-the-middle attacks. In such
scenarios, users may unknowingly
communicate sensitive information
 to the attacker, believing they are
interacting with a trusted entity.
Issuance of Fraudulent Certificates:
Another risk is the issuance of
fraudulent certificates by a compromised
or untrustworthy CA. If a CA's systems
are compromised, or if the CA itself is
coerced or manipulated by malicious
actors, it may issue certificates
illegitimately. These fraudulent
certificates can be used to create fake
websites or services that appear
authentic, deceiving users into
disclosing confidential information or
engaging in transactions with impostors.
Such incidents undermine the
trustworthiness of the entire certificate
system and erode confidence in online
security.
Coerced or Compromised CAs: CAs
operate within a complex ecosystem
that includes legal, regulatory, and
geopolitical factors. In some cases,
CAs may come under pressure from
governments or other entities to issue
certificates under duress. This
coercion can lead to the issuance of
certificates that compromise user
privacy or enable surveillance
activities. Additionally, CAs may be
targeted by sophisticated cyber
attacks aimed at compromising their
systems or personnel. These attacks
can result in the unauthorized
issuance of certificates and the
exploitation of trust relationships
within the certificate hierarchy.
Lack of Oversight and
Accountability: The trust placed in
CAs relies on the assumption that
they adhere to rigorous security
standards and practices. However,
 there have been instances where CAs
have failed to meet these standards,
either due to negligence,
incompetence, or malicious intent. In
such cases, there may be insufficient
oversight and accountability
mechanisms to detect and address
breaches of trust. This lack of
transparency can undermine
confidence in the entire certificate
ecosystem and raise doubts about the
reliability of digital certificates.
To mitigate these risks, it is essential for
CAs to implement robust security
measures, adhere to industry standards
and best practices, undergo regular
audits and assessments, and maintain
transparency and accountability in their
operations. Additionally, users and
organizations should exercise caution
when interacting with digital
certificates, verify the authenticity of
certificates before trusting them, and
employ additional security measures
such as certificate pinning and
certificate transparency to enhance their
resilience to attacks. By addressing these
challenges proactively, stakeholders can
uphold the trustworthiness and integrity
of the certificate infrastructure and
ensure the security of online
communications and transactions.