
Analyzing SSL packets with Wireshark Unit 5


IT543-4: Design an implementation of cryptographic methods for an organization.

Assignment Instructions:

Perform the lab described in the zip folder Wireshark — Capturing SSL Packets.

Follow the directions, perform the indicated instructions, and provide the requested information.

Take screenshots of each step to show that you are working through the steps.

Instructions are 

IT 543 Encrypted Email.pcapng

[email protected] (0xD62BE570) rev.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
Comment: A revocation certificate should follow

iQIfBCABAgAJBQJUMsW/Ah0CAAoJEP5DV7HWK+Vw4P4P/2aK0GvQrfGfu+wpT6Gv
xjTfiL3L2u1OuIAK/xiNF/Q8l2896XymAEimNbpGY+TbgCcRuV7+yWL8iFU6mkBk
3T+1MheGuuM/zN3SqQiqcqsuKfyXY5UYqqqKecrzkAubGtCwnLSbCJYw1OoBY/U1
+NRNJaKxN7bjfhYAkBMxSTuPrDU7dtLzKQnNAruP/2eCmBLHkHxPWvINSd4Hxytc
MQ4nM8uS6Xal2o4ptVh0I/tdaUlUytKAWkoqPRK3kZ4M61WAQG2MX7fUZh+CCl0u
AvOo0GAmrXsd22ERUCoCaok9S72IIC1Rd0tR8zRDnhixFCMDbSGb+X19/No4js0v
8TfrcA7fRbJCp5x42HVzwMQMVAWQpzRZcIhOtWQdWJPRwOlgoUrmf9gtTyhTCVc6
7RBz46IGJywUmlW4CQVny3f7lYVmmQTknjEuToRxfMpXK3jXH/RwYMnm+Ln+RzpD
VITq3IyNfMm8UKbWO1zRMhUFtmm70LMCzXTYCJ6SFsKks7LoZi5XxButbEAL+cMb
hIlWK0S4fdtIlfT6TgaxkHmcAzx5zHOFZ0WdamtCjjj2/lQHR1rTP3TuOmzc6nhX
ZVy8UYm5CzRT+QFDQEq/39c7qksFcysGOiPm/KJr83vOO++sewATKVU1rD3WHDdA
s3OfuBCXF4eNkUs+CrbwFepM
=Ity2
-----END PGP PUBLIC KEY BLOCK-----

Wireshark – Capturing SSL packets.docx

Analyzing SSL packets with Wireshark

Section 1: Analyzing an SSL connection

1. Obtain and install the latest version of Wireshark ( https://www.wireshark.org/download.html).

2. If you aren’t sure which version of Wireshark is compatible with your own operating system, please go to the Technical Support Center (the link is on the left-hand side of the courseroom in the navigation links) and ask them to walk you through the process.

3. DO NOT INSTALL WIRESHARK ON A SYSTEM AT YOUR WORKPLACE WITHOUT WRITTEN PERMISSION FROM YOUR SUPERVISOR.

4. Once you have Wireshark properly installed, start the software:

Figure 1 . Selecting the interface

Figure 2. Start the capture

5. Point your browser at https://www.httpsnow.org/ and count to three.

6. Stop the capture:

Figure 3. Stop the capture

7. Filter the packets (type ssl in the display-filter bar, or tls in Wireshark 3.0 and later, so that only the SSL/TLS handshake and record traffic is shown):

Figure 4. Filter the packets

8. SSL (today, TLS) sets up an encrypted connection by performing a “handshake” between a client and a server, in which the two sides agree on a cipher suite and establish the session keys before any application data is sent. The handshake begins with a “Client Hello”:

Figure 5. The SSL Handshake Process

9. Click once on the first Client Hello packet:

Figure 6. The Client Hello Packet

Figure 7. Examining Packet Contents

10. In your packet capture, does the first Client Hello packet provide information on the cipher suites that your system can support?

11. Select the first cipher suite in the list; what is the public-key (key-exchange and authentication) algorithm? What is the symmetric-key algorithm? What is the hash algorithm? All three can be read off the suite name, which follows the pattern TLS_<key exchange>_WITH_<cipher>_<hash>.

12. Find the first Server Hello packet:

Figure 8. The Server Hello Packet

13. From the set of cipher suites “offered” by the client during the handshake, which cipher suite has the server in your capture selected?

14. Note the Random field in the Server Hello packet. The Random Bytes sub-field contains an arbitrary set of numbers; this is called a “nonce”. What purpose does a nonce serve during the handshake process? Does the Client Hello packet that you examined previously also contain a nonce?

Section 2: Examining encrypted e-mail

For this section of the lab, the traffic of an encrypted email exchange was captured and saved in a trace file. The email client is Mozilla Thunderbird; the message was encrypted with GnuPG through Enigmail (an OpenPGP add-on for Thunderbird). What the trace shows is the SSL/TLS session between Thunderbird and the mail server, inside which the already PGP-encrypted message travels.

1. Download the “IT 543 Encrypted Email.pcapng” trace file, also available in this zipped folder.

2. Double-click the IT 543 Encrypted Email.pcapng trace file to open the file in Wireshark.

3. Select the first Client Hello packet in the trace file.

a) How many cipher suites are supported by this email client?

4. Select the first Server Hello packet in the trace file.

a) Which cipher suite did the remote email server choose for the exchange?

5. Select the first Certificate packet (Wireshark often shows it as one frame labelled Server Hello, Certificate, Server Key Exchange, Server Hello Done). Expand the Secure Sockets Layer section (called Transport Layer Security in Wireshark 3.0 and later) in the packet-details pane in the center of the Wireshark screen. Within it, expand the Server Key Exchange message and then its Diffie-Hellman Server Params section.

a) What is the length of the Public Key?

b) What Signature Hash Algorithm is used?

c) Within that Signature Hash Algorithm entry, what Signature algorithm is used (the field Wireshark labels Signature Hash Algorithm Signature, for example RSA or ECDSA)?

d) What is the length of the signature?

6. Select the first Application Data packet. Find the Transmission Control Protocol section.

a) What is the SRC (source) port for this packet?

b) Which protocol is used by this port?

7. Decrypting the captured email traffic with Wireshark is possible only if a number of requirements are met.

Wireshark can decrypt SSL/TLS traffic from the server's private key only when the negotiated cipher suite uses RSA key exchange. In that case the client encrypts the pre-master secret with the server's RSA public key; given the matching private key, Wireshark recovers the pre-master secret and derives the same session keys the two endpoints use. With an ephemeral key exchange (Diffie-Hellman Ephemeral, DHE or ECDHE, or the old ephemeral-RSA export suites) the server's RSA key only signs the ephemeral parameters; the session keys are never transmitted under it, so the data is not recoverable from that key.

a) If a DHE, ECDHE or RSA-ephemeral cipher suite is used, even if you have the correct RSA private key, you will not be able to decrypt the data with Wireshark.

b) When checking the Server Hello packet, if the cipher suite specified begins TLS_DHE, TLS_ECDHE, SSL_DHE or SSL_ECDHE, you will not be able to decrypt the data this way.

c) If the server sends a ServerKeyExchange message (Wireshark shows its contents as, for example, Diffie-Hellman Server Params or EC Diffie-Hellman Server Params), you will not be able to decrypt the data with the private key alone.

The one alternative is to give Wireshark the session secrets directly rather than the private key: NSS-based clients such as Firefox write them to the file named by the SSLKEYLOGFILE environment variable, and Wireshark reads that file through its (Pre)-Master-Secret log filename preference. This works whatever the key exchange, but only if the log was being written while the traffic was captured. Note also that there are two layers of encryption in this trace: decrypting the TLS session would expose the mail protocol exchange, but the message body itself was separately OpenPGP-encrypted by Enigmail and would still require the recipient's PGP private key.

Given these parameters, would you be able to decipher the e-mail message captured in the IT 543 Encrypted Email.pcapng trace file? Why or why not?
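The following Python is an added example, not part of the lab handout or of the lab's capture; it does on constructed bytes what steps 8 to 14 of Section 1 and step 7 of Section 2 have you do by eye in Wireshark. It builds a TLS 1.2 ClientHello and ServerHello in memory (the Random fields are fixed bytes and the offered suites are a made-up list), parses the record and handshake framing, reads the cipher-suite list, the chosen suite and the Random field, splits an IANA suite name into its key-exchange, cipher and hash parts, and applies the step 7 rule to decide whether the server's RSA private key would let Wireshark decrypt the session. The small cipher-suite table is an assumption: it covers only the codes used here, not everything a real capture may contain.

```python
"""Decode TLS ClientHello/ServerHello records the way the lab reads them in Wireshark.

Added example, not the lab's own material. The handshake bytes are constructed
below (no capture is read) and the cipher-suite table is a small subset.
Record and handshake framing follow RFC 5246 (TLS 1.2).
"""
import struct

# IANA cipher-suite codes (assumed subset; a real capture will contain others).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}
HANDSHAKE = 22                      # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2   # handshake message types


def describe_suite(code):
    """Split an IANA suite name into the three algorithms the lab asks about (step 11)."""
    name = CIPHER_SUITES.get(code, "unknown_0x%04X" % code)
    if "_WITH_" not in name:
        return {"code": code, "name": name, "key_exchange": "?", "cipher": "?", "hash": "?"}
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    cipher, mac = rest.rsplit("_", 1)
    return {"code": code, "name": name, "key_exchange": kx, "cipher": cipher, "hash": mac}


def parse_hello(record):
    """Parse one TLS record carrying a ClientHello or ServerHello."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    random = body[2:34]                 # Wireshark: 4-byte GMT Unix Time + 28 Random Bytes
    pos = 35 + body[34]                 # skip session-id length byte and session id
    info = {"version": body[0:2], "random": random,
            "gmt_unix_time": struct.unpack("!I", random[:4])[0], "random_bytes": random[4:]}
    if hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["type"] = "ClientHello"
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    elif hs_type == SERVER_HELLO:
        info["type"] = "ServerHello"
        info["cipher_suite"] = struct.unpack("!H", body[pos:pos + 2])[0]
    else:
        raise ValueError("handshake type %d is not a Hello" % hs_type)
    return info


def decryptable_with_server_key(suite_code, saw_server_key_exchange):
    """Section 2 step 7 rule: only static RSA key exchange lets Wireshark derive the
    session keys from the server's RSA private key; any (EC)DHE suite, or a
    ServerKeyExchange message, means the private key alone is useless."""
    return describe_suite(suite_code)["key_exchange"] == "RSA" and not saw_server_key_exchange


# --- constructed sample handshake (not from the lab's capture) -----------------
def build_client_hello(suites, client_random):
    body = b"\x03\x03" + client_random + b"\x00"              # TLS 1.2, Random, empty session id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00" + b"\x00\x00"                          # null compression, no extensions
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite, server_random):
    body = b"\x03\x03" + server_random + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


CLIENT_RANDOM = bytes(range(32))        # fixed (not random) so the example is reproducible
SERVER_RANDOM = bytes(range(32, 64))
OFFERED = [0xC02B, 0xC02F, 0x009E, 0x009C, 0x0033, 0x002F]
CLIENT_HELLO_RECORD = build_client_hello(OFFERED, CLIENT_RANDOM)
SERVER_HELLO_RECORD = build_server_hello(0xC02F, SERVER_RANDOM)


def analyze(client_record, server_record, saw_server_key_exchange):
    """Answer steps 10-14 of Section 1 and step 7 of Section 2 for one handshake."""
    ch, sh = parse_hello(client_record), parse_hello(server_record)
    chosen = sh["cipher_suite"]
    return {
        "offered": [describe_suite(c)["name"] for c in ch["cipher_suites"]],
        "first_offered": describe_suite(ch["cipher_suites"][0]),
        "chosen": describe_suite(chosen),
        "server_honoured_offer": chosen in ch["cipher_suites"],
        # Each side's Random is a nonce: fresh per handshake, so replaying an old
        # hello cannot reproduce the same session keys; the two must never match.
        "nonces_fresh": ch["random"] != sh["random"] and len(ch["random_bytes"]) == 28,
        "rsa_private_key_suffices": decryptable_with_server_key(chosen, saw_server_key_exchange),
    }


if __name__ == "__main__":
    for k, v in analyze(CLIENT_HELLO_RECORD, SERVER_HELLO_RECORD, saw_server_key_exchange=True).items():
        print(k, "=", v)
```

Run it directly to print the analysis of the constructed handshake; to use it on a real record, select the handshake record in Wireshark, use Copy > as a Hex Stream, and pass the resulting bytes to parse_hello. With an RSA suite chosen and no ServerKeyExchange seen, rsa_private_key_suffices comes back True; with the ECDHE suite chosen here it is False, which is the step 7 situation.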
