James Madison University, Fall 2022 Semester
Lab05: Telnet vs ssh, encryption
Background
This lab ties together what you've learned over the past several weeks about operating systems, computer networks, and information security. We will review the basics of interacting with an OS and connecting to remote machines. Then we will explore how encryption works and optionally create your own public/private key pair.
There is no lab worksheet today. Instead, you will create a file to supply your answers and submit it (nano will create the file if it doesn't already exist). Your file must be named yournamesummary.txt and include your name at the top. There are two parts to the lab to include in your file:
- Write two paragraphs that summarize what you have learned. Discuss what was interesting or challenging about the lab.
- Answer the italicized questions below.
Part 1: Hello, Telnet!
For part 1, you will need to use telnet. Test if you have telnet on your machine.
Start a terminal on your machine and see if telnet is available by typing telnet and pressing return.
If it is available, you will see the telnet prompt; type quit to get out of telnet.
If you get the message "command not found" or something like "unknown command", ssh to student.cs.jmu.edu. That would be ssh simmonsj@student.cs.jmu.edu, where simmonsj is your eid. You are now on a machine that has telnet.
Telnet is an application for sending/receiving plain text over the Internet (see Wikipedia article). Many protocols including HTTP are built on top of plain text communication.
- Enter the command telnet google.com 80 from the terminal. What do the arguments for telnet mean? The link above to Wikipedia may prove to be helpful, or search for telnet to learn more. 80 is called a port number; you can look up (aka google) "well-known port numbers".
- Now type the HTTP command GET / HTTP/1.0 and press the enter key twice (i.e., HTTP requires a blank line at the end of the request). What are the two arguments for a GET request? This is also a good time to perform an internet search; try a search on GET HTTP.
- Note the HTML response.
- What happens if you telnet student.cs.jmu.edu 22 using port 22? What type of server is running on port 22?
Although telnet is an option for communicating with a server process, it is a security risk and not recommended if any sensitive data, e.g., a password, is being transmitted on the network. The data exchanged between telnet and the server process is all in plain text. We will now explore how to make data secure.
Part 2: AES Encryption
Advanced Encryption Standard is a symmetric-key encryption scheme used by governments worldwide. The mathematics of this algorithm are beyond the scope of this class, but let's take a look at how AES works.
- You will need to convert messages into different numeric formats. Fortunately there is a nifty converter website that will convert them automatically. Type in a text message and view all the different numeric representations of your text. What is the ASCII (remember this will be the same as the hexadecimal) for the text "Secret!"? What is the decimal (base 10) for this text?
- Devglan provides an encryption and decryption tool on their website.
- With Devglan, first, let's encrypt a message. You will also need to specify a "secret" that is 128, 192 or 256 bits long, or 16, 24 or 32 bytes long. You need to make up your own "secret" key. Each character typed into the key represents a byte. Type a message, select mode ECB, and enter your secret key. Specify the output format to be hex. Now encrypt your message. Notice hex is generated. Go to converter to see what this hex may represent. It's OK if it is rubbish.
- Now, let's decrypt the message. Copy the generated hex into the decryption part of the tool, select hex, ECB mode, size 128 and enter your secret key. Notice your output is in base 64. Copy your output and go to converter and paste it into the BASE64 box. Notice the text. Did you get back your original message? Notice that on the Decryption calculator there is a button to decode to plain text - check that out.
- I have a secret message for you as well. Note the message is extremely long. You need to copy the entire line. The key is ni893$q0p?dkfhie and the message is:
8DCB5875B00C421EEB2102BFC362A82C4B01517E2694614C90A3838EBB35E6285E68A36E24AA10EC1E539175927B15AE9AAEF6CD102F7ECCC2AC6A379DB481797CEDEA7A9388891080F4383A09C667E5556ECD9EE7BE379D8154072339CD8E8DEA4EF1171BE4F760371EA31D68323EC5131E207A34ABF0793FA270757F9DA1AA172B27A2B8C3E9ADEEECC3D15A0C13F8FB41495CFF153395221F26962988DFB4A38113B862E50E5DD98D73B55F122A52E2F110AA81FAEDF7172AA34BC3B09FBB
I suggest copying the decoded BASE64 into converter to see the entire message. Which joke was your favorite?
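What the encrypt and decrypt steps in Part 2 do, as an added Python example that is not part of the original lab: it checks the key length in bytes, encrypts with AES in ECB mode to hex, decrypts again, and counts repeated ciphertext blocks, which ECB produces whenever plaintext blocks repeat. It assumes the third-party cryptography package and PKCS#7 padding (which may differ from the web tool's); the key and message are constructed samples.

```python
from cryptography.hazmat.primitives import padding  # third-party package
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size in bytes (the same for 128-, 192- and 256-bit keys)


def key_from_text(secret: str) -> bytes:
    """Turn a typed secret into key bytes; AES accepts only 16, 24 or 32 bytes."""
    key = secret.encode("utf-8")  # a non-ASCII character takes more than one byte
    if len(key) not in (16, 24, 32):
        raise ValueError(f"key is {len(key)} bytes; AES needs 16, 24 or 32")
    return key


def encrypt_ecb_hex(message: str, secret: str) -> str:
    """Pad, encrypt each 16-byte block independently (ECB), return uppercase hex."""
    padder = padding.PKCS7(BLOCK * 8).padder()  # assumption: PKCS#7 padding
    padded = padder.update(message.encode("utf-8")) + padder.finalize()
    enc = Cipher(algorithms.AES(key_from_text(secret)), modes.ECB()).encryptor()
    return (enc.update(padded) + enc.finalize()).hex().upper()


def decrypt_ecb_hex(cipher_hex: str, secret: str) -> str:
    """Reverse encrypt_ecb_hex: hex -> bytes -> decrypt -> strip padding -> text."""
    dec = Cipher(algorithms.AES(key_from_text(secret)), modes.ECB()).decryptor()
    padded = dec.update(bytes.fromhex(cipher_hex)) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK * 8).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


def repeated_blocks(cipher_hex: str) -> int:
    """Count ciphertext blocks that duplicate an earlier one (the ECB weakness)."""
    step = 2 * BLOCK  # hex characters per 16-byte block
    blocks = [cipher_hex[i:i + step] for i in range(0, len(cipher_hex), step)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    secret = "constructed-key!"        # constructed 16-character sample key
    message = "HELLO CS STUDENT" * 3   # constructed: three identical 16-byte blocks
    cipher_hex = encrypt_ecb_hex(message, secret)
    print(cipher_hex)
    print("repeated blocks:", repeated_blocks(cipher_hex))
    print(decrypt_ecb_hex(cipher_hex, secret))
```

Because identical plaintext blocks encrypt to identical ciphertext blocks, ECB reveals structure in the message even without the key; modes that use a fresh IV or nonce per message do not.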
Part 3: SSH Using Keys
For this section to begin, you should have a terminal active on your own laptop or machine and not be ssh'ed onto another machine. If the command scp is not available on your machine, you should log onto one of the lab machines.
In a later step, you will need to run ssh-keygen on your own machine; this command should be available on Windows, Linux and macOS.
Recall, the first time you ran ssh (see Lab04), you likely encountered the following security warning:
The authenticity of host 'l24802.cs.jmu.edu (134.126.20.102)' can't be established.
ECDSA key fingerprint is e5:7f:6d:62:90:f8:11:e6:5a:04:80:af:d9:65:c6:3a.
Are you sure you want to continue connecting (yes/no)?
- If you typed the word yes, the ssh program created (or appended to) the file ~/.ssh/known_hosts. Note this file is in a hidden .ssh directory under your home directory. What is currently in your .ssh directory? Using the command ls -lh (on Windows, use dir), what is the size of the known_hosts file (the number given in the listing)? You may not have this file yet.
- Use the following command to "secure copy" the file /cs/shr/cs101/known_hosts on the student server into your ~/.ssh directory. This file contains the IP addresses and public keys of all lab machines in the CS department (ISAT/CS rooms 248 and 250). Note that you should be in a terminal on your local machine, not student.
scp student.cs.jmu.edu:/cs/shr/cs101/known_hosts ~/.ssh
Look in your .ssh directory (that is, on your local machine, not stu). What is listed (use dir on Windows)? Then ssh to student.cs.jmu.edu. What is in the .ssh directory there? Using the command ls -lh on student.cs.jmu.edu, what is the size of the known_hosts file (the number given in the listing)?
- By default when you ssh to another machine, you must log in with your JMU username and password. Alternatively, you can authenticate using a public and private key pair. On your local machine, run the command ssh-keygen to create your own keys. Again, this command should be executed on your machine. Below is an example. You can simply press enter for each prompt.
ssh-keygen -C "Generated YYMMDD"
where YYMMDD is the date. (Note: The -C flag simply inserts a comment that is useful when trying to identify key pairs.) By default, ssh-keygen will generate a key with 2048 bits. This can be changed using the -b flag.
Go to your .ssh directory. What files are in the directory now? Use ls -l (dir on Windows). Who can read your private key? Who can read your public key?
This will create two files, one named id_rsa (your private key) and one named id_rsa.pub (your public key). As the name implies, you should not give your private key to anyone, but you can give your public key to anyone without risk.
- In order to use your private key to log into a server, you need to place a copy of your public key on that server. Fortunately our lab machines all use the same network file system, so you can simply copy the public key to the student server. Run the following command on the machine where you generated the keys, replacing simmonsj with your userid:
ssh-copy-id -i ~/.ssh/id_rsa.pub simmonsj@student.cs.jmu.edu
This will copy the content of the public key to the file authorized_keys in the directory ~/.ssh on student.cs.jmu.edu. Go to student.cs.jmu.edu and check that the authorized_keys file has been created.
Log out of all machines using exit. Now log onto the student server. What happens?
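The host-key check behind the security warning and the known_hosts file in Part 3, as an added Python example that is not part of the original lab: it computes a key's fingerprint in the colon-separated MD5 form shown in the warning and in the SHA256 form newer OpenSSH versions print, then compares the key a server presents with the one stored for that host. The host names, the address 192.0.2.10 and the key bytes are constructed samples, not real lab machines.

```python
import base64
import hashlib
import struct


def fingerprints(key_b64: str) -> tuple:
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a public key blob."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    md5_fp = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    sha_fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha_fp


def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) to the base64 key for every readable entry."""
    known = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host names.
        if len(fields) >= 3 and not fields[0].startswith(("#", "@", "|")):
            for name in fields[0].split(","):
                known[(name, fields[1])] = fields[2]
    return known


def check_host(known: dict, host: str, key_type: str, presented_b64: str) -> str:
    """Compare the key a server presents with the one on file for that host."""
    stored = known.get((host, key_type))
    if stored is None:
        return "unknown"  # the case where ssh asks "Are you sure ... (yes/no)?"
    return "match" if stored == presented_b64 else "MISMATCH"


def sample_key(seed: int) -> str:
    """Build a constructed ssh-ed25519 key blob (not a real host key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(blob).decode()


GOOD, OTHER = sample_key(1), sample_key(2)
SAMPLE = f"# constructed file\nlab-host.example,192.0.2.10 ssh-ed25519 {GOOD}\n"

if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE)
    print(fingerprints(GOOD))
    for host, key in (("lab-host.example", GOOD), ("lab-host.example", OTHER)):
        print(host, check_host(known, host, "ssh-ed25519", key))
```

Copying a trusted known_hosts file ahead of time, as the scp step does, means the first connection to a lab machine is a "match" or "MISMATCH" decision rather than an "unknown" one that relies on the user typing yes.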