Dell Latitude D600 Nr 1 (tybble)
- gentoo base system
- harddisk: 1G swap (hda1), 20G system (hda2)
- ip eth0: 10.1.1.2, hostname: tybble
- ntp, emacs, screen, xorg-x11, openssh, pciutils, lynx, firefox
- wlan card: Intel Corporation PRO/Wireless LAN 2100 3B Mini PCI Adapter
  kernel 2.6.22.9: Device Drivers -> Network device support -> Wireless LAN -> Wireless LAN (IEEE 802.11) -> Intel PRO/Wireless 2100 Network connection
- wireless-tools
- download the firmware of the wlan card from http://ipw2100.sf.net and untar it to /lib/firmware
- if iwlist does not work, press fn - f2 to enable the card

Dell Latitude D600 Nr 2 (korsby)
- gentoo base system
- harddisk: 1G swap (hda1), 20G system (hda2)
- ip eth0: 10.1.1.3, hostname: korsby
- ntp, screen, emacs, openssh, pciutils, lynx, firefox
- wlan card: Intel Corporation PRO/Wireless LAN 2100 3B Mini PCI Adapter
  kernel 2.6.22.9: Device Drivers -> Network device support -> Wireless LAN -> Wireless LAN (IEEE 802.11) -> Intel PRO/Wireless 2100 Network connection
- wireless-tools
- download the firmware of the wlan card from http://ipw2100.sf.net and untar it to /lib/firmware
- if iwlist does not work, press fn - f2 to enable the card

Dell Latitude (old) (kulla)
- gentoo base system
- harddisk: 1G swap (hda1), 10G system (hda2)
- ip eth0: 10.1.1.4, hostname: kulla
- wlan card: 3c59x
- ntp, screen, emacs, xorg-x11, pciutils, lynx, firefox, wireless-tools, pcmciautils, ndiswrapper
- enable pcmcia support in the kernel (modules pcmcia_core, pcmcia, yenta_socket)
++++++++ not needed anymore +++++++++++++++++++++++++++++++++
- download the driver TrueMobile 1300 (BCM4306 - 802.11b+g) from http://www.linuxant.com/driverloader/drivers.php
- unzip it and install it: ndiswrapper -i bcmwl5.inf
- update-modules
- modprobe ndiswrapper
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Lenovo R61 (basisk)
- ubuntu server
- ip eth0: 10.1.1.5, hostname: basisk
- wlan card: iwl4965
- installed manually: openssl-tpm-engine, tpm-tools, trousers, wpa_supplicant

oooooooooo Setup FreeRADIUS oooooooooooooooooooooooooooooooo
- emerge freeradius
- http://gentoo-wiki.com/Freeradius
- all the certificates can be found in /etc/raddb/certs -> mv all the old files into a new directory called no-use (for backup reasons)
- cp cacert.pem and kulla_keycert.pem into certs with the following permissions:
========================
kulla certs # ls -la
total 16
drwxr-xr-x 3 root    radiusd   60 Nov 15 14:40 .
drwxr-x--- 3 root    radiusd 4096 Nov 14 14:24 ..
-r--r--r-- 1 root    users   3050 Nov 15 14:40 cacert.pem
-r-------- 1 radiusd users   1847 Nov 15 14:40 kulla_keycert.pem
========================
- change to /etc/raddb/certs and create the Diffie-Hellman parameters file:
===================================
kulla certs # openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time
.......................++*++*++*++*++*++*
DH parameters appear to be ok.
kulla certs #
====================================
- change to /etc/raddb/certs and create a file that contains a random bitstream:
====================================
kulla certs # dd if=/dev/random of=random count=2
0+2 records in
0+1 records out
46 bytes (46 B) copied, 66.4183 s, 0.0 kB/s
kulla certs #
=====================================
- rights of the new files:
=====================================
kulla certs # ls -la
total 24
drwxr-xr-x 3 root    radiusd   82 Nov 15 16:02 .
drwxr-x--- 3 root    radiusd 4096 Nov 14 14:24 ..
-r--r--r-- 1 root    users   3050 Nov 15 14:40 cacert.pem
-r-------- 1 radiusd users    466 Nov 15 15:59 dh
-r-------- 1 radiusd users   1847 Nov 15 14:40 kulla_keycert.pem
drwxr-xr-x 3 root    root    4096 Nov 15 14:38 no-use
-r-------- 1 radiusd users     46 Nov 15 16:03 random
kulla certs #
=======================================
- change to /etc/raddb and modify eap.conf:
===========================================
...
default_eap_type = tls
...
#tls {
tls {
#       private_key_password = whatever
#       private_key_file = ${raddbdir}/certs/cert-srv.pem
        private_key_password =
        private_key_file = ${raddbdir}/certs/kulla_keycert.pem

        #  If Private key & Certificate are located in
        #  the same file, then private_key_file &
        #  certificate_file must contain the same file
        #  name.
#       certificate_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/kulla_keycert.pem

        #  Trusted Root CA list
#       CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        CA_file = ${raddbdir}/certs/cacert.pem

        #
        #  For DH cipher suites to work, you have to
        #  run OpenSSL to create the DH file first:
        #
        #       openssl dhparam -out certs/dh 1024
        #
#       dh_file = ${raddbdir}/certs/dh
#       random_file = ${raddbdir}/certs/random
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
======================================================
- go to /etc/raddb and change clients.conf:
=====================================================
client 10.1.1.10/24 {
        secret    = IrgendeinSchlechtesPW
        shortname = linksys
}
=====================================================
- start FreeRADIUS in the foreground: radiusd -X
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

IBM CA
- make sure openssl is installed
- become root and change to /etc/ssl
- edit openssl.cnf:
====================================================================
[ CA_default ]
dir = ./eaptlsCA              # Where everything is kept
...
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CH
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Fribourg
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = University of Fribourg
========================================================================
- change to /etc/ssl/misc and modify CA.sh:
=========================
CATOP=./eaptlsCA
=========================
- change back to /etc/ssl
- from there, run /etc/ssl/misc/CA.sh -newca:
============================================================
diufpc272 ssl # /etc/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
.........++++++
writing new private key to './eaptlsCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) [Fribourg]:
Locality Name (eg, city) []:
Organization Name (eg, company) [University of Fribourg]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:10.1.1.1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./eaptlsCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Oct 15 13:13:25 2007 GMT
            Not After : Oct 14 13:13:25 2010 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = Fribourg
            organizationName          = University of Fribourg
            commonName                = 10.1.1.1
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                66:03:C6:B9:93:5D:89:F8:75:D8:5D:78:DB:A0:F5:C9:AC:5C:32:CF
            X509v3 Authority Key Identifier:
                keyid:66:03:C6:B9:93:5D:89:F8:75:D8:5D:78:DB:A0:F5:C9:AC:5C:32:CF

Certificate is to be certified until Oct 14 13:13:25 2010 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
diufpc272 ssl #
============================================================================
- create the (RADIUS) server certificate (in this first version, do this on the CA machine):
============================================================================
diufpc272 ssl # openssl req -new -nodes -keyout kulla_key.pem -out kulla_req.pem -days 730 -config ./openssl.cnf
Generating a 1024 bit RSA private key
.........++++++
...........................++++++
writing new private key to 'kulla_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) [Fribourg]:
Locality Name (eg, city) []:
Organization Name (eg, company) [University of Fribourg]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:10.1.1.4
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
diufpc272 ssl #
==========================================================================
- sign the server request:
==========================================================================
diufpc272 ssl # openssl ca -config ./openssl.cnf -policy policy_anything -out kulla_cert.pem -infiles ./kulla_req.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./eaptlsCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 15 16:03:42 2007 GMT
            Not After : Oct 14 16:03:42 2008 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = Fribourg
            organizationName          = University of Fribourg
            commonName                = 10.1.1.4
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DA:60:B0:8B:58:2A:92:59:FE:B3:E8:9B:5C:C0:8F:90:47:47:2E:18
            X509v3 Authority Key Identifier:
                keyid:D2:7B:1C:6B:B9:29:0B:7C:45:6F:A2:89:42:85:53:7F:F7:FA:24:38

Certificate is to be certified until Oct 14 16:03:42 2008 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
diufpc272 ssl #
=========================================================================
- open kulla_cert.pem and delete everything before "-----BEGIN CERTIFICATE-----"
- concatenate kulla_key.pem and kulla_cert.pem:
  diufpc272 ssl # cat kulla_key.pem kulla_cert.pem > kulla_keycert.pem
- cp the server_* files to the RADIUS server and delete them on the CA
- create the client certificates (2 in our setup):
=========================================================================
diufpc272 ssl # openssl req -new -keyout tybble_key.pem -out tybble_req.pem -days 730 -config ./openssl.cnf
Generating a 1024 bit RSA private key
.........++++++
.....................................................................++++++
writing new private key to 'tybble_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) [Fribourg]:
Locality Name (eg, city) []:
Organization Name (eg, company) [University of Fribourg]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:10.1.1.2
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
diufpc272 ssl #
=============================================================================
- sign them:
=============================================================================
diufpc272 ssl # openssl ca -config ./openssl.cnf -policy policy_anything -out tybble_cert.pem -infiles ./tybble_req.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./eaptlsCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct 15 16:07:34 2007 GMT
            Not After : Oct 14 16:07:34 2008 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = Fribourg
            organizationName          = University of Fribourg
            commonName                = 10.1.1.2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                01:BA:E2:29:07:26:F4:03:7B:74:C1:E5:97:8B:99:C2:F8:26:E1:9B
            X509v3 Authority Key Identifier:
                keyid:D2:7B:1C:6B:B9:29:0B:7C:45:6F:A2:89:42:85:53:7F:F7:FA:24:38

Certificate is to be certified until Oct 14 16:07:34 2008 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
diufpc272 ssl #
=============================================================================
- delete everything before "BEGIN CERTIFICATE" in the *_cert.pem files
- cp all files to the client systems

Access Point Linksys:
- wireless -> wireless security -> security mode: WPA RADIUS

++++++++++++ GENERAL WORKFLOW +++++++++++++++++++
1) setup machines
2) setup AP
3) setup CA
4) setup RADIUS
5) setup AP
6) setup wpa_supplicant

++++++++++++WPA SUPPLICANT++++++++++++++++++++++
- config file:
# This is a network block that connects to any unsecured access point.
# We give it a low priority so any defined blocks are preferred.
#network={
#       key_mgmt=NONE
#       priority=-9999999
#}

#testbed
# Cleaned up example, see original wpa_supplicant.conf for comments.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=1
ap_scan=2
fast_reauth=1

network={
        ssid="dd-wrt"
        scan_ssid=0
        mode=0
        proto=WPA
        key_mgmt=WPA-EAP
#       pairwise=TKIP
#       group=TKIP
        eap=TLS
        identity="10.1.1.3"
        ca_cert="/root/cert/cacert.pem"
        client_cert="/root/cert/korsby_cert.pem"
        private_key="/root/cert/korsby_key.pem"
        private_key_passwd="PW"
        psk="IrgendeinSchlechtesPW"
}

- how to start:
  wpa_supplicant -Dwext -ieth1 -dd -c/etc/wpa_supplicant/wpa_supplicant.conf
- on basisk:
  wpa_supplicant -Dwext -iwlan0 -ddd -c /etc/wpa_supplicant/wpa_supplicant.conf
++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++TPM+++++++++++++++++++++++++++++++++
- install the TPM Emulator from SVN:
  svn checkout svn://svn.berlios.de/tpm-emulator/trunk
- follow the README:
  make
- before doing make install, create a new user:
  adduser -n -s /usr/sbin/nologin tss
  make install
  cd trunk/tpmd_dev
  modprobe tpmd_dev
  tpmd -f clear
- emerge trousers
- emerge tpm-tools
- activate the TPM Infineon driver in the linux kernel:
  modprobe tpm_infineon
- start tcsd -f
==========================================

++++++++PCA clients++++++++++++++++++++++
1) Java
./jtt.sh xkms_ekcert_create --auth secret --ekfile tybble_ek.cert -o PW --service "http://10.1.1.1:20000/ek"
./jtt.sh xkms_ekcert_validate --ekfile tybble_ek.cert
./jtt.sh xkms_aik_create -a carolin -l tybble -o PW --aikfile tybble_aik.cert --ekfile tybble_ek.cert --keyfile tybble_aik.tpmkey --service "http://10.1.1.1:20000/aik"

Graz server:
./jtt.sh xkms_ekcert_create --auth ilikeiaikstuff --ekfile tybble_ek_graz.cert -o PW
./jtt.sh xkms_aik_create -a carolin -l tybble -o PW --aikfile tybble_aik_graz.cert --ekfile tybble_ek_graz.cert --keyfile tybble_aik_graz.tpmkey
./jtt.sh xkms_aik_validate --aikfile tybble_aik_graz.cert
+++++++++++++++++++++++++++++++++++++++++

++++++++openssl engine++++++++++++++++++++
- install openssl manually:
  ./config shared
  make
  make test
  make install
- create /etc/env.d/01openssl:
  #created by Caro
  PATH="/usr/local/ssl/bin"
  ROOTPATH="/usr/local/ssl/bin"
  LDPATH="/usr/local/ssl/lib"
- env-update
- ldconfig
- source /etc/profile
- untar openssl_tpm_engine
- ./configure
- modify the Makefile: change
  DEFAULT_INCLUDES = -I. -I$(srcdir)
  to
  DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(OPENSSL_INCLUDE_DIR)
- make
- make install
- the following hint shows up (stored here for possible later use):
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/lib/openssl/engines

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
- on Ubuntu server: create symbolic links in /usr/lib/ssl/engines to /usr/local/lib/openssl/engines
++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++install wpa_supplicant manually++++++++++++++++++++
- Makefile: replace
  CFLAGS += -I. -I../utils -I../hostapd
  with
  CFLAGS += -I. -I../utils -I../hostapd -I/usr/local/ssl/include
- furthermore, replace (every occurrence of lssl and lcrypto)
  LIBS += -lssl -lcrypto
  with
  LIBS += /usr/local/ssl/lib/libssl.a /usr/local/ssl/lib/libcrypto.a
- make
- cp wpa_cli wpa_supplicant /usr/local/bin
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Very first prototype using the verification service:
1) on basisk: tcsd -f (in one terminal)
2) on kulla: radiusd -X
3) on diufpc272: /home/latze/implementations/EAP-TPM-Testbed/verification-service/server
4) on basisk: wpa_supplicant -Dwext -iwlan0 -ddd -c /etc/wpa_supplicant/wpa_supplicant.conf (in a 2nd terminal)

++++++++++++++verification service++++++++++++++++++++++++++++++++++++
- certificates: ca.pem -> basisk.pem (in the certs directory)
latze@diufpc272 ~/implementations/EAP-TPM-Testbed/verification-service/certs $ cat ca.pem basisk.pem >> all.pem
latze@diufpc272 ~/implementations/EAP-TPM-Testbed/verification-service/certs $ openssl verify -CAfile ca.pem all.pem
all.pem: /O=privacyca.com/CN=Privacy CA Insecure/Unchecked AIK Certificate
error 10 at 0 depth lookup:certificate has expired
OK
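The certificate hand-off steps in the CA section (strip the "Certificate Details:" preamble that openssl ca writes before -----BEGIN CERTIFICATE-----, concatenate key and certificate into kulla_keycert.pem, keep the key file readable only by radiusd) and the openssl verify call at the end of the notes are easy to get subtly wrong by hand. The helpers below are an added example and are not part of the original notes or of any project they mention; file names in the comments and test data are constructed for illustration. Two points they encode: the combined key+cert file should never exist with permissive mode, even briefly, and openssl verify checks only the first certificate in each file it is given, which is why the output above reports the CA subject at depth 0 and why the trailing OK says nothing about basisk.pem.

```shell
#!/bin/sh
# Added example, not from the original notes. POSIX sh plus awk; the
# `openssl` call in verify_each_cert is only run when you invoke that function.

# Print only the PEM-armored blocks of FILE, dropping the human-readable
# "Certificate Details:" text that `openssl ca` writes in front of
# -----BEGIN CERTIFICATE-----. Replaces the manual "delete everything
# before BEGIN CERTIFICATE" editing step from the notes.
pem_only() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{p=0}' "$1"
}

# Build the combined key+certificate file that FreeRADIUS reads as both
# private_key_file and certificate_file: key first, then certificate.
# A subshell umask of 077 makes the file owner-only from the moment it
# is created; chmod 400 afterwards matches the listing of /etc/raddb/certs.
make_keycert() {
    ( umask 077; { pem_only "$1"; pem_only "$2"; } > "$3" ) && chmod 400 "$3"
}

# Split a PEM bundle into OUTDIR/cert-1.pem, cert-2.pem, ... and print the
# number of certificates written. Needed because `openssl verify FILE`
# looks only at the first certificate in FILE.
split_pem_bundle() {
    awk -v d="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem"; p = 1 }
        p { print > f }
        /^-----END CERTIFICATE-----/   { p = 0; close(f) }
        END { print n + 0 }' "$1"
}

# Verify every certificate in BUNDLE against CAFILE, one at a time, so an
# expired or unrelated member cannot hide behind the first one.
verify_each_cert() {
    cafile=$1; bundle=$2
    tmp=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== $tmp/cert-$i.pem"
        openssl verify -CAfile "$cafile" "$tmp/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Succeed only if FILE carries no group/other permission bits (0400 or 0600).
# GNU stat first, BSD stat as fallback.
check_key_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}
```

Usage on the CA machine, following the notes' file names: `make_keycert kulla_key.pem kulla_cert.pem kulla_keycert.pem && check_key_mode kulla_keycert.pem`; for the verification-service bundle, `verify_each_cert ca.pem all.pem` prints one verdict per certificate instead of one for the first block only.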
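The wpa_supplicant network block in the WPA SUPPLICANT section carries three things worth checking before the file is copied to a client: ca_cert must be set, because without it the supplicant accepts any RADIUS server certificate and an attacker-run access point can harvest the EAP-TLS handshake; a psk= line is ignored with key_mgmt=WPA-EAP and only spreads the RADIUS shared secret onto every client; and a file holding private_key_passwd has to be readable by root only. The lint below is an added example, not part of the original notes or of wpa_supplicant; the finding texts and the mode rule are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original notes: lint a wpa_supplicant.conf
# EAP-TLS network block. Prints one line per finding, returns the count.

# Value of KEY in FILE with surrounding quotes removed; first match wins.
# Lines commented out with a leading '#' are skipped, as wpa_supplicant does.
wpa_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$key=//p" "$file" | head -n 1 | tr -d '"'
}

lint_wpa_conf() {
    conf=$1
    findings=0
    key_mgmt=$(wpa_get "$conf" key_mgmt)
    eap=$(wpa_get "$conf" eap)

    if [ "$key_mgmt" = "WPA-EAP" ]; then
        # No CA to check the server certificate against: any AP that
        # speaks EAP-TLS is trusted, which defeats mutual authentication.
        if [ -z "$(wpa_get "$conf" ca_cert)" ]; then
            echo "FINDING: ca_cert missing, server certificate is not validated"
            findings=$((findings + 1))
        fi
        # psk= is a WPA-PSK setting; with WPA-EAP it is dead configuration
        # that leaks the RADIUS shared secret to every client.
        if [ -n "$(wpa_get "$conf" psk)" ]; then
            echo "FINDING: psk= is ignored with key_mgmt=WPA-EAP; remove the shared secret"
            findings=$((findings + 1))
        fi
        if [ "$eap" = "TLS" ]; then
            for k in client_cert private_key; do
                [ -n "$(wpa_get "$conf" "$k")" ] || {
                    echo "FINDING: eap=TLS but $k is not set"
                    findings=$((findings + 1)); }
            done
        fi
    fi

    # The file contains a secret: group/other must not be able to read it.
    if [ -n "$(wpa_get "$conf" private_key_passwd)" ] || [ -n "$(wpa_get "$conf" psk)" ]; then
        mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
        case "$mode" in
            600|400) ;;
            *) echo "FINDING: $conf holds secrets but has mode $mode (expected 600)"
               findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}
```

Run it as `lint_wpa_conf /etc/wpa_supplicant/wpa_supplicant.conf; echo "findings: $?"`. Against the block shown in the notes with the usual 644 mode it reports two findings (the psk line and the file mode); drop the psk line and chmod 600 the file and it reports none.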