Question: #8353

IT 4823 – Assignment 2 Complete Solution

IT 4823 – Assignment 2

Parts of this assignment will require research. Be sure to attribute the words and ideas of others that you will use in your answers. Use quotation marks for direct quotations, and always include a citation, whether you quote or paraphrase. If you have questions about this, please ask me. Do not copy the homework text into your answers; I already know what the questions are, and putting superfluous filler into your answers just makes more work for me.

Remember: No citations implies no research. No research implies no learning. No learning implies no credit!

There is only one thing to do for this assignment, but that "one thing" has several pieces. Please read the assignment all the way through so that you know where you're heading before you set out. Failure to do that is quite likely to result in your having to start over. You should set aside at least a couple of hours for this assignment.

Overview: You are going to do the following things

Prepare a word processing document with the answers to several questions and name it <user ID>_a2 with the appropriate extension for the word processor you're using (Example: My user ID is bbrown, and I use Word 2010, so my document file would be bbrown_a2.docx)

Install the GNU Privacy Guard, also called GnuPG or GPG, on your computer

Determine a passphrase to guard your private key

Generate a public/private key pair for yourself

Import my public key into your copy of GnuPG

Encrypt the document from step 1 with my public key and sign it with your private key

Export your public key to an ASCII document file, sometimes called "ASCII armored." (The "armor" is just the binary key encoded as Base64 text with a checksum so it survives copy-and-paste and email; there is no security advantage, and besides, this is your public key; it doesn't need protecting.) Name the key file <user ID>_a2_key.asc

Place the encrypted document and your exported public key in a zip file named <user ID>_a2.zip where <user ID> is your D2L user ID (Example: My user ID is bbrown, so my zip file would be bbrown_a2.zip)

Upload the zip file to D2L.

Optional steps: I won't be able to verify that you've done these things, and they have no effect on your grade, but when you've finished the required parts, you'll be a long way toward setting yourself up to use public key encryption. You may want to do the following:

·         Generate a revocation certificate (You will probably have to use the command line interface to do this. GnuPG 2.1 and later also write one automatically into the openpgp-revocs.d directory under your GnuPG home directory when you generate a key.)

·         Upload your public key to a public key server. (Key servers talk to each other, so one is usually enough.)

·         Set up both digital signature and encryption for your preferred email program, if supported.

·         Export your private key and revocation certificate to a backup medium and encrypt it with something like TrueCrypt. (The TrueCrypt project has since ended; its last full release, TrueCrypt 7.1a, is mirrored at https://github.com/AuditProject/truecrypt-verified-mirror?files=1.) If you can, keep the revocation certificate on a different medium from the private key backup: whoever holds the certificate can revoke your key.

·         Have your public key digitally signed by two or three other people, beginning a "web of trust" for your key. Note: you should only sign the public key of someone you can absolutely identify, and only after checking the key's full fingerprint with them in person or over a channel you trust; similarly, only people who know you or can identify you should sign your key. For a counter-example, see this. (Contains vulgar language, so be warned.)

The assignment doesn't contain instructions for doing these things, but you will have learned enough to figure most of them out by the time you've completed the assignment. GnuPG works as a command line program on all operating systems. The gpg binary has to be on your PATH; the Linux and Mac installs take care of that, and on Windows you can either run it from inside the GnuPG folder of your Gpg4win installation or add that folder to your PATH. For actions not supported by the GUI interface, check http://www.gnupg.org/gph/en/manual/book1.html (This was written in 1999; remarks about the encryption algorithms are out of date, but the procedures are correct.)

Beware: If you start to use GnuPG, and one hopes you will, you will need to guard both your private key file and your passphrase. If you lose either, you will lose access to everything encrypted with your public key. If your revocation certificate is compromised, Evil Eve can revoke your public key. Be sure to take appropriate precautions.

Some terminology: You're going to be doing some research on the web. The terminology used in some web articles is a bit confusing. Here are definitions to help you.

OpenPGP

OpenPGP is a standard (RFC 4880) describing a message format and a mechanism for both encrypting and digitally signing files. Those files may be email messages or, as in this exercise, a "plain" data file. There is no "OpenPGP" program; two programs that implement the OpenPGP standard are described below.

PGP

PGP is a company and also the name of that company's products. The PGP products implement the OpenPGP standard. They're commercial products; they cost money. People pay PGP Corp. money to get technical support, regular product upgrades, etc. There was a free version of PGP, but it is now very out of date and should not be used.

GnuPG

GnuPG, also called GNU Privacy Guard or GPG, is a free and open-source implementation of OpenPGP. As with other free software, support consists of forums, mailing lists, and web articles. Upgrades and fixes come from the project's developers and volunteer contributors.

Certificate

Kleopatra, the Gpg4win front end, refers to your public key as a certificate, and the term is defensible. What's produced is your public key together with your user ID (name and email address), bound by a digital signature made with your private key. That's a self-signed digital certificate. It doesn't provide any assurance that the key really belongs to the named person (only other people's signatures, the "web of trust" mentioned above, can do that), but it does protect the user ID and the key's settings against tampering.

Step 1: Prepare a Document

Prepare your document according to the style guidelines for the class. Be sure it has your name on it. Your document is going to contain the answers to three questions. Please identify them as A, B, and C.

Using web searches, determine whether there's a means to integrate GnuPG with your preferred email program. For example, you might search on "zimbra gpg gnupg." Make an honest effort at searching, but don't spend more than 10-15 minutes on it. If GnuPG integration is supported for your preferred email client, write a paragraph describing what support you found and where you found it. If not, write a paragraph describing any efforts you found to support it. (Note: Even if GnuPG is not supported by your preferred client, you will be able to encrypt and sign documents, then send them as attachments to email messages when you have finished this assignment.)

You are going to encrypt your work with my public key, and I'll decrypt it with my private key when I receive it. However, I've asked you to include your public key in the zip file. In one sentence, explain why I need your public key.

Write a paragraph or so giving your opinion of this assignment. Tell whether there should be more assignments like this and why, or why not.

Name your document <user ID>_a2 with the appropriate extension for the word processor you're using. Be sure you use something I can open with Word 2007. (Example: My user ID is bbrown, so my document file would be bbrown_a2.docx because I use Word 2007.)

Step 2: Install Gnu Privacy Guard

Windows users: Download and install GPG4Win (http://www.gpg4win.org/) and go through the documentation at http://www.gpg4win.org/doc/en/gpg4win-compendium.html. Be sure to install and use Kleopatra. You can do everything needed for this assignment with Kleopatra.

Mac OS users: Download and install GPGTools (http://gpgtools.github.io/GPGTools_Homepage/). You will find documentation at the same link.

Linux users: You can get binaries and documentation directly from the GnuPG page (http://www.gnupg.org/)

Please note: I cannot provide technical support for any of these tools. I've tested the things I have asked you to do using GPG4Win, but only in my own environment. You are upper division students of computing. I expect that you can use your operating system of choice, install software, and follow the directions published with the software. Failing that, please get help from a more accomplished user of your operating system.

If you work in the lab, but want to save your work, there's some pretty minimal information about moving GPG4Win files to a USB drive here: http://superuser.com/questions/246177/how-to-store-kleopatra-pgp-keys-on-usb-drive.

Step 3: Determine a Pass Phrase

When you generate a GnuPG keypair in the next step, your private key will be stored on your hard disk encrypted under a key derived from your pass phrase. (GnuPG derives that key with an iterated, salted hash of the pass phrase, which slows down guessing but cannot make a weak phrase strong.) Someone who gains access to your hard disk or a backup of it can unlock your private key if they can guess or otherwise determine your pass phrase. What is needed is a phrase that you will remember easily, but that would be difficult for most others to guess. An example might be: My paternal uncle's name was George. I won't forget that, and even someone who knows about my family is unlikely to guess exactly that.

Some password crackers have incorporated the rules of English grammar into their cracking programs. If you re-cast your pass phrase into "Yoda speak" or otherwise mangle the word order, it is just as easy to remember and type, but no longer follows the rules of grammar and sentence structure: George my paternal uncle's name was.

You can make guessing a lot harder by "lying" when you create a pass phrase. My actual paternal uncle is Bill, not George, although neither one appears in any of my pass phrases.

If there's any chance you will use GnuPG after this assignment and the next one, spend some time and take some care with your pass phrase.

If you forget your pass phrase, you will not be able to decrypt information that others encrypt with your public key. Depending upon just how confidential your encrypted information is likely to be, consider writing down your passphrase and putting it in a safe place, such as within an infrequently used book. Or not, as the case may be.

Step 4: Generate a public/private keypair

Follow the instructions for your version of the software to generate an OpenPGP public/private keypair. You will use the pass phrase from step 3 to lock your private key, and you'll identify the keypair with a name and an email address. Consider picking a reasonably permanent email address for this exercise. You do not necessarily need to use your SPSU address. For the (RSA) key size, choose the maximum your software supports, and in any case at least 2,048 bits.

Caution: GPG4Win and possibly the other programs allow one to create more than one kind of keypair. For this exercise, only an OpenPGP keypair will do.

Step 5: Import the Instructor's Public Key

GnuPG provides a way to store the public keys of people with whom you will exchange encrypted communications. You can find my public key here: http://bbrown.spsu.edu/contact_pgp.html Be sure the page has a 2013 update date; use the refresh button if needed. Follow the instructions for your program for importing my public key so that you can encrypt messages to me.

If you decide to look for my key on a keyserver, which is probably unnecessary and the hard way to do it, be sure the key you use has a valid-from date of 2013. There are some old keys floating around. If you encrypt with an incorrect key, I won't be able to decrypt, and you'll get a zero.

Depending on the version of GnuPG software you're running, you may have to "certify" my key, i.e. sign it with your own private key, before you can use it for encryption: GnuPG will not silently encrypt to a key whose owner it cannot vouch for. The command-line program asks whether to use the key anyway and, when run unattended, simply refuses. (I didn't need to do that when I tested with GPG4Win and Kleopatra.)

Note: A few people have reported trouble importing my public key. I've tested it and it works, at least with Kleopatra for Windows and GPGTools for Mac. My best guess is that the key got mangled in the copying attempt, possibly with leading or trailing spaces, etc. If that happens to you, configure the default key server in Kleopatra or the software you are using. In Kleopatra, it's Settings -> Configure Kleopatra -> Directory services. Click "New" and accept the default key server. You will then be able to use "Look up certificates on directory server" to search using the key ID from my key page. Follow the instructions within Kleopatra or the software you're using. Whichever way the key arrives, check that the fingerprint of the key you imported matches the key published on my page before you encrypt anything to it; a key server hands you whatever anyone has uploaded under that name or key ID.

Step 6: Sign and Encrypt the Document

Sign the document with your private key and encrypt it with my public key. You will do both of these in one operation. Note: You are signing and encrypting a document file, not an email message. GPG4Win users can do this with the File menu on Kleopatra. I don't have a good way of testing either Mac OS or Linux. There may be a way to do this with the GUI interface. Otherwise, you can do it with the command line. You will find directions here: http://www.physics.purdue.edu/PCN/doc/wiki/wiki:procedures:encrypt:mac

Your document file should come out named something like <user ID>_a2.ext.gpg where "ext" is the extension used by your word processor. Example: bbrown_a2.docx.gpg.

Step 7: Export Your Public Key

Export your public key to an ASCII file following the directions for the software product you are using. (Windows users: Use File -> Export Certificates. Others, see the instructions for the software you are using.) Name your file <user ID>_a2_key.asc, like bbrown_a2_key.asc. Be sure you have a dot-asc extension. Open the file with a text editor and be sure it looks similar to my public key, which is here: http://bbrown.spsu.edu/contact_pgp.html The content will, of course, be different, but it should be the same shape.

Be sure the file you get says "BEGIN PGP PUBLIC KEY BLOCK" and not "BEGIN PGP PRIVATE KEY BLOCK", because if you send me your private key a) you will have lost all confidentiality (a pass-phrase-protected private key can be attacked offline at leisure, so you would have to revoke it) and b) you'll get a zero because I won't be able to validate your digital signature.

Step 8: Zip the Encrypted Document and the Key File

Using whatever zip program you like, create a zip file named <user ID>_a2.zip and containing the signed, encrypted document from step 6 and the public key file from step 7. Do not include a directory structure in your zip file; just zip the two documents. (If you include a directory structure, my automated script for unzipping the files will fail, and you'll get a zero.)
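The command-line form of Steps 4 through 8, followed by the decrypt-and-verify the instructor performs on receipt, as an added example that is not part of this handout and is not Gpg4win's or GnuPG's own code. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback and --quick-lsign-key). The user ID jdoe, the names, e-mail addresses and pass phrase are placeholders, and the "instructor" key is generated locally so the script runs offline; for the real assignment you import the instructor's key from his web page instead.

```shell
#!/bin/sh
# Added example for this page, not code from the handout, Gpg4win or GnuPG.
# Steps 4 to 8 at the GnuPG 2.1+ command line, then what the instructor does
# on receipt. Everything happens in throw-away key rings under a temp
# directory, so your real ~/.gnupg is never touched.
# Placeholders (assumptions, not from the assignment): the user ID "jdoe", the
# names, e-mail addresses and pass phrase, and the "instructor" key, generated
# here only so the demo runs offline.
set -eu

STUDENT_ID="jdoe"
STUDENT_UID="Jane Doe <jdoe@example.edu>"
INSTRUCTOR_UID="Instructor <instructor@example.edu>"
PASSPHRASE="George my paternal uncles name was"   # placeholder; use your own (Step 3)
KEY_BITS=${KEY_BITS:-2048}   # the handout's minimum, kept small so the demo is quick

WORK=$(mktemp -d)
STUDENT_HOME="$WORK/student-gnupg"
INSTRUCTOR_HOME="$WORK/instructor-gnupg"
mkdir -m 700 "$STUDENT_HOME" "$INSTRUCTOR_HOME"

# One wrapper per party, each with its own key ring. Loopback pinentry lets
# --passphrase supply the pass phrase instead of a pop-up window.
student_gpg()    { gpg --homedir "$STUDENT_HOME" --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" "$@"; }
instructor_gpg() { gpg --homedir "$INSTRUCTOR_HOME" --batch --yes --pinentry-mode loopback "$@"; }

cleanup() {
  for h in "$STUDENT_HOME" "$INSTRUCTOR_HOME"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Step 4: unattended key generation, RSA signing primary key + RSA encryption subkey.
generate_student_key() {
  student_gpg --gen-key <<EOF
Key-Type: RSA
Key-Length: $KEY_BITS
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: $KEY_BITS
Subkey-Usage: encrypt
Name-Real: Jane Doe
Name-Email: jdoe@example.edu
Expire-Date: 0
Passphrase: $PASSPHRASE
%commit
EOF
}

# Stand-in for the instructor's key (assumption). The exported .asc plays the
# part of the armored key on his web page.
generate_instructor_key() {
  instructor_gpg --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: $KEY_BITS
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: $KEY_BITS
Subkey-Usage: encrypt
Name-Real: Instructor
Name-Email: instructor@example.edu
Expire-Date: 0
%commit
EOF
  instructor_gpg --armor --output "$WORK/instructor_pub.asc" --export "$INSTRUCTOR_UID"
}

# Step 5: import, read back the fingerprint (compare it with the published one in
# real life), then certify with a local, non-exportable signature. Unattended gpg
# refuses to encrypt to a key it cannot vouch for instead of asking.
import_and_certify() {
  student_gpg --import "$WORK/instructor_pub.asc"
  fpr=$(student_gpg --with-colons --fingerprint "$INSTRUCTOR_UID" | awk -F: '$1 == "fpr" { print $10; exit }')
  student_gpg --quick-lsign-key "$fpr"
}

# Step 6: sign with the student's private key and encrypt to the instructor in one pass.
sign_and_encrypt() {
  student_gpg --local-user "$STUDENT_UID" --recipient "$INSTRUCTOR_UID" \
    --output "$WORK/${STUDENT_ID}_a2.docx.gpg" --sign --encrypt "$WORK/${STUDENT_ID}_a2.docx"
}

# Step 7: armored public key export, plus the check that it is the PUBLIC block.
export_public_key() {
  student_gpg --armor --output "$WORK/${STUDENT_ID}_a2_key.asc" --export "$STUDENT_UID"
}
check_key_file() {
  grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" && ! grep -q 'PRIVATE KEY BLOCK' "$1"
}

# Step 8: just the two files, no directory structure (-j junks paths).
make_zip() {
  command -v zip >/dev/null 2>&1 || return 0
  zip -q -j "$WORK/${STUDENT_ID}_a2.zip" "$WORK/${STUDENT_ID}_a2.docx.gpg" "$WORK/${STUDENT_ID}_a2_key.asc"
}

# Instructor side: import the student's public key (the reason it is in the zip),
# decrypt, and verify; a GOODSIG status line means the signature checked out.
instructor_receive() {
  instructor_gpg --import "$WORK/${STUDENT_ID}_a2_key.asc"
  instructor_gpg --status-file "$WORK/status.txt" --output "$WORK/received.docx" \
    --decrypt "$WORK/${STUDENT_ID}_a2.docx.gpg"
  grep -q '^\[GNUPG:\] GOODSIG ' "$WORK/status.txt"
}

main() {
  printf 'Constructed stand-in for the answers document.\n' > "$WORK/${STUDENT_ID}_a2.docx"  # constructed input
  generate_student_key; generate_instructor_key
  import_and_certify; sign_and_encrypt; export_public_key
  check_key_file "$WORK/${STUDENT_ID}_a2_key.asc"; make_zip; instructor_receive
  cmp -s "$WORK/${STUDENT_ID}_a2.docx" "$WORK/received.docx" && echo "round trip OK"
}
if command -v gpg >/dev/null 2>&1; then main; else echo "gpg not found; nothing run" >&2; fi
```

Run it with sh; it cleans up after itself. Two things are demo-only: passing the pass phrase with --passphrase puts it in the process list and shell history, so for a real key let gpg prompt you, and the key ring you actually use lives in your home directory, not under a temporary path. The local signature (lsign) is the right kind for a key you verified yourself: it makes the key usable on your machine without publishing a claim about someone else's identity.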

Step 9: Upload to D2L

Upload your zip file to the Assignment 2 drop box folder in Desire2Learn. Be sure you click the submit button and that you get the confirming email message.

Solution: #8355


This is a good assignment for hands-on practice in using the relevant technologies in internet security. By choosing a real world example of use of the tec...