ITEC 345 2013spring ibarland

home—lects—exams—hws
D2L—breeze (snow day)

hw06
Encrypting, Signing, and Hashing messages
using gpg

Due Mar.03 (Wed) 23:59.

In this homework, you will generating your own pair of Public/Private keys, and use them to encryption a message, and to digitally sign a message. You will also check a file's hash using md5.

You may work with a partner for this homework. You only need to turn in one copy of the assignment; be sure both your names are clearly at the top of your submitted work. (Only groups of size ≤ 2, not more.)

To run this lab, you will need to be able to run gpg (“GNU Privacy Guard”), which is installed on rucs.radford.edu. You can connect via ssh or putty, as usual.

You can also download versions for your own computer, from www.gnupg.org; either version 1.4 or 2.1 should suffice. The provided links is for GUI versions; it's up to you (and the discussion boards) to interpret the (command-line oriented) instructions below¹.

1. Generate public/private keys for yourself. (You won't actually use it until Part III, but gpg likes one key to be already-created for Part II.)

   1. Login to rucs.radford.edu, and make sure you can run gpg (e.g. “gpg --help”)
   2. Then follow the instructions in the section “Generating a new keypair” from the manual www.gnupg.org/gph/en/manual.html, and follow those instructions on the command-line. (e.g. the command gpg --gen-key should be run on the command line).
   3. When prompted for inputs, you can use any of the defaults provided. If you choose a non-default expiration date, make sure your key doesn't expire before the end of finals week (≥ ~6weeks). Do use a name I'll recognize as yours, and use your RU email.
   4. If you get a message about “Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!” you can do spur the computer to do some busywork. You can copy large files to/from rucs. (For example, you can copy a linux-image, or the owasp disk image from hw03, to/from rucs’s /tmp directory. This triggers a lot of disk activity, which gpg can use as a source of reasonably-random bits.) Also, you can start a second shell on rucs, and run a command to like “nice find /usr |& grep dummyWorkLookingAtManyFiles” (re-running many times, necessary).
2. Export your public key; use the “--armor” option so that the key doesn't contain special (non-printing) characters. Read the section: “Exporting a public key” (www.gnupg.org/gph/en/manual.html#AEN65).
   1. Make sure to use the “--armor” option.
   2. Save your public key in a file named user1-user2.gpg (where user1 and user2 are the RU usernames of you and your teammate).
   3. E.g. if I was generating a public key with my email id, this is how I would do it: gpg --armor --export ibarland@radford.edu > ibarland.gpg Go ahead and look at the contents of your public key file once (using, say, “more”); You should see something like this:

       -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: GnuPG v1.4.6 (GNU/Linux)
      Comment: This is the comment I entered when creating the key
      
      Y93aV7dns0t1+ODms33koJuE3drtQ8z93sDmA+KrTm7EfWvZLu7LnXvpi3JvDBYJ
      /c+R2WcL+rnKn/l7ciAQ5hQRxOC3JDJzf4gVEE4SrQnoncVl/oJEzAEe0W4yceBN
      CMf3DOG4OcV97qITr6epiAvKUnDtGrtJDXiPpr2tkg9jcNTLGy+viBAbuHrTfEEA
      ⋮
      -----END PGP PUBLIC KEY BLOCK-----
      

      Congratulations! That is your public key.

3. Send me an encrypted message with MY (Ian's) public key.

   1. Download MY (Ian’s) public key from the hw06 files.
   2. Import my public key into your public key ring. A public key ring is a ring that contains all the public-keys from others that you have collected.

   3. Encrypt a text file containing a message like:

      Hi! This is Team user1-user2 (a.k.a. name1 and name2).

      (replace user and name with your RU username and your real-name (first and last)) with my public key.

      (You can create a text file using notepad and scp it to rucs.radford.edu. Or you can run an editor on rucs directly, as long as it runs within the text terminal window: for example, as pico or emacs or vi.)

      E.g., if the text file containing the message is the file example.txt, you can encrypt this using my (Ian’s) public key as follows:

      1. gpg --out encrypted.txt --armor --encrypt example.txt
      2. You will be prompted to enter the userid of the person whose public key you want to use. Use my public key by entering my RU email ibarland@radford.edu
      3. The file encrypted.txt will now contain the text message encrypted with my public key. So it is now confidential; only I can decrypt it.
      4. (Deliverable for Part III) Upload the file encrypted.txt onto D2L. Once I decrypt it using my private key, I will know if your encryption has worked.
      5. Self-test: You can (and should) test whether your public private keys are working using this method:
         1. Encrypt the same file “example.txt”, but this time using your own public key.
         2. Next decrypt it using your own private key. You can decrypt it with the --decrypt option as follows: gpg --decrypt encrypted.txt and the result should be identical to the original example.txt.
         With this you should have gained hands on experience in being able to encrypt or decrypt any message.
      Have some fun: You are encouraged to share your public key with other friendly teams and send appropriate messages encrypted with their public key. (This won’t be graded.) You can publish your public key on the D2L discussion boards, and/or on your web page.

4. Digitally sign your message.

   Deliverables: Your public key and the digitally signed message. To generate a digital signature on a document, refer to the following section of the manual: www.gnupg.org/gph/en/manual.html#AEN136m. E.g., if the document to sign is example.txt, then you can created the signed version (named example.txt.sig) as follows:

   1. gpg --output example.txt.sig --armor --sign example.txt
   2. Since digital signatures involve encrypting the text document with your private key, you will be prompted for the passphrase you used during the creation of your public/private key pair. If you do not remember this phrase, you will need to go back to Part I and start from scratch.
   3. Deliverable: submit the digitally signed document example.txt.sig on D2L. Also submit your public key (so I can verify your signature), user1-user2.gpg.
   4. Self-test: You too can verify if your signature was created correctly. Simply decrypt the document using your public key as follows: gpg --output example.txt.verify --decrypt example.txt.sig

5. With the hw06 files you will find three plain-text files (.txt) along with their secure hashes (.txt.sha256) . However, something foul is afoot: at least one of those files has been tampered with. Your goal is to compute new sha256 hashes for each file, compare it with the posted sha256's and determine which file(s) were tampered with by an international gang of file tamperers. You can use gpg --print-md sha256 filename.txt to generate the hash.

   Submit, on D2L, a file named fixed-hashes.txt which contains the (fixed) hashes for only the files which had had an incorrect hash. This file should have exactly 2 lines per tampered hash.

home—lects—exams—hws
D2L—breeze (snow day)

©2012, Ian Barland, Radford University Last modified 2013.Apr.03 (Wed)

Please mail any suggestions (incl. typos, broken links) to ibarlandradford.edu