In this lab you will use the gnugpg public key utility program to create and distrbute keys for users and interact with the keys and messages cryptographically.
In so doing, you will be using an application to utilize public key cryptography, as we discussed in the second lectue of CSci530. You will also be performing some aspects of key management, a topic that is covered in Lecture 3 of CSci530.
While last years version of this lab used VirtualBox Virtual Appliances to run these programs, it is alos possible to install gnugpg directly on your personal computer. Given the significant differences in the ability of some students to install VirtualBox because of the new hardware architectures, I have recast this first exercise with instructions that will enable you to perform the lab through the GPG application which you will install directly on your computer.
For future labs, we will still be using the virtualization environment.
You can find some basic information about GPG from: https://gnupg.org/.
You will want to visit the Download page at https://gnupg.org/download/index.html
Where you will install the latest release and associated libraries for your hardware archiecture and operating system. Note that the section of this page labeled GnuPG BINARY RELEASE contains links to common distubutions for various platforms. While this is not the prefered way to install such software, it is the way that most users install the packages in the fewest steps. Note that the current version of GPG is 2.3.2.
If on windows, this is the "Command Prompt". If linux based, including MacOS, this will be a shell
Technically, what you are doing is generating a key pair for a public key cryptosystem. The key pair will consist of both a private key, which you will retain for your own use, and a public key which will eventually be sent to a public key repository.
Type "gpg --gen-key"
You will be prompted as follows:
You will also want to generate several movements with your mouse, based on which the GPG program will gather "random" data to use in key generation. GPG will generate a key pair, and it will store the private key from the key pair separately encrypted using the passphrase you enetered, so that someone finding your laptop is not able to easily determine your private key. You will be asked for this passphrase in the future when you attempt to perform an operation that requires your private key.
gpg --list-keys [optional: your email address]
If you have used GPG previously you may have other keys stored locally. You can add an argument with your email address at the end of the gpg --list-keys command to list only keys associated with your email address. Verify that a key has been generated for your name, and the key ID and expiration associated with the key.
Answer 1: Please save the output of the list keys operation (with your email address) above and submit as the first item in the solutions that you will upload.
To do this you must first convert your public key to a format that may be distributed to other uers, or uploaded to a keystore.
You do this with the command:
gpg --export -a -o keyfile.txt [your email addres]
which creates keyfile.txt containing a base64 encoded block of text embedding your public key.
You may upload this to the open PGP keystore by visiting the website:
Once you upload the key file, to make it discoverable using your email address, you must click the button to verify your email address, and a message will be sent to you through which you an approve the publication of the key as associate with your address. Note that this is not strong authentication of the identity of the submitter of a key, it simply enables search. For you to reliability assess the integrity of the key itself you should exchange the "fingerprint" of your key through external means with those that might use the key to send you messages. We are not taking this final step in this lab exercise.
to retrieve the public key for firstname.lastname@example.org.
ANSWER 2: Please record the full key fingerprint for this file (it is the last part of the link that is returned in the search you just performed), and include this as answer 2 of your lab submission.
Also, verify that the fingerprint is accurate by making sure that the last 6 characters are D83E47. You typically should verify the full fingerprint with the intended receiver out of band (i.e. in person, by phone, or through other means) to make sure that an imposter had not uploaded their own key to the keyserver in an attempt to impersonate the subject named in the key.
Load this key into your local keystor with the GPG command:
gpg --import [filename where you downloaded the key]
Encrypting and decrypting
A user encrypts for consumption by another user, by applying the other user's public key to the plaintext. The result is decryptable by that particular other user only.
So, you should create a file with a name of your choosing and with the content:
You can create an encrypted version of this message that will be readable only by email@example.com with the command:
gpg --recipient firstname.lastname@example.org -a --encrypt [the filename you used to create the file above]
(the -a option tells it to output in BASE64 encoding rather than binary)
Note the creation of the file [filename].asc which contains the encrypted data.
ANSWER3: Add the contents of
The command you will use is:
gpg --sign --recipient email@example.com -a --encrypt [filname]
Which will create [filename].asc
Containing all of the elements necessary for both confidentialy and the digital signature (integrity).
Please compose an email to firstname.lastname@example.org and include the [filename].asc in the body of your message.
I would prefer if you cut and paste the text from the .asc file into the body of your message, rather than have you attach it as a separate attachement, since this will make it easier for me to process the message within my mail reading program..
You will verify my signature using the email@example.com key and decrypt the message using your private key using GPG commands --decrypt and --verify (I will leave it to you to figure out the correct use if these options).
ANSWER4: Please include the text of my response and the output valdating the signature in the fourth submitted item for you lab.
The report must be submitted throuh the D2L Dropbox Folder for Lab Assignment 1.