CSCI 343 - Homework 3

Encryption is the life for me!

Due before class, Wednesday 04 Oct 2006

Handin is now enabled for 343. Woohoo!

Review questions

You should look over these questions and answer them, but you do not need to turn them in: Pfleeger 10.13, 10.14, 10.15, 10.20, 10.22.

Homework

This week, we'll be learning to use GnuPG, the GNU Privacy Guard. It is a clone of the popular asymmetric cryptographic software PGP (Pretty Good Privacy) (see also the international PGP homepage). They both function in a similar manner, but only GnuPG is installed on the CS systems.

Collaboration

Note that you must work with other students in order to complete the assignment. You should still perform your own work and learn how to perform the steps on your own.

Details

  1. You'll probably want to start out by looking through either the manpage or the Gnu Privacy Handbook. You might want to read How PGP Works from the folks at PGP International, or poke around in the GnuPG Documentation.

  2. Use GnuPG to generate both a signing and encryption key (default selection) with a size of at least 1024 bits. Set the validity of both to be no more than 120 days (be sure it lasts until at least the end of the semester, but is not permanent).

    Note that public computer labs are not a good place to store your private key. If you plan to use GnuPG to actually secure or authenticate information, you should probably create and keep the key on your own machine (or another trusted machine) and set the validity of the key to a longer period of time.

    Also, pick a good pass phrase. You should select something that would be difficult to guess, yet able to be memorized. You aren't restricted to 8 characters as you are on some systems, so phrases with mixes of words, letters, and symbols can be a good choice.

  3. Generate a revocation certificate for your key.
  4. Generate a fingerprint for your key.
  5. Export your key to an ASCII (not binary) file.
  6. Add someone else's key to your keyring by:

    1. Importing a key from a file (they must export it to a file, get the file to you, and then you can add it).
    2. Downloading a key from a key server. You should download my temporary GnuPG key from pgpkeys.mit.edu (Fingerprint: DA54 7BB2 8F3C 93EE 8BE7 6479 818F FD89 7259 1FED).
  7. List all the keys in your keyring.
  8. Encrypt and sign a file for someone else using their public key (before you've signed it).
  9. Sign someone else's key and get someone to sign your key. Once your key has been signed, you have to get them to export the key and then you can re-import it. (Otherwise, how would you get their signature?)
  10. Generate a detached signature for a file.
  11. Verify someone else's detached signature.
  12. See what is output for a failed signature check.
  13. Encrypt and sign a file for someone else using their public key (once you've signed it).
  14. Decrypt and verify the signature on a file from someone else using your private key.
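
Steps 2, 4 and 10-12 above, scripted as an added example that is not part of the original assignment. It assumes GnuPG 2.1 or later (for `--quick-generate-key` and `--pinentry-mode loopback`); the user ID, file names and the empty passphrase are constructed for a throwaway demo key.

```shell
# Added example: works in a throwaway keyring; ~/.gnupg is never touched.
# User ID, file names and the empty passphrase are constructed for the demo.
DEMO_UID='Demo Student <demo@example.invalid>'

demo_setup() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    # Step 2: algo "default" + usage "default" creates a signing primary key
    # and an encryption subkey, both expiring after 120 days.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$DEMO_UID" default default 120d 2>/dev/null
}

# Step 4: primary-key fingerprint from machine-readable output (field 10).
demo_fingerprint() {
    gpg --batch --with-colons --fingerprint "$DEMO_UID" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 10: ASCII-armored detached signature, written to FILE.asc.
demo_sign() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# Steps 11-12: print gpg's status keyword and return its exit status.
# Scripts should test these, not the human-readable message text.
demo_verify() {
    out=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) \
        && rc=0 || rc=$?
    printf '%s\n' "$out" | awk '$1 == "[GNUPG:]" &&
        $2 ~ /^(GOODSIG|BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { print $2; exit }'
    return "$rc"
}

demo_cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }

demo_main() {
    demo_setup || return 1
    msg="$GNUPGHOME/message.txt"; echo 'constructed sample message' > "$msg"
    echo "fingerprint:   $(demo_fingerprint)"
    demo_sign "$msg"
    echo "intact file:   $(demo_verify "$msg")"
    echo 'tampered' >> "$msg"        # any change after signing breaks the check
    echo "modified file: $(demo_verify "$msg")"
    demo_cleanup
}
[ "${1:-}" != run ] || demo_main
```

Saved under a hypothetical name such as gpg-demo.sh, `sh gpg-demo.sh run` reports GOODSIG for the intact file and BADSIG (with a non-zero gpg exit status) once a line has been appended.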

To handin

Submit the following via handin: (All files must be in ASCII format, not binary.)


Last Modified: September 24, 2006 - Benjamin A. Kuperman