Assignment 2

Background

To complete this assignment, you will need to have completed reading of chapter three of the textbook and completed the slides/lectures on Identification and Authentication and Storing and Using Passwords.

Assignment Instructions

Reminder: All work turned in for this class must prepared in a form that I can open with Microsoft Word 2016.  Do not copy the homework text into your answers; I already know what the questions are, and putting superfluous filler into your answers just makes more work for me.

For this assignment and any others that require research you must answer in your own words and cite your references correctly. A cut-and-paste answer will earn a zero for the entire assignment and may earn a course grade of F for plagiarism.

There is only one thing to do for this assignment, but that "one thing" has several pieces. Please read the assignment all the way through so that you know where you're heading before you set out. Failure to do that is quite likely to result in your having to start over. You should set aside at least a couple of hours for this assignment.

Overview: You are going to do the following things

1. Prepare a word processing document with the answers to several questions and name it <user ID>_a2 with the appropriate extension for the word processor you're using (Example: My user ID is rbrow211, and I use Microsoft Word, so my document file would be rbrow211_a2.docx)
2. Install the Gnu Privacy Guard, also called GnuPG or GPG, on your computer
3. Determine a passphrase to guard your private key
4. Generate a public/private key pair for yourself
5. Import the instructor's public key into your copy of GnuPG
6. Encrypt the document from step 1 with the instructor's public key and sign it with your private key
7. Export your public key to an ASCII document file, sometimes called "ASCII armored." (There is no real armor or other security advantage and besides, this is your public key; it doesn't need security.) Name the key file <user ID>_a2_key.asc
8. Place the encrypted document and your exported public key in a zip file named <user ID>_a2.zip where <user ID> is your D2L user ID (Example: The course developer's user ID is rbrow211, so the developer's zip file would be rbrow211_a2.zip)
9. Upload the zip file to D2L.

Optional steps: I won't be able to verify that you've done these things, and they have no effect on your grade, but when you've finished the required parts, you'll be a long way toward setting yourself up to use public key encryption. You may want to do the following:

• Generate a revocation certificate (You will probably have to use the command line interface to do this.)
• Upload your public key to a public key server. (Key servers talk to each other, so one is usually enough.)
• Set up both digital signature and encryption for your preferred email program, if supported.
• Export your private key and revocation certificate to a backup medium.
• Have your public key digitally signed by two or three other people, beginning a "web of trust" for y our key. Note: you should only sign the public key of someone you can absolutely identify; similarly, only people who know you or can identify you should sign your key. For a counter-example, see this. (Contains vulgar language, so be warned.)

The assignment doesn't contain instructions for doing these things, but you will have learned enough to figure most of them out by the time you've completed the assignment. GnuPG does work as a command line program in all operating systems. In general, you must be "in" the directory containing the gpg binary. For actions not supported by the GUI interface, check http://www.gnupg.org/gph/en/manual/book1.html (This was written in 1999; remarks about the encryption algorithms are out of date, but the procedures are correct.)

Beware: If you start to use GnuPG, and one hopes you will, you will need to guard both your private key file and your passphrase. If you lose either, you will lose access to everything encrypted with your public key. If your revocation certificate is compromised, Evil Eve can revoke your public key. Be sure to take appropriate precautions.

Some terminology: You're going to be doing some research on the web. The terminology used in some web articles is a bit confusing. Here are definitions to help you.

OpenPGP

OpenPGP is a standard describing a mechanism for both encrypting and digitally signing files. Those files may be email messages or, as in this exercise, a "plain" data file. There is no "OpenPGP" program; two programs that implement the OpenPGP standard are described below.

PGP

PGP is a company and also the name of that company's products. The PGP products implement the OpenPGP standard. They're commercial products; they cost money. People pay PGP Corp. money to get technical support, regular product upgrades, etc. There was a free version of PGP, but it is now very out of date and should not be used.

GnuPG

GnuPG, also called Gnu Privacy Guard or GPG, is a free and open-source implementation of OpenPGP. As with other free software, support consists only of forums, mailing lists, and web articles. Upgrades and fixes are contributed by a dedicated group of volunteers.

Certificate

GnuPG refers to your public key as a certificate because it is. What's produced is your public key with a digital signature signed with your private key. That's a self-signed digital certificate. While it doesn't provide any assurance of correct binding to an identity, it does provide protection against tampering.

Step 1: Prepare a Document

Prepare your document according to the style guidelines for the class. Be sure it has your name on it. Your document is going to contain the answers to three questions. Please identify them as A, B, and C.

1. Using web searches, determine whether there's a means to integrate GnuPG with your preferred email program. For example, you might search on "zimbra gpg gnupg." Make an honest effort at searching, but don't spend more than 10-15 minutes on it. If GnuPG integration is supported for your preferred email client, write a paragraph describing what support you found and where you found it. If not, write a paragraph describing any efforts you found to support it. (Note: Even if GnuPG is not supported by your preferred client, you will be able to encrypt and sign documents, then send them as attachments to email messages when you have finished this assignment.)
2. You are going to encrypt your work with my public key, and I'll decrypt it with my private key when I receive it. However, I've asked you to include your public key in the zip file. In one sentence, explain why I need your public key for this assignment.
3. Write a paragraph or so giving your opinion of this assignment. Tell whether there should be more assignments like this and why, or why not.

Name your document <user ID>_a2 with the appropriate extension for the word processor you're using. Be sure you use something I can open with Word 2007. (Example: My user ID is rbrow211, so my document file would be rbrow211_a2.docx because I use Word 2007.)

Step 2: Install Gnu Privacy Guard

Windows users: Download and install GPG4Win (http://www.gpg4win.org/) and go through the documentation at http://www.gpg4win.org/doc/en/gpg4win-compendium.html. Be sure to install and use Kleopatra. You can do everything needed for this assignment with Kleopatra.

Mac OS users: Download and install GPGTools (https://gpgtools.org/). You will find documentation at the same link.

Linux users: You can get binaries and documentation directly from the GnuPG page (http://www.gnupg.org/)

Please note: I cannot provide technical support for any of these tools. I've tested the things I have asked you to do using GPG4Win, but only in my own environment. You are upper division students of computing. I expect that you can use your operating system of choice, install software, and follow the directions published with the software. Failing that, please get help from a more accomplished user of your operating system.

If you work in the lab, but want to save your work, there's some pretty minimal information about moving GPG4Win files to a USB drive here: http://superuser.com/questions/246177/how-to-store-kleopatra-pgp-keys-on-usb-drive.

Step 3: Determine a Pass Phrase

When you generate a GnuPG keypair in the next step, your private key will be stored in encrypted form on your hard disk. Someone who gains access to your hard disk or a backup of it can unlock your private key if they can guess or otherwise determine your pass phrase. What is needed is a phrase that you will remember easily, but that would be difficult for most others to guess. An example might be: My paternal uncle's name was George. I won't forget that, and even someone who knows about my family is unlikely to guess exactly that.

Some password crackers have incorporated the rules of English grammar into their cracking programs. If you re-cast your pass phrase into "Yoda speak" or otherwise mangle the word order, it is just as easy to remember and type, but no longer follows the rules of grammar and sentence structure: George my paternal uncle's name was.

You can make guessing a lot harder by "lying" when you create a pass phrase. My actual paternal uncle is Bill, not George, although neither one appears in any of my pass phrases

If there's any chance you will use GnuPG after this assignment and the next one, spend some time and take some care with your pass phrase.

If you forget your pass phrase, you will not be able to decrypt information that others encrypt with your public key. Depending upon just how confidential your encrypted information is likely to be, consider writing down your passphrase and putting it in a safe place, such as within an infrequently used book. Or not, as the case may be.

Step 4: Generate a public/private keypair

Follow the instructions for your version of the software to generate an OpenPGP public/private keypair. You will use the pass phrase from step 3 to lock your private key, and you'll identify the keypair with an email address. Consider picking a reasonably permanent email address for this exercise. You do not necessarily need to use your SPSU address. Choose the maximum key size supported by the software you have, but at least 2,048 bits as the key size.

Caution: GPG4Win and possibly the other programs allow one to create more than one kind of keypair. For this exercise, only an OpenPGP keypair will do.

Step 5: Import the Instructor's Public Key

GnuPG provides a way to store the public keys of people with whom you will exchange encrypted communications. Beware: Be sure you use your instructor's public key. If you use someone else's, your instructor will not be able to decrypt your work, and you'll get a zero on the assignment. The instructions below assume Bob Brown is your instructor. If that's not the case, be sure to follow your own instructor's directions for finding the proper public key.

You can find your instructor's public key file export dtatum certificates.asc .  Right-click the link to download the public key file.  Follow the instructions for your program for importing my public key so that you can encrypt messages to me.

Depending on the version of GnuPG software you're running, you may have to "certify" my key, i.e. sign it with your own private key, before you can use it for encryption. (I didn't need to do that when I tested with GPG4Win and Kleopatra.)

Step 6: Sign and Encrypt the Document

Sign the document with your private key and encrypt it with my public key. You will do both of these in one operation. Note: You are signing and encrypting a document file, not an email message. GPG4Win users can do this with the File menu on Kleopatra.

Your document file should come out named something like <userID>_a2.ext.gpg where "ext" is the extension used by your word processor. Example: rbrow211_a2_docx.gpg.

Beware: Do this carefully and be sure you use the key for your instructor. If I can't decrypt your document, I can't grade it, and you'll get a zero.

Step 7: Export Your Public Key

Export your public key to an ASCII file following the directions for the software product you are using. (Windows users: Use File -> Export Certificates. Others, see the instructions for the software you are using.) Name your file <user ID>_a2_key.asc, like rbrow211_a2_key.asc. Be sure you have a dot-asc extension. Open the file with a text editor and be sure it looks similar to the instructor's public key, which you downloaded in an earlier step.  (You can open that one with a text editor, too.) The content will, of course, be different, but it should be the same shape.

Be sure the file you get says "BEGIN PGP PUBLIC KEY BLOCK" because if you send me your private key a) you will have lost all confidentiality and b) you'll get a zero because I won't be able to validate your digital signature.

Step 8: Zip the Encrypted Document and the Key File

Using whatever zip program you like, create a zip file named <user ID>_a2.zip and containing the signed, encrypted document from step 6 and the public key file from step 7. Do not include a directory structure in your zip file; just zip the two documents. (If you include a directory structure, my automated script for unzipping the files will fail, and you'll get a zero. Check this by opening your zip file before uploading. If you see folders, there's a directory structure!)

Step 9: Upload to D2L

Upload your zip file to the Assignment 2 drop box folder in Desire2Learn. Be sure you click the submit button and that you get the confirming email message.

Grading Rubric

This section describes how your assignment will be graded. Except in the case of plagiarism, cheating, or copying, you cannot lose more than 100 points.

This assignment is worth 100 points in the "Assignments" category of the course grading plan.

The Assignment as a Whole

Failure to follow instructions: Up to 20 points for the entire assignment.

Grammar, spelling, and organization: Up to 20 points for the entire assignment.

Incorrect citation or use of the works of others: Up to five points subtracted per part, 50 points for the assignment as a whole. When you use the words or ideas of others, you need a citation in the text that ties to an entry in your "References" section. When you quote another's work, you need quotation marks. For an example, see An Example of Proper Writing in the "Required Reading" module.

Plagiarism, cheating, or copying another's work: A zero on the assignment and referral to the Student Conduct and Academic Integrity office for other penalties.

Late work: Late work will not be accepted by Desire2Learn and will be recorded as a zero.

The Assignment by Parts

Criteria	Points Available
The submitted document can be decrypted: 40 points.  (Note: although you get 40 points for correct encryption, incorrect encryption will result in a grade of zero on the entire assignment because the rest of the assignment cannot be graded if the encryption is incorrect.	40
The answer to the question concerning encryption of email shows an understanding of the problem and is not superficial.	10
The explanation of why the instructor needs the student's public key is correct and is not superficial.	10
The student's evaluation of the assignment is complete and not superficial.	10
The student's public key is included in the zip file.	10
The document submitted by the student is digitally signed as well as encrypted.	10
The student submitted a zip file containing encrypted document and student's public key; the zip file does not have a directory structure.	10

---

• Quicklink to assignment submission folder