hw05

advertisement
ITEC 345 – Project 2
Title: Creating public/private keys, generating digital signatures and using secure hash functions.
GOAL: Generating Public/Private keys and using them for encryption and digital signatures (non-repudiation)
with the software: GPG. Also, generating secure hashes on files using the software MD5sum.
PROJECT TYPE: Group project – you can work with the same group member as you had for first homework. Only
one of you needs to submit the homework.
LAB TO USE: For this lab you can either install the software on your personal computers (including Macs) or use
the department Linux server (rucs.radford.edu). Instructions on how to use these systems are given below.
1.
2.
Department server: The department has a linux server called rucs.radford.edu. You can login to this
server using your RU account. To login follow these steps:
a. Start an SSH client (for Windows):
i. If you are working from an on-campus lab, then look for either SSH client or Putty SSH.
ii. If you are working from home (on or off campus), download the following SSH client on
your computer (this requires administrative privileges to install):
http://sce.umkc.edu/~cotterr/SSHSecureShellClient.exe
b. Start an SSH client (for Linux or Mac)
i. Start a terminal.
ii. On the terminal type: ssh -l username rucs.radford.edu
1. Here “-l” is “dash followed by lower case l”. Note of a common error: You may
by mistake type “-1” (i.e., dash followed by 1, then you will get an error).
2. Username is your Radford username.
iii. When prompted enter password. Skip to step (d).
c. Enter the machine name (for Windows):
i. Start up the SSH client.
ii. In the host name field: enter rucs.radford.edu
iii. Enter the username in the username field (this is your Radford username).
Installing software on your home computer: If you want to work from home, you can do so by using the
following software. Please note that the instructions provided in the labs below have been customized for
the rucs lab. You should be able to export these instructions for your home machine. Software you will
need on your home computer:
1. GPG (Gnu privacy guard) – the most widely used public key generator. For Linux/Mac/OS: the best
known is the gpg available at www.gnupg.org. This is the most widely used public/private key
generator software.
2. MD5Sum (Linux) or MD5Summer (Windows/Mac):
a. For Linux: md5sum is available through yum or apt-get.
b. For Windows/Mac: md5summer (http://www.md5summer.org/)
Time estimated for the labs: On rucs – it is estimated to take not more 1 hour if you are well prepared and
working on the rucs lab.
Lab 1: Generate public/private keys for yourself and send me an encrypted message with MY (Prem’s) public
key.
DELIVERABLE: See step 5(a) (iv) below.
Use gpg to generate public/private keys. Login to rucs.radford.edu (
i. Read the section: “Generating a new keypair” from the manual:
http://www.gnupg.org/gph/en/manual.html and run the commands at the command
line (after you login to rucs). (e.g., the command gpg --gen-key should be run on the
command line).
b. Select Option 1 (DSA and ElGamal algorithms).
c. Select a keysize of 1024 bits.
d. Set the key validity to at least 1 month (so I have time to grade!). Default option is fine for this
lab.
Export your public key with the “—armor” option. Read the section: “Exporting a public key”
(http://www.gnupg.org/gph/en/manual.html#AEN65).
a. Make sure to use the “--armor” option (that is: 2 dashes followed by the word armor)
b. Save your public key in a file such as teamName.public (here Name is the name you can give to
your team so I can distinguish it).
a.
2.
E.g., If I was generating a public key with my email id, this is how I would do it:
gpg --armor --export puppuluri@radford.edu > prem.public
To generate keys, GPG needs to
generate random numbers which
it does by using the workload on
the computer. If your computer is
not doing a lot of work – it will
take quite a bit of time to
generate the keys. Hence, a
message such as “ … not enough
entropy to generate random
numbers….”., shouldn’t cause you
panic! Instead, simply do other
tasks such as web browsing ! Or
move the mouse on the terminal
window quite a few times.
4.
5.
Go ahead and open your public key file once you have created your
public key (You can use “more” command in UNIX/Linux). You should
see something like this:
-----BEGIN PGP PUBLIC KEY BLOCK----Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
…
-----END PGP PUBLIC KEY BLOCK-----
Congratulations! That is your public key.
3. Download MY (Prem’s) public key from D2L (see the file
prem.public on D2L in the homework 2 section).
Import my public key into your public key ring. Recall: a public key ring is a ring that contains all the
public-key of others that you have collected.
Encrypt a text file containing the message: “Hi! This is TeamXY whose team members are Alice and
Bob” (replace XY with your team name and the names Alice and Bob with the names of the teammembers) with my public key. * you can create a text file using notepad and sftp it into rucs.radford.edu.
Or you can use vi or pico or emacs editors to create one directly on rucs.
a.
E.g., if the text file containing the message is the file: example.txt, you can encrypt this using MY
(Prem’s) public key as follows:
i. gpg --out encrypted.txt --encrypt example.txt
ii. You will be prompted to enter the userid of the person whose public key you want to
use. Use my public key by entering my email id: puppuluri@radford.edu
iii. The file “encrypted.txt” will now contain the text message encrypted with my
public key. So it is now confidential. Only I can decrypt it.
iv. (Deliverable for Lab1) Upload the file encrypted.txt onto WebCT. Once I decrypt it
using my private key, I will know if your encryption has worked.
v. Self-test: You can test whether your public private keys are working using this method:
1. Encrypt the same file “example.txt”, but this time using your own public key.
2. Next decrypt it using your own private key. You can decrypt it with the “—
decrypt” option as follows:
a. gpg --output secretsareout.txt --decrypt encypted.txt
3. With this you should have gained hands on experience in being able to encrypt
or decrypt any message.
vi. Have some fun: Share your public key with other teams (friendly teams) and send
appropriate messages encrypted with their public key (This won’t be graded).
Lab 2: Digitally sign your message.
Deliverables: Your public key and the digitally signed message.
1. To generate a digital signature on a document, refer to the following section of the manual:
http://www.gnupg.org/gph/en/manual.html#AEN136m,
a. E.g., if the document to sign is example.txt, then you can sign it using your private key as
follows (example.txt.sig is the signed document):
i. gpg --output example.txt.sig --sign example.txt
ii. Since digital signatures involve encrypting the text document with your private key, you
will be prompted for the passphrase you used during the creation of your public/private
key pair. If you do not remember this phrase, you will need to go back to Lab 1 and start
from scratch.
b. Deliverable: submit the document example.txt signed with your private key on WebCT. Also
submit your public key (so I can verify your signature).
c. Self-test: You too can verify if your signature was created correctly. Simply decrypt the
document using your public key as follows:
i. gpg --output example.txt.verify --decrypt example.txt.sig
Lab 3: On D2L, you will find three files with ego-killing names: a.txt, b.txt and c.txt along with their secure
hashes (MD5 sum) (a.txt.md5, b.txt.md5 and c.txt.md5). However, something foul is afoot: at least one of those
files has been tampered with. Your goal is to compute new md5 sums for each file, compare it with the md5’s that
came along with each file and determine which file(s) was (were) tampered with by an international gang of file
tamperers. You can use a command such as md5sum a.txt to generate the md5 sum on a file.
Download