* 3 *

PGP/GPG

Self-test problems

None this week.

Graded problems

The purpose if this week's exercises is

If you experience problems carrying out these exercises, try them on a GNU/Linux machine with version 1.0.4 or greater of GPG. Some versions of GPG have known bugs.

Note: everyone must complete this exercise in person. You will use the techniques here to identify your contributions to the exam later.

  1. Think of a phrase which is easy to remember, then make yourself a public-private key pair with
    gpg --key-gen
    
    Choose all the default values. If you make a mistake, delete your keys cd; rm -r .gnupg and start again.
  2. If anyone gets hold of your private key, they have the digital equivalent of your fingerprints and DNA! Draw a vulnerability tree for your private key. Bear in mind that the key is stored in a file on your disk. How would your tree be different if you were working on a Windows machine?
  3. Download my public key, by typing
    gpg --import filename
    
    If you are complete certain that this key is mine, you could sign it, to indicate that you trust that they key is mine. If you are not sure, you could ask me for my key in a more secure way.
    gpg --edit-key mark
    command> sign
    
  4. A slightly more secure way for me to distribute my key is for me to sign my key like this:
    gpg --clearsign markskey 
    
    This results in a file called markskey.asc. Save this to a file and type
    gpg --verify markskey.asc 
    
    or simply
    gpg markskey.asc 
    
    You can now verify that the owner of the private key for "Mark Burgess" is the same person as the owner of the public key that you have received, because the signature was made with the private key. For these exercises we are using "cleartext" keys and signatures, so that you can see what they look like. These cleartext forms are useful for sending by E-mail, but it is also possible to save in binary format..
  5. Ask yourself how you know that the key you have collected is mine? Do you trust it? If so why? Is there anything stopping you from making a keypair for Bill Clinton or Mickey Mouse? Do you see why PGP does not solve the problem of trust?
  6. Make your public key available to others as a file in your home directory, by doing this:
    gpg --export -a loginname > ~/www/pubkey; chmod 644 ~/www/pubkey
    
    Check that the file is readable, and that it appears on the web page of local public keys, so that others can see your public key, and you can see theirs.
  7. This part must be done with your group, and documented for your project. This problem is about a trust attack on these encryption and sign mechanisms. For several years it was believed that, if a message was encrypted and signed, then it was secure because In this problem you will see that, based on what PGP/GPG normally tells you about a message, you can be fooled about who wrote what to whom! You will need three users, each with their own key-pairs in order to do this problem.
  8. Think of some more examples of how these attacks could be used in commerce.

Mark Burgess
Last modified: Sat Aug 4 15:44:33 MET DST 2001

Back