CY 2550 - Foundations of Cybersecurity
Project 1: Cryptography
Description and Deliverables
Every self-respecting infosec person should have a PGP (Pretty Good Privacy) keypair, so that other infosec people can send them strongly encrypted messages. In this project, you will generate a keypair for yourself, and learn the basics of how to generate, sign, and manage PGP keys, as well as encrypt and sign messages.
To receive full credit for this project, you will turn in the following two files:
- A file named key.pub which includes your public key in ASCII format. Your public key must meet the following four requirements:
  - Use RSA encryption and be 4096 bits long
  - Include your name and Husky email address
  - Be signed by at least two of your classmates
  - Include your picture
- A file named message.txt.asc that is encrypted using the class GPG public key and signed by your private key. The unencrypted message.txt file should be in plain ASCII format (no Word or PDF docs), and contain (1) your first and last name, (2) your NUID, and (3) the string "CS2550".
Christo Wilson 12345678 CS2550
Tools
There are many tools that support the PGP standard. In the remainder of this document I will provide a brief tutorial for using GNU Privacy Guard (GnuPG, or simply GPG), which is a free, open-source, command line implementation of PGP. You are welcome to use other tools if you wish, so long as they offer the necessary features to complete all the requirements of the project.
To install GPG under a Debian-based Linux distro, simply run:
$ sudo apt install gnupg
On recent Linux distributions, such as Ubuntu 18.04, this will install GPG version 2, which is what this assignment will assume you are using. On older Linux distributions, such as Ubuntu 16.04, version 2 of GPG can be installed via the "gnupg2" package instead (note that this method also changes the command to invoke GPG from "gpg" to "gpg2"). Other installation options for Linux, Windows, and macOS are available on the GnuPG homepage.
There are a number of useful command line arguments for GPG that you will need to complete this assignment. If you ever get stuck, you can always type
$ gpg --help
to see a list of common command line arguments, or
$ man gpg
to open up the manual page for GPG. Alternatively, you can Google "man gpg" to find an online version of the manual page.
$ gpg --full-gen-key
is the command to generate a new keypair. The --full modifier lets you choose your encryption algorithm and key length; if you use the abbreviated --gen-key command you will not be given these options and the default algorithm/key length will be used. Note: you are welcome to choose an expiration date for your keypair if you want to, but make sure your keypair will not expire until the end of the semester at least!
$ gpg --edit-key <UID>
allows you to change aspects of the key with the given UID. This command drops you into an interactive mode with many commands, which can be listed by typing "help". Commands that might be useful for this project include "addphoto" and "sign". When you're done editing a key, type "quit". You'll probably want to edit your key before you export it and get it signed by your classmates.
$ gpg --list-keys
$ gpg --list-sigs
$ gpg --check-sigs
all show the keys in your keyring. The first shows the keys, the second also shows their signatures (if they have any), and the last attempts to verify the signatures. Of course, you can only verify a signature from user X if you have imported a copy of X's public key.
$ gpg --import <file>
is the command to import key material from the given file. This will be very useful, since you'll need to import the class GPG public key, as well as public keys from your classmates (so you can sign them).
$ gpg --armor --export <UID>
is the command to export the public key with the given UID from your keyring. You'll need to export your public key so that you can give it to your classmates and receive their signatures. You'll also need to export your classmates' public keys after you sign them. Strangely, GPG prefers to output things in binary format, which is not particularly useful, so you almost always want to add the ASCII "armor" command line option.
$ gpg --armor --export-secret-keys
is the command to export all of your private keys. YOU SHOULD NEVER SHARE YOUR PRIVATE KEYS WITH ANYONE. THAT IS WHY THEY ARE CALLED PRIVATE KEYS. However, backing up your private keys is a good idea, possibly to a removable USB drive that you keep in a locked safe, or to a Yubikey.
$ gpg --armor --sign <file>
is the command to sign the given file using your private key. By default, GPG creates a new file with a ".asc" extension containing the ASCII armored, signed message.
$ gpg --armor --recipient <UID> --encrypt <file>
is the command to encrypt the given file for the given recipient. Obviously, you can't encrypt something for someone if you don't have their public key. Just as with signing, GPG produces a new file with a ".asc" extension containing the ASCII armored, encrypted file. Note that in this assignment you will need to sign and encrypt a file for me, which means you may need to combine command line arguments to produce the correct output.
$ gpg --decrypt <file>
is the command to decrypt the given file (and verify its signature, if one is present). Obviously, you can only decrypt a file if you hold the corresponding private key.
$ gpg --default-key <UID>
By default, GPG always uses the first private key in the keyring for signing, encryption, and decryption. If you have multiple private keys, this is the optional command line argument you need to select one other than the default when performing operations.
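One way to check a key against the key.pub requirements before exporting it, as an added example that is not part of the original assignment or the course's grading scripts: it parses GPG's machine-readable --with-colons listing. The function names, the sample listing, its key IDs and the husky.example domain are all constructed for illustration, and the signers' public keys must already be imported so that --check-sigs can verify them.

```shell
#!/bin/sh
# Added example (not course code): audit a key against the key.pub requirements.
# Real input: gpg --with-colons --check-sigs <UID> | check_key_listing <email-domain>

check_key_listing() {
  # $1 = expected e-mail domain (assumption: substitute your own Husky domain).
  awk -F: -v domain="$1" '
    # First "pub" record: field 3 = key length, 4 = algorithm (1 = RSA), 5 = key ID.
    $1 == "pub" && !have_pub { have_pub = 1; primary = $5 ""; bits = $3; algo = $4 }
    # Field 10 of a "uid" record is the user ID, e.g. "Name <user@domain>".
    $1 == "uid" && index($10, "@" domain ">") { email = 1 }
    # Photo IDs are listed as "uat" (user attribute) records.
    $1 == "uat" { photo = 1 }
    # With --check-sigs, field 2 of a "sig" record starts with "!" when the
    # signature verified. Count distinct signers other than the key itself.
    $1 == "sig" && substr($2, 1, 1) == "!" && ($5 "") != primary && !seen[$5 ""]++ { signers++ }
    END {
      if (algo != 1 || bits != 4096) { print "FAIL: primary key is not RSA-4096"; bad = 1 }
      if (!email)      { print "FAIL: no user ID at @" domain; bad = 1 }
      if (!photo)      { print "FAIL: no photo ID"; bad = 1 }
      if (signers < 2) { print "FAIL: " (signers + 0) " verified third-party signer(s), need 2"; bad = 1 }
      if (!bad) print "OK: RSA-4096, e-mail user ID, photo ID and two verified signers present"
      exit (bad + 0)
    }'
}

# Constructed, abbreviated listing (made-up key IDs, names and domain).
sample_listing() {
  cat <<'EOF'
pub:u:4096:1:AAAA1111BBBB2222:1546300800:::u:::scESC:
uid:u::::1546300800::HASH1::Alice Example <alice@husky.example>:
sig:!::1:AAAA1111BBBB2222:1546300800::::Alice Example <alice@husky.example>:13x:
sig:!::1:CCCC3333DDDD4444:1546400000::::Bob Example <bob@husky.example>:10x:
sig:!::1:EEEE5555FFFF6666:1546500000::::Carol Example <carol@husky.example>:10x:
uat:u::::1546300800::HASH2::1 5000:
sig:!::1:AAAA1111BBBB2222:1546300800::::Alice Example <alice@husky.example>:13x:
sub:u:4096:1:9999AAAA8888BBBB:1546300800::::::e:
sig:!::1:AAAA1111BBBB2222:1546300800::::Alice Example <alice@husky.example>:18x:
EOF
}

sample_listing | check_key_listing husky.example
```

The function exits non-zero and prints one FAIL line per unmet requirement; it does not check that the name in the user ID is yours.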
Backing Up Your Private Key
In the past, over 1/3 of students in the course lost access to their private key throughout the semester. This happened for a variety of reasons, including people choosing short expiration times for their keys, or because they used GPG inside a VM and the VM failed/became unbootable. You will need the keypair you generate during this project multiple times over the course of the semester. Thus, it is critical that you not lose your keys! You should make a backup of your private key, using the gpg --armor --export-secret-keys command, and store the backup in a secure, reliable location. Do not store your backup inside a VM!
Submitting Your Project
Before turning in the project, you must register yourself for our grading system using the following command:
$ /course/cs2550sp19/bin/register-student [NUID]
NUID is your Northeastern ID number, including any leading zeroes. This command is available on all of the Khoury College lab machines.
To turn in your project, you must submit exactly two files:
$ /course/cs2550sp19/bin/turnin project1 <project directory>
where <project directory> is the name of the directory with your submission. The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing a public key or message file. You may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.
At any time, you can run the following command to see all of your current grades for projects, essays, quizzes, and tests.
Grading
This project is worth 6% of your final grade, broken down as follows (out of 100):
- 10 points - turning in a 4096 bit, RSA public key
- 10 points - having a picture in your public key
- 25 points each - having two valid signatures on your public key from your classmates
- 30 points - turning in a correctly encrypted, signed, and formatted message.txt
- A big part of this assignment is social, i.e. signing each other's public keys. Take the pain out of key signing by throwing a Key Signing Party (Google it)!
- The assignment clearly states that message.txt needs to be signed and encrypted. That does not mean signed then encrypted, or encrypted then signed. The difference here is subtle but substantial, and you will lose points if you turn in the wrong thing.
- How can you tell if your message.txt is signed and encrypted correctly? You can't, obviously, because you don't have the class private key. Instead, I suggest signing and encrypting a message for one of your friends (you're going to have their public keys, right?) and having them verify that it worked correctly.