CS 2550 - Foundations of Cybersecurity

Project 1: Cryptography

This project is due at 11:59pm on Tuesday January 23, 2018.

Description and Deliverables

Every self-respecting infosec person should have a PGP (Pretty Good Privacy) keypair, so that other infosec people can send them strongly encrypted messages. In this project, you will generate a keypair for yourself, and learn the basics of how to generate, sign, and manage PGP keys, as well as encrypt and sign messages.

To receive full credit for this project, you will turn in the following two files:

  1. A file named key.pub which includes your public key in ASCII format. Your public key must (1) use RSA encryption and be 4096 bits long, (2) be signed by at least two of your classmates, and (3) include your picture.
  2. A file named message.txt.asc that is encrypted for me (Christo Wilson) and signed by you. The unencrypted message.txt file should be in plain ASCII format (no Word or PDF docs), and contain (1) your first and last name, (2) your NUID, and (3) the string "CS2550".
For example, a valid message.txt might look like this:
Christo Wilson 12345678 CS2550
Note that the message must be encrypted for me, which means you will need my public key. Where might you find that?

Tools

There are many tools that support the PGP standard. In the remainder of this document I will provide a brief tutorial for using GNU Privacy Guard (GnuPG, or simply GPG), which is a free, open-source, command line implementation of PGP. You are welcome to use other tools if you wish, so long as they offer the necessary features to complete all the requirements of the project.

To install GPG under a Debian-based Linux distro, simply run:

$ sudo apt install gnupg
On some Linux distributions, such as Ubuntu 16.04, a slightly more up-to-date version of GPG can be installed via the "gnupg2" package instead (note that this method also changes the command to invoke GPG from "gpg" to "gpg2"). Other installation options for Linux, Windows, and macOS are available on the GnuPG homepage.

GPG Tutorial

There are a number of useful command line arguments for GPG that you will need to complete this assignment. If you ever get stuck, you can always type

$ gpg --help
to see a list of common command line arguments, or
$ man gpg
to open up the manual page for GPG. Alternatively, you can Google "man gpg" to find an online version of the manual page.

$ gpg --gen-key
is the command to generate a new keypair. Note that on some versions of GPG (>=2.1), this command will not let you select the desired key length or encryption algorithm, in which case you should try the "--full-gen-key" command instead. Note: you are welcome to choose an expiration date for your keypair if you want to, but make sure your keypair will not expire until the end of the semester at least!

$ gpg --edit-key <UID>
allows you to change aspects of the key with given UID. This commands drops you into an interactive mode with many commands, which can be listed by typing "help". Commands that might be useful for this project include "addphoto" and "sign". When you're done editing a key, type "quit". You'll probably want to edit your key before you export it and get it signed by your classmates.

$ gpg --list-keys
$ gpg --list-sigs
$ gpg --check-sigs
all show the keys in your keyring. The first mearly shows the keys, the second also shows their signatures (if they have any), and the last attempts to verify the signatures. Of course, you can only verify a signature from user X if you have imported a copy of X's public key.

$ gpg --import <file>
is the command to import key material from the given file. This will be very useful, since you'll need to import my public key, as well as public keys from your classmates (so you can sign them).

$ gpg --armor --export <UID>
is the command to export the public key with the given UID from your keyring. You'll need to export your public key so that you can give it to your classmates and receive their signatures. You'll also need to export your classmates' public keys after you sign them. Strangely, GPG prefers to output things in binary format, which is not particularly useful, so you almost always want to add the ASCII "armor" command line option.

$ gpg --armor --export-private-keys
is the command to export all of your private keys. YOU SHOULD NEVER SHARE YOUR PRIVATE KEYS WITH ANYONE. THAT IS WHY THEY ARE CALLED PRIVATE KEYS. However, backing up your private keys is a good idea, possibly to a removable USB drive that you keep in a locked safe, or to a Yubikey.

$ gpg --armor --sign <file>
is the command to sign the given file using your private key. By default, GPG creates a new file with a ".asc" extension containing the ASCII armored, signed message.

$ gpg --armor --recipient <UID> --encrypt <file>
is the command to encrypt the given file for the given recipient. Obviously, you can't encrypt something for someone if you don't have their public key. Just as with signing, GPG produces a new file with a ".asc" extension containing the ASCII armored, encrypted file. Note that in this assignment you will need to sign and encrypt a file for me, which means you may need to combine some command line arguments to produce the correct output.

$ gpg --decrypt <file>
is the command to decrypt the given file (and verify its signature, if one is present). Obviously, you can only decrypt a file if you hold the corresponding private key.

$ gpg --default-key <UID>
By default, GPG always uses the first private key in the keyring for signing, encryption, and decryption. If you have multiple private keys, this is the optional command line argument you need to select one other than the default when performing operations.

Submitting Your Project

Before turning in the project, you must register yourself for our grading system using the following command:
$ /course/cs2550/bin/register-student [NUID]
NUID is your Northeastern ID number, including any leading zeroes. This command is available on all of the CCIS lab machines.

To turn-in your project, you must submit exactly two files:

the format and specification of which are described above. Both files should be placed in a directory. You submit your project by running the turn-in script as follows:
$ /course/cs2550/bin/turnin project1 <project directory>
where <project directory> is the name of the directory with your submission. The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing a public key or message file. You may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.

At any time, you can run the following command to see all of your current grades for projects, essays, quizzes, and tests.

$ /course/cs2550/bin/gradesheet

Grading

This project is worth 7% of your final grade, broken down as follows (out of 100): Points can be lost for turning in files in incorrect formats (e.g. not ASCII), failing to follow specified formatting or naming conventions, having signatures that do not verify, encypting messages using the wrong keys, etc.

Tips