Lab – Digital Certificates

I recommend using the Windows 10 vm for this lab. Alternatively, you can install gpg onto your [Windows](https://www.gpg4win.org/) or [Mac](https://gnupg.org/download/), but you're on your own if you do.

Part 1

Part 1a. Sign some public keys from the key signing party

First, make sure that Kleopatra is set to point to keys.gnupg.netnot pgp.mit.edu .

  1. Kleopatra > Settings > Configure Kleopatra > Directory Services. You should have only one entry here: keys.gnupg.net – and it should be set for OpenPGP (the default). If this is not the case, delete all entries, then press new. You should get the correct default.

Then, repeat the steps below for at least three classmates, not including myself.

  1. Verify their keys (i.e., witness the person show his/her government ID and attest that his/her key-id or fingerprint is correct)
  2. Sign the public key that you have verified.
    1. Get their public key into your keyring.
      1. I bundled many keys into a class keyring – find it on Canvas > Files > download and import the .asc. file there.
      2. If their key is not in the keyring,
        • you can use the Lookup Certificates on Server button within Kleopatra,
        • or you can manually navigate to keys.gnupg.net from a webbrowser, find their key,
          • select-all and copy to your clipboard, then Kleopatra > Clipboard > Certificate Import
          • select-all and paste into a blank notepad document, save with a .asc extension, then Kleopatra > Import Certificates
          • sometimes, the server is responsive via the protocol that Kleopatra uses, but not the web browser protocol. Try one if the other isn’t working.
          • While testing, I experienced the frustrating situation where https://keys.gnupg.net search-by-key-id-or-fingerprint did not work unless I opened “advanced options’ and deselcted all options on the left. Don’t forget to append 0x to your query.
        • You can make them do all this for you on your machine if you want, since they didn’t get their key in to me in time ;-)
    2. In Kleopatra, right-click the key > Certify Certificate.
    3. Check each of the key IDs that you have verified.
    4. Check “I have verified the fingerprint” (assuming that you have!)
    5. Choose which of your private keys you will use to sign/certify their key. Change the radio to “Certify for everyone to see”. Leave the “Send certified certificate to server afterwards” checked.
    Factoid: In pgp culture, it can be considered rude to upload someone else's key to a public server. They might not want your signature on their key, or they may not want their key on a keyserver. In practice, you could alternatively export their key after you have certified it, and send it back to them. But for this assignment, we will be rude. Upload the certified keys to a keyserver.
    1. Send the key to the keyserver.
  3. At this point, the signed-key owner should be able to redownload their own public key from the server, and see the new signature.

    1. Kleopatra > Lookup Certificates on Server > search for their key… reimport
    2. Double-click the key > User-IDs & Certifications > Load Certifications (may take a while) > check it out!

Part 1a deliverable

Question: What are the names, email address(es), and fingerprints or key-ids of the three people whose keys you signed?

Part 1b. Have at least three people sign and upload your key.

Follow the steps above, and make sure that your key is discoverable on keys.gnupg.net.

  1. Ensure that your public key is uploaded to a PGP key server like http://pgp.mit.edu. (In Kleopatra, you can upload it to OpenPGP by highlighting your key, right-clicking it, and selecting “export certificates to server”. Other key-management software should have similar easy-to-use functionality.)
  2. Ensure that your public key available on public key servers has been signed by members of the class. To do this, you can re-download or refresh your public key from the key server, then view your key details.
Question: What is your key-id or fingerprint? (Tell me again even if you submitted this before. It's possible that some of you lost your key and had to create a new one.)
Question: What are the names, email address(es), and fingerprints or key-ids of the three people who signed your key?

Part 1c. Send and receive an encrypted email via PGP

For this, use GPA (gnu-privacy-assistant), which is installed on the Windows 10 VM. GPA has access to the same keyring on your machine as does Kleopatra.

You will send an encrypted and signedemail to Leeds Information Security Management ([email protected]) (Key-id: 20E0A236).

Q: But how can we trust this key?

A: Download it and look at the signatures (refresh from the keyserver to see it). It was signed with key-id `8DC01F3A`, which I verified in during the key party belongs to me. Do you trust me? If you trust me, and you trust me to only sign keys that I have verified, then can you trust this unknown key?

You will receive a response encrypted with your key which contants a secret code. This secret code will be the deliverable for this question. You will not receive the code if:

  1. Launch GPA on the Windows 10 vm. It opens with the Clipboard view.
  2. In this view, type a funny joke for the Leeds Info Sec Mgmnt account.
  3. Click “Encrypt”. Choose at least the public key for `[email protected]
    • If you also want to be able to decrypt what you encrypt, then also select your public key.
  4. Check the box for Sign. Select with which key you will sign the message.
    If you are curious what a signed-but-not-encrypted message looks like, write a message, then press the `Sign` button within GPA. Observe the result -- the original message in plaintext, and a block with a signed hash. If you applied your public key to this signed hash, you would obtain a hash against which you could compare your own hash of the plaintext. Cool, isn't it? (The correct answer is "yes".)
  5. Copy-paste the output of the previous step into a gmail.com window or whatever. Just send it from an email address associated with your public key.
  6. Make sure that the recipient has access to your public key. You can provide a link to your key on the keyserver, or attach your public key.
  7. If you encrypted and signed your funny joke, then you will receive an encrypted response back, encrypted with your public key. Decrypt this response. This response is the answer to the next question in this lab.
    1. If you missed a step, you will receive back a plaintext message saying as much.
Question: What is the plaintext of what you received back?

Part 2. Overall Questions

Read the following article.

Question: Compare and contrast the trust models used by PGP public key versus X.509 certs used by websites.

Part 3. Communicate Securely with Signal

  1. Read about WhisperSystem’s Signal app here and here

  2. Also read about the cryptographic primities that the Signal protocol uses, here

Question: What attacks does Signal protect you against? Which does it not protect you against?
Question: On a high level, how does the Signal protocol work?
  1. Install the app “Signal” on an iOS or Android device (if you don’t have an iOS or Android device, borrow one from a friend). Ask a partner (friend or classmate) to do the same.

  2. Using Signal, call or send a text message to your partner.

  3. Reflect: How does your experience using Signal compare to using encrypted email with PGP?

Question: Visit this Slack channel and vent your frustration with pgp, or laud the accolades of Signal.