Lab2: Pretty Good Privacy

Goal

The goal of this lab is to provide hands on experience with PGP (Pretty Good Privacy), which can be used to provide confidentiality, integrity and authentication of messages transferred across insecure networks, e.g., sending email on the Internet. The lab uses the Gnu Privacy Guard (GPG), which is a free software implementation of the OpenPGP standard (RFC 2440).

Laboratory Work

In order to sign data and participate in key distribution (by signing other users' keys) you will need to generate a public/private key-pair. gpg supports different cryptographic algorithms and different key lengths, so you have to choose a combination to suit your needs. Use your name and email address for your key label and include your student number in the comment field.

In order to verify other peoples signatures, you will need to know their key. We have defined a user "k02230" who administrates this lab. The public-key of "k02230" can be found in the file k02230.asc. You need to download this key, import it into your gpg key-ring and sign the key, so that gpg will recognise it (a fingerprint of the key will be written on the blackboard in the "ebar").

The following quotation from Oscar Wilde´s "The Happy Prince" is included in this file. It has been signed by "k02230" in the file hp.txt.asc (the signature has not been separated from the data, so this file contains both). You need to verify the signature in order to check integrity and authenticity of the data. 

High above the city, on a tall column, stood the statue of the
Happy Prince.  He was gilded all over with thin leaves of fine
gold, for eyes he had two bright sapphires, and a large red ruby
glowed on his sword-hilt.

He was very much admired indeed.  "He is as beautiful as a
weathercock," remarked one of the Town Councillors who wished to
gain a reputation for having artistic tastes; "only not quite so
useful," he added, fearing lest people should think him
unpractical, which he really was not.

By signing other peoples keys, you state that you have verified that the specified key belongs to the specified user. These signatures allow you to authenticate messages when you are unable to verify somebody´s key yourself. If you know and fully trust one of the people who signed the key, gpg allow you to verify signatures made with that key. Moreover, if you know and marginally trust a number of the people who signed the key (the default is three marginally trusted signatures), gpg allow you to verify signatures made with that key. In this way, gpg is able to build a web of keys that you trust to a greater or lesser extend.

In order to test this Web of Trust, you need to exchange your key with four other students in the class. You should import three keys into your key-ring and define them as "marginally trusted". The owner of the fourth key should get the three other students to sign his key, before he gives it to you. You should then import this key into your key-ring, but do not sign it. The owner of the fourth key should also sign a message and send it to you. Knowing three marginally trusted keys, which have been used to sign the fourth key, should allow you to verify the signature without signing the fourth key yourself.

The laboratory work should be conducted Wednesday 14 September and Wednesday 21 September. The lab must be documented by a short report described in the next section. The report should be handed in (i.e. placed in one of the "letter boxes" for course 02230 in the entrance to B.322) before noon on Friday 30 September.

Documentation

The lab is to be documented by a short report in two separate sections, which respectively documents the practical work in the lab and the understanding of key management issues which are pivotal to the successful implementation of an authentication mechanism.

The first section of the report should document all decisions made during the lab work (e.g., choice of cryptographic algorithms and key lengths), results of operations using gpg (e.g., through copying output from the monitor and pasting it into the report) and name, uid and keys of students who have been used to establish a minimal web of trust.

The second section should compare and discuss the hierarchical approach to key distribution and key management used in PKI (Public Key Infrastructures) and CA (Certificate Authorities), and the peer-to-peer approach used in the PGP Web of Trust.

Useful Links

René Rydhof Hansen rrh@imm.dtu.dk
Last modified 12 September 2005.