Encrypting and signing e-mail



Similar documents
HW/Lab 1: Security with PGP, and Crypto CS 336/536: Computer Network Security DUE 09/28/2015 (11am)

WiMAX Public Key Infrastructure (PKI) Users Overview

1.2 Using the GPG Gen key Command

Signing and Encryption with GnuPG

Encrypting with KMail, Mozilla Thunderbird, and Evolution LOCK AND KEY BY FRAUKE OSTER

GPG - GNU Privacy Guard

Signing and Encryption with GnuPG

How to use PGP Encryption with iscribe

PGP from: Cryptography and Network Security

Introduction to Cryptography

INTRODUCTION TO CRYPTOGRAPHY

File and encryption with GPG4win & Enigmail

Ubuntu Open PGP IMPLEMENTATION. Dr. ENİS KARAARSLAN 2014

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

GPG installation and configuration

An Introduction to Secure . Presented by: Addam Schroll IT Security & Privacy Analyst

How To Encrypt A Traveltrax Report On Gpg On A Pc Or Mac Or Mac (For A Free Download) On A Thumbdrive Or Ipad Or Ipa (For Free) On Pc Or Ipo (For An Ipo)

The KGpg Handbook. Jean-Baptiste Mardelle Rolf Eike Beer

Open-Xchange Guard Major Release v Feature Overview V1.4

Tutorial: Encrypted with Thunderbird and Enigmail. Author: Shashank Areguli. Published: Ed (August 9, 2014)

Published : License : None

Chapter 6 Electronic Mail Security

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

Ciphire Mail. Abstract

Sharing Secrets Using Encryption Facility

USER GUIDE WWPass Security for (Outlook) For WWPass Security Pack 2.4

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Receiving Secure from Citi For External Customers and Business Partners

Security in Android apps

On-Core Software, LLC. 893 Sycamore Ave. Tinton Falls, NJ United States of America

The Handbook V 1.8 Adaptations by Ludwig Hügelschäfer Based on Version 1 by Daniele Raffo with Patrick Brunschwig and Robert J. Hansen.

Symmetric and Public-key Crypto Due April , 11:59PM

GPG Tutorial. 1 Introduction. 2 Creating a signing and encryption keys. 3 Generating a revocation certicate. Andreas Hirt July 12, 2009

How To Encrypt Data With Encryption

Wakefield Council Secure and file transfer User guide for customers, partners and agencies

to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many

Biography of Trainer. Education. Experience. Summary. TLS/SSL : Securing your website PGP : Secure your communication. Topic

Overview Keys. Overview

Cryptography and Network Security

How to Create and Maintain an Anonymous Identity Online

LiteCommerce Advanced Security Module. Version 2.8

Ciphermail Gateway Administration Guide

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

Cryptography and Network Security Chapter 15

CLIENT DATABASE SECURITY

Unifying Information Security. Implementing Encryption on the CLEARSWIFT SECURE Gateway

SECURE USER GUIDE OUTLOOK 2000

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Network Security Essentials Chapter 7

HMRC Secure Electronic Transfer (SET)

Ciphermail Gateway Administration Guide

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

AS DNB banka. DNB Link specification (B2B functional description)

How to Setup Privacy Guard Encryption.

Accellion, Inc Embarcadero Road Suite 207 Palo Alto, CA Tel Fax

WS_FTP Professional 12. Security Guide

Internet Programming. Security

Electronic Mail Security

CIPHERMAIL ENCRYPTION. CipherMail white paper

GPG4win / Kleopatra Documentation. Secure file and encryption by using GnuPG for Windows

Is your data safe out there? -A white Paper on Online Security

Installing your Digital Certificate & Using on MS Out Look 2007.

Cryptography and Security

File Transfer. User Guide For Clients and Vendors. Last Revised: October

1 Step 1: Select... Files to Encrypt 2 Step 2: Confirm... Name of Archive 3 Step 3: Define... Pass Phrase

[SMO-SFO-ICO-PE-046-GU-

HMRC Secure Electronic Transfer (SET)

Encrypting your Communications using PGP

Using Your PGP Tool to Update Your Address Settings for Encrypted Messaging

ireadsmime User Guide For iphone, ipad, and ipod Touch

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Using Entrust certificates with Microsoft Office and Windows

WebApp S/MIME Manual. Release Zarafa BV

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

Djigzo S/MIME setup guide

IBM Client Security Solutions. Client Security User's Guide

BCTextEncoder Help File

Project #2: Secure System Due: Tues, November 29 th in class

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

GNUTLS. a Transport Layer Security Library This is a Draft document Applies to GnuTLS by Nikos Mavroyanopoulos

Molina Medicaid Solutions EDI Unit sftp Companion Guide 9/5/2012

Exam Papers Encryption Project PGP Universal Server Trial Progress Report

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Elements of Security

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Key Management and Distribution

isecur User Guide for iphone

PENN. Social Sciences Computing a division of SAS Computing. SAS Computing SSC. File Security. John Marcotte Director of SSC.

Quick Reference Guide. Online Courier: FTP. Signing On. Using FTP Pickup. To Access Online Courier.

SBClient SSL. Ehab AbuShmais

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol)

Policy Based Encryption E. Administrator Guide

Policy Based Encryption E. Administrator Guide

Options for encrypted communication with AUDI AG Version of: 31 May 2011

Secure FAQs 1

WS_FTP Professional 12. Security Guide

Transcription:

Encrypting and signing e-mail V1.0 Developed by Gunnar Kreitz at CSC, KTH. V2.0 Developed by Pehr Söderman at ICT, KTH (Pehrs@kth.se) V3.0 Includes experiences from the 2009 course V3.1 Adaptation for DASAK, by Sonja Buchegger at CSC, KTH (buc@kth.se) V3.2 Adaptation for CSC hosting, some clarifications, by Sonja Buchegger E-mail security is based on a set of cryptographic algorithms ensuring both that only the holder of a specific key can read a message (encryption) and prove the message has not been changed in transit (signing). The goal of this lab is to familiarize yourself with e-mail security using the well known tool GnuPGP (http://www.gnupg.org/), also known as GPG. GPG is a free implementation of the OpenGPG (http://www.openpgp.org/) standard, which is based on the commercial tool PGP (http://www.pgp.com/), Pretty Good Privacy. This lab can also be done completely remotely. All you need to do is to send 5 e-mails, if you do everything correctly. If you need help with the lab, please come to the lab sessions. The lab shall be solved individually. You are not allowed to solve the lab for another student. Table of Contents Encrypting and signing e-mail...1 Step 1: Getting GnuPG...3 Some common problems when solving this lab...4 GnuPG and usability...4 Step 2: Importing the course key...4 Step 3: Creating your keys...5 Step 4: Submit your key for signing...5 Step 5: Add an extra e-mail address to the key...6 Step 6: Signing of keys...6 Step 7: Submit your key (again)...6 Receiving e-mail...6 Sending secure e-mail...7 Step 8: Signed messages...7 Step 9: Encrypted messages...7 Step 10: Encrypted and signed messages...8 Step 11: The report...8 Common error messages and how to solve them...10 ERROR: Could not import user id's. Typically caused by UIDs created in the future (wrong system time)...10 ERROR: Did not find any keys to import/verifying signature failed/decrypting message failed/decryption and verification failed...11 Page 1/12

ERROR: Did not see any signatures not made by course key...11 ERROR: Found # User-ID:s in the file. The initial submission should be with one User-ID. Generate a new key and try again...11 ERROR: Found more than one key in your submission...11 ERROR: Incorrect. I read your answer as:...11 ERROR: Key cannot be used for encryption...11 ERROR: Secret key was imported, please generate a new keypair and be more careful next time.../the secret key for this key was already imported. Please generate a new keypair and be more careful next time...11 ERROR: Signature was invalid (status xxxxxxx)...12 ERROR: Submission was encrypted with # keys, should be encrypted to exactly two keys/submission was only encrypted with a single key, should be encrypted to two keys...12 ERROR: Subkey expires in more than 3 months/subkey never expires...12 ERROR: Submission was not signed...12 ERROR: The User-ID found is "Foo Bar <Foo@Bar.com>". It should have an e-mail address in the @kth.se domain...12 ERROR: Tried to import something but failed. This can be caused by broken data, revocation certificates or broken UIDs (such as UIDs created in the future)...12 ERROR: Validation of your result failed. Key correctly signed by course key? I read your answer as:...12 Page 2/12

Step 1: Getting GnuPG If you do the exercise on the CSC Linux computers, the command is gpg. If you use CSC Solaris computers, just "module add gnupg" - depending on the version, the command for gpg can be gpg2. For working on other platforms: You can download GPG from http://www.gnupg.org/, or use a package manager. Typically the command in linux is something like aptitude install gnupg, yum install gnupg, apt-get install gnupg or similar. If the package is not found in your package system you can always do an install from the tarball on the GnuPG homepage. Under windows you use the installer from the homepage. It is very helpful to add the directory where the GPG application is located to your path, so you do not need to look it up to use it from the console. It is also possible to install it under MinGW (http://www.mingw.org/) Under MacOS X you can install it using GnuPorts or from the homepage. GPG itself is a command line application and you can test if it works correctly by typing gpg --version at the command line. The format of the output should look something like this: netsec:/# gpg --version gpg (GnuPG) 2.0.9 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Used libraries: gcrypt(1.4.1) Many prefer to use front-ends such as EnigMail (http://enigmail.mozdev.org) for Thunderbird, GPGMail (http://sourceforge.net/projects/gpgmail/) for Mail.app or GPGpine for pine. You are welcome to try them, but they are not needed to solve the lab. If you decide to continue using GPG they are very helpful. While you are free to choose any software or front-end you wish, please note that you will need the commands for the report and that the lab has only been tested with the basic GnuPG tool, Thunderbird and KTH webmail. Many of the tools and front-ends found on the web are broken in various interesting ways, including giving you limited, conflicting, or even completely wrong output. We are aware of some front-ends not reporting all keys used in signing/encryption, automatically importing keys and other bad stuff. Many clients also mess up the formating of e-mails, preventing correct decoding of the data. This will prevent you from successfully completing the lab. therefore the course administration will not help you with software issues you might encounter, except for usage of modern versions of GnuPG. Page 3/12

For the final report include: How to install GPG on your system How to install the front-ends (if any) you used Some common problems when solving this lab Note that every single mail you send MUST come from your e-mail @kth.se. No other source addresses will be accepted by the system. All e-mails must have the answers in the body of the mail as plain text. Word, openoffice, rtf, ps, dvi, pdf, html or other formats will fail. It is very common for e-mail program to send HTML or RTF by default. You will have to turn this functionality off. The system doesn't decode attachments. The system currently doesn't handle attachments, PGP/MIME, SMIME or similar, so if you use a front-end make sure it can do traditional in-lining instead. If you don't see something like ----BEGING GPG <TYPE>----- in the start of the body e-mail you should verify how you send encrypted mails. A common problem is to not ask GnuPG for all information and few front-ends prints all the information you need. The -vv (very verbose) switch is very helpful, as it prints extended information about what gpg is doing. The deadline for the lab can be found on the course website. Please note that the deadline is both for the upload of the final report and the work against the corrector system. Do not save the lab to the last day. GnuPG and usability GnuPG is not the easiest tool to use and combined with the complexity of the cryptography involved it can take some time to get used to. The documentation for gpg can be found at http://www.gnupg.org/documentation/index.en.html and is a good start. Obviously you can use google and man-pages to get additional help. Part of the task in this lab is to create your own manual for GPG. This will be in the form of a report, covering what you have done in the lab and how to use GPG correctly. For the final report, include: References Any other student that helped you with the lab Step 2: Importing the course key To verify signatures you will need the course key from the course website. Once you have imported and verified the key, give it an appropriate trust level. Page 4/12

For the final report The commands used to import keys The commands used to verify you get keys with the correct fingerprints The commands used to verify the signatures on keys The commands used to set trust levels for keys The interpretation of the output Step 3: Creating your keys To use public key cryptography you need to generate your keys. GnuPG lets you tune the cryptographic security of the keys, depending on how slow you want key generation (and encryption, decryption, signing and verification...) to be. http://www.keylength.com/ is one place that offers concrete recommendations for which keylengths are suitable depending on the security required. Key generation can take a few minutes, if you get the message to generate more randomness, type, click around, or open other terminals and run commands like ping kth.se, or du -h / Password protect your key when you generate it. This password prevents somebody with access to your computer from easily stealing your keys. When you generate the key make sure the name of the key matches your name, the e-mail is your @kth.se e-mail and you state the course code DD2395 in the comment field. Make it valid for at most 3 months. For the final report: Command used to generate the keys How much time it took to generate the keys Motivation for the security settings The identity you created for the key The fingerprint for the key Step 4: Submit your key for signing Now you get your key signed by the correction system. While a multitude of key formats exists, it is usually a good idea to use ascii-armor. This is an encoding that avoids characters known to cause problems with e-mail systems. So, export the (public) key you generated and e-mail it to <gpgkey@dasakh10.csc.kth.se>. Make sure you send it from your @kth.se address. There should only be a single identity in the key, with your @kth.se address. Once you have submitted your key you will, if the submission looks correct, get it in return, now signed by the course key. Due to the grey-listing used at kth.se it can take up to an hour before you receive the response. For the final report: Page 5/12

The signature added to your key Step 5: Add an extra e-mail address to the key It is very common to have multiple identities and e-mail addresses. These can all be bound to the same key, so your friends don't need to keep track of multiple keys to communicate with you. So add an additional identity to the key with a second e-mail address (for example your main address if it's not @kth.se). For the final report: Description of the second identity Commands to manage identities Step 6: Signing of keys While it's nice to get a signature for free, the correction system has not done very careful checking of your key (and that you are you). Therefore you will have to prove you are not an impostor by getting an additional signature for your key. Find another student and get them to sign your key, setting an appropriate trust-level. For the final report How to sign keys using GPG Description of the signature and the trust-level the other student gave you. The commands and interpretation of the output to Manage trust levels Signing keys Step 7: Submit your key (again) Now export your public key, using ascii-armor and submit it to <gpg-key@dasakh10.csc.kth.se>. The mail must come from your @kth.se address. At this point your key should be signed with the course key, another student key and have several identities included. Note: You can examine what you have exported using gpg -v <filename> Receiving e-mail If you have successfully sent in your key you will get 4 mail in return. One status mail, one mail with signed data, one mail with encrypted data and one mail with both signed and encrypted data. Do not lose these e-mails! If you lose them you will have to resend your public key to get a new set. The mails you receive contains a few cryptographic checksums (in the form of long strings). They are unique by e-mail address and you will have to return them to prove you have correctly Page 6/12

decrypted and verified the signatures. Each mail contains several sections that can be encrypted or signed. They are separated by ============= separator ============= This is not a part of the text, but only there to simplify for you. You should never send this separator back or use it as a part of the lab. Sending secure e-mail Now it's time to send secure e-mail back to the correction system. You shall send three e-mails, each mail containing the parts of the e-mail you received that were properly secured. The correction is very thorough. While we will accept some extra whitespace (outside strings) any extra data or missing data will get your submission rejected. You will have to prove you understand which parts of the messages you received are secure and which parts are not. While we will send you multiple blocks of data you shall only return a single block, properly secured. This is how you normally use PGP. The reason for including several blocks in the message you get is simply to save you from getting 30 emails in your inbox. So, the message you return shall look something like this: 52df87027fb5c969b86a70cbb75dff5694a351c0 b1fd51f50b438ae8a13d15a16a8cfbe60fc940e4 c8212761382d4063de3abc7615a4acb41b100b0b 1f24d96801984c6502e11116931296f82d032144 5d0be34c127d864a835f821c45963dd288149b10 (Before encryption and signing) Step 8: Signed messages You received one message from <gpg-sign@dasakh10.csc.kth.se> with signed data. Respond to this e-mail with all the parts of the mail that were properly signed using the course key in a single block. The block you send also has to be signed (using clear sign makes it easier to see what you are doing). Again, only send ascii text. For the final report: The commands used to verify signed messages Interpretation of the output from the commands A table with your analysis of each part of the original message where you motivate why it's correctly signed (or not) Which key do you use to sign the reply? Example output from GnuPG illustrating your analysis Page 7/12

Step 9: Encrypted messages You received one message from <gpg-crypt@dasakh10.csc.kth.se> with encrypted data. Respond to this e-mail with the parts of the mail that were properly encrypted and confidential. Note that it is very common to add yourself to the recipient list along with the real recipient. This lets you read your own e-mail after the encryption. For the correction to work correctly you will have to do this. Also note that only you and at most the course administration should be able to read the e-mail, nobody else. For the final report: The commands used to verify encrypted messages Interpretation of the output from the commands A table with your analysis of each part of the original message Motivate why it's correctly encrypted (or not) Which key do you use to secure the reply? Example output from GnuPG illustrating your analysis Step 10: Encrypted and signed messages You received one message from <gpg-both@dasakh10.csc.kth.se> with encrypted and signed data. This is a common usage of GPG, providing both confidentiality and integrity protection. Respond to this e-mail with the parts of the mail that were properly encrypted and signed. Make sure nobody else can read the messages you receive. Once again you will have to use both keys for the encryption. For the final report: The commands used to verify signed and encrypted messages Interpretation of the output from the commands A table with your analysis of each part of the original message Motivate why it's correctly encrypted (or not) Which key do you use to secure the reply? Example output from GnuPG illustrating your analysis Step 11: The report Once you have gotten e-mails showing you have correctly completed each of the previous tasks, you will have to submit the report. The final report shall have the following structure: 1) Your full name Page 8/12

Your personnummer Your e-mail address @kth.se Table of Contents 2) Installing GnuPG How to install GPG on your system How to install the front-ends you used (if any). 3) Importing and trusting keys The commands and interpretation of the output when Importing keys Verifying correct fingerprints Verifying key signatures Setting trust levels for keys Interpretation of the signature added to your key 4) Creating keys The commands and interpretation of the output when generating keys How much time it took to generate the keys Motivation for the security settings. The identity you created for the key The fingerprint for the key 5) Signing keys How to sign keys using GPG Description of the signature and the trust-level the other student gave you. The commands and interpretation of the output when: Manage trust levels Signing keys 6) Managing Identities How to generate a new identity for a key Description of the second identity 7) Signed The commands used to verify signed messages Interpretation of the output from the commands A table with your analysis of each part of the original message Page 9/12

Motivate why it's correctly signed (or not) Which key do you use to secure the reply? 8) Signed examples Example output from GnuPG illustrating your analysis 9) Encrypted The commands used to verify encrypted messages Interpretation of the output from the commands A table with your analysis of each part of the original message Motivate why it's correctly encrypted (or not) Which key do you use to secure the reply? 10) Encrypted examples Example output from GnuPG illustrating your analysis 11) Signed-Encrypted The commands used to verify signed and encrypted messages Interpretation of the output from the commands A table with your analysis of each part of the original message Motivate why it's correctly signed and encrypted (or not) Which key do you use to secure the reply? 12) Signed-Encrypted examples Example output from GnuPG illustrating your analysis 13) References Any other homepage or resource you used to solve the lab Any other student that helped you with the lab Throughout the lab there have been instructions of parts that should be in your report. Make sure to include all these points. The report shall be mailed to buc@kth.se, subject DD2395. The document shall be correctly signed (with your key) and encrypted (remember to make sure you can decrypt it yourself!) using the course key and the key for buc. We will verify the report and that you have correctly completed the lab. You have to hand in the report and succeed in the outlined steps to pass this lab exercise. Common error messages and how to solve them This is a list of the common error messages you might get from the system and how to solve the problems related to these errors. Page 10/12

ERROR: Could not import user id's. Typically caused by UIDs created in the future (wrong system time) The system parsed your key correctly but failed to import your UIDs. This is most likely due to the creation date of the UID being in the future or too far into the past. Check your system time and generate a new key. ERROR: Did not find any keys to import/verifying signature failed/decrypting message failed/decryption and verification failed The system tried to verify or decrypt the message, but GPG returned a non-zero return code and no data. This is commonly caused by formatting errors, such as HTML mail, the key in attachment, multiple GPG blocks and similar. Make sure you only include a single, properly armored, block and it is in the body e-mail. ERROR: Did not see any signatures not made by course key Did you really get another student to sign your key? Did you import that signature? And then export the key again? ERROR: Found # User-ID:s in the file. The initial submission should be with one User-ID. Generate a new key and try again. Your initial submission should not contain multiple UIDs. Follow the lab instruction and submit a key with a single UID first. ERROR: Found more than one key in your submission Typically caused by exporting multiple keys before sending the mail to the lab system. By specifying which key you want to export you avoid this error. You can also try importing the key you have exported to make sure it contains what you think it contains (gpg --import -nvv). ERROR: Incorrect. I read your answer as: This means the lab system correctly verified/decrypted the gpg block in your submission and failed when it verified your submission against the expected answers. The lab system is doing a string matching of the rows. Make sure there is no extra data in the output (compared to what you encrypted/signed). Then make sure you have chosen the correct set of blocks as your answer. ERROR: Key cannot be used for encryption You have generated a sign-only key. This key can not be used for the lab and you will have to generate a key allowing both signing and encryption. Page 11/12

ERROR: Secret key was imported, please generate a new key pair and be more careful next time.../the secret key for this key was already imported. Please generate a new key pair and be more careful next time You sent your secret key to the lab system. As it is no longer secure you will have to generate a new key pair and start over. ERROR: Signature was invalid (status xxxxxxx) Your signature was parsed correctly but was found invalid. Make sure you don't modify the data in transport. ERROR: Submission was encrypted with # keys, should be encrypted to exactly two keys/submission was only encrypted with a single key, should be encrypted to two keys You have to make sure you use exactly two keys to encrypt the submission. That is your own key and the course key. Nobody else may read your submission. ERROR: Subkey expires in more than 3 months/subkey never expires Make sure you set a correct expiry date on the key when you generate it. It's in the lab instructions. ERROR: Submission was not signed You did not sign the submission correctly before sending it to the lab system. ERROR: The User-ID found is "Foo Bar <Foo@Bar.com>". It should have an e-mail address in the @kth.se domain Make sure your primary UID is in the @kth.se domain. This is important as the lab system will only speak to @kth.se addresses. ERROR: Tried to import something but failed. This can be caused by broken data, revocation certificates or broken UIDs (such as UIDs created in the future) Catch all for parsing errors when importing keys. If you get this the key has been parsed but GPG failed to import your keys. ERROR: Validation of your result failed. Key correctly signed by course key? I read your answer as: Catch all for validating submissions.. If you get this GPG returned something, but also had an error. The answer part is what gpg returned. Typically caused by sending data to the gpg-sign/crypt/both before you have your key correctly signed by the course key. Page 12/12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information