INFORMATION

• This lab covers the material from unit G in our syllabus: Computer Security and Computation.
• The purpose of this lab is to give you an experience of working with encrypting, signing, and decrypting messages with PGP.
• You may find the pages on security in the Reed text helpful (pages 181 - 184). Lecture Notes G1 are useful as well
  
  

1. In this lab, we will see how public key encryption works by using the PGP software. There are many versions of PGP for Mac, Windows, and Linux. The version we will be using is called the GNU Mac Privacy Guard (called MacGPG).
2. For this lab you will be encrypting/decrypting messages using the GPGTools on the Mac in the lab. Be sure to e-mail me with your results where mentioned in the steps in the lab,
   1. My email address is: chipp@sci.brooklyn.cuny.edu
3. However, you will probably not be able to do this lab from home, because you probably do not have PGP software installed on your computer. (It can be downloaded free from www.pgpi.org. for the PC and MacGPG for the Mac)

Encryption Software - PGP

Step 1. Downloading GPG Tools

a. Check if the folder GPGLab exists in the Persistent Storage > Shared folder on your Mac. This is the same folder that Processing 0125 is installed in.

b. If the folder does not exist, download GPGLab.dmg (this file is called a DISK IMAGE, it's like a Virtual Flash Drive).

c. Double click on the .dmg file, this will open the DISK IMAGE

d. DRAG the folder named GPGLab from the DISK IMAGE to the Persistent Storage > Shared folder on your Mac.

e. Close the DISK IMAGE window.

a. In the GPGLab folder open the GPGKeychainAccess program. This program will manage your public and private key along with the public keys you receive from others.

b. Click on the New button (it will looke like a little key icon). Follow these steps through the "Make a new key" wizard:

1. Introduction: click Continue

2. Select the Kind of Key: (default is fine) click Continue

3. Select the Key Size: (default: 1024 is fine) click Continue

4. Set the Expiration Date: (default: keep everything unchecked), click Continue

5. Set Your Identity: Enter your Full Name, your E-mail Address, and any Comment you'd like. (keep Use my card from Address Book unchecked), click Continue.

6. Set Your Passphrase: Enter a passphrase - make sure you remember it for later! You'll have to enter it again Verify, click Continue

7. Confirm Your Selections: click Continue

8. Now making your key: wait and click Finish when ready.

9. You'll see the Key appear in the list of Public and Private keys in the list of the GPGKeychainAccess program.

Step 3. Using TextEdit, create a small text file (It can be just one or two lines long.) and save it in the GPGLab folder.

Step 4. Sign the File with you Private Key

a. Drag your text file onto the GPGFileTool program.

b. In the window that pops up, in the pull down menu, change Sign & Encrypt to Clearsign.

c. Check ASCII armored.

d. Click Do It.

e. Select your private key from the pop-up box. Click Ok

f. Enter your passphrase that you entered when you created your key. Click Ok

g. Rename your message and save it in the GPGLab folder. Click Ok. (Click on .asc if that option is presented)

Step 5. Open the signed file in TextEdit

Step 6. Verify the signed file

a. Drag the signed file onto the GPGFileTool program.

b. The pull-down menu should have Verify Signed Data option by default.

c. Click Do It

d. Is the signature status good?

Step 7. Change the signed file

a. Open the signed file again in TextEdit and change the message portion very slightly (maybe change just one word, or even just one letter).

Step 8. Verify the signed file again

a. Drag the signed file onto the GPGFileTool program.

b. The pull-down menu should have Verify Signed Data option by default.

c. Click Do It

d. Is the signature status now still good?

Step 9. Add a Public Key to the Key Ring

a. Download my Public Key, save it as a file in the GPGLab folder (it's call ChippKey.gpgkey by default)

b. Open the GPGKeychainAccess program.

c. Click on the Import button at the top righthand corner.

d. Open the Public Key file (called ChippKey.gpgkey by default)

e. The Public Key file should import successfully.

Step 10. Encrypt and Sign the File

a. Write a short message to me in a text file in TextEdit and save it in the GPGLab folder.

b. Open the program GPG Tools ( A window with 4 buttons should pop-up (it might take a moment) )

c. Click on Encrypt & Sign

d. Choose your short message text file from the GPGLab folder in the File Dialog box.

e. GPG Recipients: since we have not confirmed that my Public Key file is genuine, we need to check the Allow untrusted keys option. My Public Key should now appear as a User. If it does not: close this program, go back to the GPGKeychainAccess, and verify that my Public Key has been Imported correctly (You may have to Quit out of GPGKeychainAccess to update the Key Database)

f. Double click my Public Key in the list.

g. In the pop-up box that follows, choose YOUR Private Key from the pull-down menu.

h. Enter your passphrase for your Private Key.

i. There will be a message that the operation failed. Click OK, and Ignore this message!

j. The signed and encrypted file will be in the GPGLab folder, with the same file name as the message you created along with the file extention of .pgp

k. Take a look at the encrypted file in TextEdit. Don't change anything in the file!

l. Email the encrypted file to me as an attachement: chipp@sci.brooklyn.cuny.edu

Step 11 Verify the Authenticity of Files

a. For this part, you will need my Public Key from Step 9 above loaded in your KeyChain

b. Download these two signed messages and save them in your GPGLab folder

Message 1

Message 2

c. Open the files in TextEdit and read the messages.

d. Determine whether the files are legitimate or not by verifying them with the GPGFileTool (as in Step 8 above)

e. E-mail me with your results: chipp@sci.brooklyn.cuny.edu

Step 12 Give someone your Public Key

a. In order to send someone in the class an encrypted and signed message you need their Public Key.

b. Export your Public Key, but opening GPGKeychainAccess

c. Select your Public Key from the list. Click on the Export button in the top-righthand corner.

d. Check on the ASCII armored option in the dialog box.

e. Rename the Public Key with yourname-Key, save it in you GPGLab folder

f. Now give your Public Key file to someone else on a USB drive, or send it in an e-mail as an attachment.

a. Once you get someone else's Public Key, import it using the GPGKeychainAccess program as described with my Public Key above in Step 9.

b. Write a short message that the person who's Public Key you received in TextEdit.

c. Encrypt and Sign the message using the Gpg Tools as described above in Step 10.

d. Give your Encypted and Signed file to person who gave you their Public Key.

Step 14. Decrypting and Verifying the File

a. With the encrypted file you received from someone else, you can drag that file (the .pgp file) onto the GPGFileTool program.

b. A pop-up box appears with the Decrypt option in the pull-down menu. Click Do It.

c. Enter your passphrase to decrypt the file.

d. Save the decrypted message (possibly renaming it) in your GPGFile folder.

e. Open the decrypted file in TextEdit and read the message.

Read More about It! You can read more about the mathematics of public key encryption here, and you can look at an example with the arithmetic worked out.