Week 5 Assignment
Due Sunday, October 8, 2006
Cryptography
The Lesson
First, a brief review of terminology. When you wish to send a message to someone in a secure fashion, you first take the plaintext message (the original message without any cryptography), and encrypt it using a cryptographic algorithm and a cryptographic key. This process generates the encrypted message, also known as the ciphertext. This message is unintelligible, so you may safely transmit it across an open communications circuit (such as the Internet) to the intended recipient.
When the recipient receives the ciphertext message, he or she uses the same cryptographic algorithm with either the same (for a symmetric cryptosystem) or different (for an asymmetric cryptosystem) cryptographic key to decrypt the ciphertext into the original plaintext.
All of these terms should be clear to you. You should also have an understanding of the different types of keys (e.g. public/private, secret, etc.) and their uses. If not, please review the week’s reading assignment again or post a question here in the discussion forum.
One of the most important technologies to web developers/administrators is digital signature/certificate technology. Remember that a digital signature is used to prove the origin of a message. If you’re using a public key cryptosystem and would like to digitally sign a message, you first use a hash function to generate a message digest. You then encrypt the message digest using your private key. When the recipient of a message wishes to verify its validity, they use the same hash function to generate a message digest and put it aside. They then use your public key to decrypt the digital signature and compare the decrypted signature with the independently generated message digest. If the two match, the message is authentic.
Digital certificates are used by web servers and computer users to securely exchange public keys. In the case of a web server providing its public key to users, the server first registers its public key with a trusted certificate authority (such as Verisign or Thawte). The certificate authority verifies the authenticity of the key (using some offline method, such as verifying a credit report) and then encrypts the key using the CA’s private key. This encrypted key is returned to the web server to use as a certificate. The web server then transmits this certificate to end users who wish to communicate with the server. Those users decrypt the certificate using the CA’s public key and can then be assured that the CA is putting its support behind the key and that they are actually communicating with the web server they seek to communicate with.
In the reading, you also learned about how technologies like SSL and HTTPS implement these cryptographic algorithms.
The Assignment
For this week's assignment, I’d like you to gain some experience using a cryptosystem. Unfortunately, it’s not possible to do this in a web server environment, as most basic web hosting services do not provide you with the capability to install your own certificates. Therefore, we’ll experiment with cryptography using the popular Gnu PGP package. You’ll be using this forum to send a private message to me that no other student will be able to read.
First, visit the website: http://www.pgpi.org/download/gnupg/ and download the Gnu PGP version appropriate for your operating system and install it on your computer. Use the documentation located at http://www.gnupg.org/gph/en/manual.html#AEN26 to generate your own public/private keypair. Use the default options offered by the generation routine.
Important Note: The GPG program is a command-line program and should be run through a command shell. To do this, choose Run from the Start menu , type "CMD.EXE" in the Open box and click OK. Then navigate to the directory where you installed GPG and type your commands there. It will not work if you attempt to double-click on it in Windows.
If you find the documentation hard to understand, you might want to try this more user-friendly tutorial:
http://www.schwer.us/nblug/gpg/
Next, you will need to import my public key to your keyring. The key itself appears below. Copy and paste it to a file stored on your system and use the documentation located at http://www.gnupg.org/gph/en/manual.html#AEN84 to import it to your system.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.2.2 (MingW32) mQGiBD8G+5ARBADJsrs2cmkf/facNVlbnt/lEw+KJ9IxJs0n1IkTzqJFc7Z+q+7/ 4fFmunTtND0GAfnpPbFdBvi8rlhbQIPjbhGJOtvrAPesPdU+q0BeEAJRXj4i3JgG mbF2HiWRFWHD1mY6kmTA9iOCB53h3vd7U+NKFD/140bEIfaWVZZPICPdjwCgkS5u Nj0+8b4MgXCFph08qCyoYmcEAJKpsfklJ/fLwrnuvvetwSFSP/foqozs+z7MBMtb 0nkAIUwsXzNMySRdwYfSrYFXZLkh3plOFwp4UFgNbj57H6TxBR9HrSZmIw2obJ5u LedDKU7hQw6VN+LyOJqrSWqEgotTpmlDxMl0uIgJcgjRTJAO0wNZnyiOwXB5Nbol YkfaBACZHvGDjt7+orCey/fI0h/b8QEpWhABcUM+ltMB0DSK4MuuiIR3uHFTTbKR 6gFn3fZXTkv3mKvTBGqL8s+U8jg5wYQOjFHIK5q6kBCYUZCNHixr4ZS+llGRyz51 GxwDyhl6sMSA+Dwm1Ri70hBMlLr3SW6EowojKwUkOm+Qco6QI7QsTWlrZSBDaGFw cGxlIChJbnN0cnVjdG9yKSA8bWlrZUBjaGFwcGxlLm9yZz6IWwQTEQIAGwUCPwb7 kAYLCQgHAwIDFQIDAxYCAQIeAQIXgAAKCRAdRn4xDuazM6jeAJ9Nxtd3ZEVo5TkE z3Lj2qjZ50tJtwCeJdrOlKIBCiq+I8n8xWlX8HUZxr65AQ0EPwb7kRAEAMHLOA+w YuTR6EzmTHR4MIrHXrIQ5JTwGcYbsxS9og8RPSVi9Hh7BuT2NuJ6GhQ/1W1DzYl+ OjuVB9bB7jlv5FvyRZYG8aMmI4ViAiFGXMQ54/Hi31SKcX7+66xXap+Vq4J2Jstx SN9t7fdCdPyER56CupVPsR1WoOgppmY3ay1nAAMFBACRy59ru9GNORgGthdBGSRg Vk4JhOdOp+Azg+XfZ80KOEv4cbnBdUOn5AFjUqNLMOVCSPqmtXgenc8BmAJntvfZ QLBrpCjOjrB7JvxJDS1EFN64IhwX9P/KggtEn4RBeq0Dn8JX1YQivtJKmlKtvobu nJ/5ENlPXqG0cbnxW3JKDYhGBBgRAgAGBQI/BvuRAAoJEB1GfjEO5rMzwLoAn2WH oagjJ3HHMUg92vYSbySyKP2yAJ4sZ9q7VCLA8dVcSriuAYmFSiWbJA== =6lmS -----END PGP PUBLIC KEY BLOCK-----
Write a private message to me and store it in a text file on your hard drive. Then encrypt that message using my public key. If you’re encrypting a file called "tomike.txt" located in the same directory as your GPG program, you would use the following command:
gpg --armor --encrypt --recipient mike@chapple.org tomike.txt
The resulting file should be stored as tomike.asc in the same directory. That’s it! You’re done! Post the encrypted file in this forum and I’ll then post a decrypted version as a response to you. When you post the encrypted message, please be sure to use the HTML PRE.../PRE directive so that the message is formatted properly.
My Encrypted Message
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.2.2 (MingW32) hQEOA7EHnajeCfQ3EAQAnVgnoteDkQkhAucuD8tNYI7LPfMB+4aSfpLn8HLyJoH1 FQoAsGv/1C9OFSuag1pFXa5I6oWvuxtT3Vbzj8eraiWyTbtqvgl2jWDqLkSXnCRT soXrKxaQmmmuEh4gHXTkwzfJ3BcK9erphpbUPXGiWTTCo15QM/EmR+uPLvPOVRID /iMgaHO98wDDYLDHXBmqTX72nqJiVUL3sTwUyW1wTY2cEuSUlG/33juSBS1BxZJu O/m3WwS42E97J3Vm491FXV1h7KaSXvBTt6sf1qlwLN/Gc2fcsv63lUQg6Vvh+IbI HpcramyaS+W8fx2ZhsWusMiij6+4UN3pcl/ZsFVXyi/R0ukBDpQc9bouJKxgREE/ DI6JuRj+KuDU+wxv4L4Ls1CuRFlJg0Rl1jvrzSO/K9XTpMnA0QAoOeeffLzRwWn4 CMPNeP4AprlvkPvUswvWe/RPRptQtbTDZvEhs4Vt9vWiLymtPPmaaAL28y7JBNFw I+5ZpU/C65ZxUmoxI1HkvlscwUYO/Cs/0otavPQdT1qtsTZTkH5T8Kox27YaIy4F xi1kq3eD5cG2pvtXjuu81lXMBf2j+np07TUF1CXKEoCugnDJptJCHudEXUAF4nzS ZuFJcm5OlCQb2VzmNiZmeeKQvDW1CzAu5oR04BfHZq27Wls+6pjeKC+9lTcq9a3q JLlJGvG5zEONoiNVzp5g5iV9aSYfFL+Q/bhtmaT1d6x/KSwkx+i9lQL6Dv9d0dhN UA8d06TyRcaMuaDPz12HAtuzTkgVjcodDwWrriRXTyI7InH2x5GUpFCzO+OHLSec uUa/S0FTeWYy6KOlyJe6Qmj6fCIFf+gcvwF7plyCqcdHHV3gJNTzeyD8q8BBpGs7 omhJ13r4awuGx19wXnVwpnbny/liqfWeb2YyEEq71ak82SR6UQ5sgdFULvcZ/yTK v2ytYgHq6/A9qAVi/0WCMUl49n8v3mMWOq6+b9vIXMEUL5gH1jL1VJA1L/QxYa0+ 7hHayJ2baZzrWHocmB62QpxvRExJqP7ZgsjcgOlmml/L5/tdV3tYcr/M+h/RYlNt cFkYh1OQTgJVimr8N2Nyb0xKcQRPClvwwCJpd/8HBCnd1iQhUopgK8aai/TIadUx =HxDY -----END PGP MESSAGE-----