Assignment 4

due: March 1.

50 points

part 1. using hash functions

To take the MD5 or SHA1 hash of a file, you can use the commands that are already installed on any Linux box. The commands are simply "md5sum filename" or "sha1sum filename".

  1. What is the MD5 of the phrase, "The semester is almost half over"?
  2. What is the SHA1 of the phrase, "The semester is almost half over"?
  3. What are the MD5 and SHA1 digests of the phrase, "The semester is almost half over." (Notice how the sentences are identical except for the '.', yet the hash is completely different.)
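
An added example (not part of the original assignment) of hashing a phrase with these commands: md5sum and sha1sum hash the exact bytes they are given, so a trailing newline left by an editor or by echo changes the digest just as the extra '.' does. The sample phrase "abc" and the helper names digest and hex_diff are constructed for illustration.

```sh
#!/bin/sh
# Added example: hash exact phrase bytes with md5sum / sha1sum.
# "abc" is a constructed sample phrase, not the assignment's phrase.

# digest ALGO PHRASE [nl]
#   ALGO is md5 or sha1. Hashes the bytes of PHRASE exactly. If the third
#   argument is "nl", a trailing newline is appended first, which is what
#   the tool sees when the phrase was saved from an editor or sent by echo.
digest() {
    case "$1" in
        md5)  tool=md5sum ;;
        sha1) tool=sha1sum ;;
        *)    echo "unknown algorithm: $1" >&2; return 2 ;;
    esac
    if [ "$3" = "nl" ]; then
        printf '%s\n' "$2" | "$tool" | cut -d ' ' -f 1
    else
        printf '%s' "$2" | "$tool" | cut -d ' ' -f 1
    fi
}

# hex_diff A B: count the positions at which two equal-length digests differ.
hex_diff() {
    a=$1; b=$2; n=0
    [ "${#a}" -eq "${#b}" ] || { echo "length mismatch" >&2; return 2; }
    while [ -n "$a" ]; do
        ra=${a#?}; rb=${b#?}                      # strings minus first char
        [ "${a%"$ra"}" = "${b%"$rb"}" ] || n=$((n + 1))
        a=$ra; b=$rb
    done
    echo "$n"
}

plain=$(digest md5 "abc")
dotted=$(digest md5 "abc.")
with_nl=$(digest md5 "abc" nl)
echo "md5 of abc               : $plain"
echo "md5 of abc.              : $dotted"
echo "md5 of abc plus newline  : $with_nl"
echo "hex digits changed by '.': $(hex_diff "$plain" "$dotted") of ${#plain}"
```

When two people report different digests for the same phrase, compare the byte counts of their inputs with wc -c before suspecting the tool.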

part 2.  using gnupg

reading

You can find a short HOWTO on using GnuPG here, and our class notes are here.

using symmetric crypto

  1. Create a plain text file, called yourName_info.txt, which contains your name and email address, and encrypt it using GPG with symmetric encryption with the password cis4378.  Try decrypting it for yourself as practice.

using public key crypto

  1. Create a public-private key pair.
  2. Export your public key in ASCII format (for example, like mine)
  3. Publish your public key in ASCII format on your website. (If you don't already have a website, you can always create a simple site on one of Temple's servers.)
  4. Sign yourName_info.txt with an ASCII armor signature.
  5. Import my public key into your keychain, and also Liang's.
  6. Encrypt yourName_info.txt using Liang's public key.

part 3. gnupg thunderbird plugin

set up thunderbird to send and receive your Temple mail

Make sure that you have Thunderbird set up so that you can send and receive your TUMail. Instructions for setting up a GMail account using Thunderbird are available on Google's website.

Configure Thunderbird to use the public-private key pair that you created in part 2.

Send yourself some signed email messages. The output will look something like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's a test message.  I hope that it works right.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (OpenBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHMhB63y0VT92yb/8RAjvkAJ4/qvjf+qu9WdRGTnWQd4axapCXugCgkU5a
xXNQnN6IHYD2lWfcIQ4v1FI=
=Xbsc
-----END PGP SIGNATURE-----

deliverables

Copy all files that you signed and encrypted, etc., into a directory called yourName_pgp, zip the directory, and email the zip file to the TA.  Your email message should contain the link to the website where you've posted your public key, and your answers to the few questions asked.  The email message must be encrypted using the TA's public key, and it should be signed.

For an unnecessary additional thrill, if you'd like to encrypt the email that you send me, you can find my public key here.

try it out at home

GPG is free software and it runs on Windows, Mac and many other platforms besides Linux.  There are also plugins for several popular email clients, and GUI front ends so that you don't have to remember all of the commands at the command line.

It might not be a bad idea if you downloaded the software at home, and gave it a try. If you want a commercial tool which does the same thing, is probably a lot easier to use, and can even do things like encrypt entire hard drives, you could also check out this.

If you're using Ubuntu, the Thunderbird GPG Plugin is available through Ubuntu's package manager. You could also install it by downloading the appropriate XPI file.