[MIT Sloan]

15.566:
INFORMATION TECHNOLOGY AS AN INTEGRATING FORCE IN MANUFACTURING

SPRING 1998

 

Technology Exercise #2: SECURITY AND ENCRYPTION

THIS ASSIGNMENT IS OPTIONAL!

Due: Class #15 on March 9, 1998
Note: Tasks 1 and 2 must be completed before class #14 on March 6, 1998

 

Note: Due to the need to upgrade to a version of Eudora compatible with PGP, and due to the export control issues for strong encryption software, like PGP, we have decided to make this assignment optional. However, if you decide to turn in the assignment, you will earn points toward your class participation grade.

 

PUBLIC KEY ENCRYPTION WITH PGP (PRETTY GOOD PRIVACY)

You have spent the last three months working at VaporNet Communications Inc. You and members of your team are close to developing a communications chip that will revolutionize the communications industry. If everything goes according to plan, your chip will achieve speeds of more than 20Mbps over existing phone lines, obsoleting technologies such as ADSL and cable modems. However, you are not alone. There are at least 5 other companies working on similar devices, although none has succeeded as far as you know. You suspect that at least two of your competitors have hired hackers to break into your system in hopes of gathering confidential information or perhaps even sabotaging your technology.

Although a few working prototypes of the new chip have been manufactured, the production yield is unacceptable for commercial production. You know that Professor Bakos from MIT is working on solving this manufacturing problem at the Maui design lab, and you are hoping to receive word soon on how to improve production yields.

To provide security for the sensitive communications on this project, you will use public key encryption (PKE) software. In particular, all communications will be encrypted with the PGP 5.0 encryption program, available to MIT students. PGP 5.0 can be used with version 3 of the Eudora Pro email program, also available to all MIT students, or with some other email program. To use PGP with Eudora Pro, you must install the PGP plug-in for Eudora as explained in Task 1, which will make the PGP functions accessible through command buttons when you compose or receive messages. You can use a different e-mail program, but then you will need to start PGP on your own and manually cut and paste between PGP and your e-mail program.

For this assignment, you should install PGP on your personal machine. We have also installed PGP on machines GL01 and GL02 in the Group/Teamwork Lab.

Eudora Pro 2.x users: Version 2 of Eudora does not integrate with PGP. You can either upgrade to version 3.0 by following the instructions at http://web.mit.edu/is/help/eudora/version3.html, or use version 2, in which case you will need to start PGP and manually cut and paste between PGP and Eudora.

Eudora 4 users: The version of PGP available from MIT does not yet integrate well with Eudora 4. If you are using Eudora 4, you can either use PGP 5.5 (a 30-day trial version is available from http://www.pgp.com), or you can use PGP 5.0, in which case you will need to start PGP and manually cut and paste between PGP and Eudora.

Non-U.S. citizens/permanent residents: The U.S. government considers strong encryption software such as PGP an export-controlled item. To download PGP, you will need to state that you are a U.S. citizen or permanent resident, and agree not to export the software downloaded. If you are not able to satisfy this requirement or any of the other terms, you will need to either team up with a classmate who can satisfy these requirements or use one of the Group/Teamwork lab machines that have the Eudora Pro PGP plug-in installed (GL01 and GL02).

 

Task 1 (You must complete this task before March 6, 1998)

  1. Select an email account and email program that you will use for this assignment. We recommend that you use your MIT "pop" email account (<user_id>@mit.edu) with the Eudora email client.
  2. If you are using Eudora Pro version 3.0.2 or 3.0.3 and want to avoid updating to version 3.0.5:
  3. If you are using Eudora Pro version 3.0 or 3.0.1, have upgraded to Eudora Pro version 3.0.5 without PGP, or want to upgrade to Eudora Pro version 3.0.5 (which fixes several problems with earlier versions of Eudora Pro version 3)

Task 2 (You must complete this task before March 6, 1998)

  1. Run PGPkeys (either by itself or through the Eudora plug-in) to create a private/public key pair. The "New Key" command is in the "Keys" menu. If you will use your key just to perform this assignment, we recommend that you select a key length of 768 bits. Keys of 1024 up to 2048 bits will provide more security, but will substantially slow down key generation and encryption/decryption functions. PGP normally saves your keys in the directory C:\Program Files\PGP\PGP50. Your secret key is saved in the secret keyring secring.skr and your public key is saved in the public keyring pubring.pkr. If you are using a shared machine for this assignment, copy these files to a floppy disk, so that you will be able to use your key again later. You can instruct PGP to use different keyring files by selecting "Preferences" in the "Edit" menu in PGPkeys, or "PGP Preferences" in PGPtray, and selecting the "Key Files" tab.
  2. Email your public key to Terd before 9am on March 6, 1998 and bring the “fingerprint” of your key to class. There is an icon in Eudora that will insert your public key in a message. If you are using another email program, you can extract your public key into a file (or "copy" it into the Windows Clipboard) and then insert it or paste it into a message.
  3. Terd will give you the fingerprint of his public key and will certify keys in the class on March 6. He will email you your certified key soon thereafter. We will include all public keys in a class keyring 15566.pkr. This keyring currently contains a small number of public keys, including the Sloan Test Key (see below) and the public keys of Terd and Professor Bakos.

Task 3

  1. Familiarize yourself with the basics of PGP encryption. The best way to do this is by skimming through the manual and by sending a few encrypted and/or signed messages to yourself or a classmate. Browse through the PGP Reference Manual in Adobe PDF format, which can be found in the PGP directory on your computer.
  2. To understand how the "web of trust" works, get a classmate to certify your public key, and certify a classmate's public key.
  3. We have created a special test key for this assignment with ID "Sloan Test Key -- Spring 1998" that can be accessed by using the pass phrase "mit-sloan" (all lower case letters). If the test key is not in the keyrings on the computer you are using, you will need to download the keyring files s98test.skr for the secret key and s98test.pkr for the public key. Add these keys into your keyrings (one way is to double-click on the above keyring files after you download them). The fingerprint for the test key should be 5BC0 A447 2DFD 04AA B0E0 0E6B A40D 9D46 20A3 E742. Make sure to verify this fingerprint (e.g., select "Key Properties" in the "Edit" menu in PGPkeys), as somebody could have created a fake test key with the same user ID and pass phrase!
  4. Use this test key to decrypt the test messages sent to the class list with subjects "Test message #1 for Technology Exercise #2" and "Test message #2 for Technology Exercise #2". Both these messages have been encrypted with the public key, so that they can only be decrypted with the secret key. Test message #2 has also been signed with the secret key.

You do not need to turn anything in for this task.

Task 4

Despite all the precautions taken, the hackers hired by your competition have apparently succeeded in inserting some fake keys for Prof. Bakos into the class keyring from Task 2.

Download the class keyring file and identify Prof. Bakos' public keys that might be fake.

Hint: suspect public keys will not be properly certified.
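
The sketch below is an added example, not part of the original assignment or of PGP itself. It models the checks from Task 3 and Task 4: fingerprints are computed the way OpenPGP version 4 keys compute them (SHA-1 over the public-key packet), and a certification counts only if the certifier's fingerprint was verified out of band. The keyring entries, key bytes and the lookalike "Terd" key are constructed for illustration, and certification signatures are assumed to be already verified.

```python
import hashlib

def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, a 2-byte length, then the key packet body."""
    header = b"\x99" + len(packet_body).to_bytes(2, "big")
    return hashlib.sha1(header + packet_body).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Drop the 4-digit grouping and case so displayed fingerprints compare equal."""
    return "".join(fpr.split()).upper()

def grouped(fpr: str) -> str:
    """Format as PGP displays it: ten groups of four hex digits."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def make_key(uid, body, certified_by=()):
    # 'certs' holds fingerprints of certifying keys; the model assumes each
    # certification signature has already been cryptographically verified.
    return {"uid": uid, "fpr": v4_fingerprint(body), "certs": set(certified_by)}

# Constructed keyring. Key bodies are stand-in bytes, not real key packets.
terd = make_key("Terd", b"constructed key A")
terd_lookalike = make_key("Terd", b"constructed key B")   # same name, different key
bakos_1 = make_key("Professor Bakos", b"constructed key C", [terd["fpr"]])
bakos_2 = make_key("Professor Bakos", b"constructed key D")          # uncertified
bakos_3 = make_key("Professor Bakos", b"constructed key E", [terd_lookalike["fpr"]])
KEYRING = [terd, terd_lookalike, bakos_1, bakos_2, bakos_3]

def suspects_by_name(keyring, uid, certifier_name):
    """Flawed: trusts a certification from any key carrying the certifier's name."""
    named = {k["fpr"] for k in keyring if k["uid"] == certifier_name}
    return [k["fpr"] for k in keyring if k["uid"] == uid and not k["certs"] & named]

def suspects_by_fingerprint(keyring, uid, verified_fprs):
    """Sound: only certifiers whose fingerprint was checked out of band count."""
    trusted = {normalize(f) for f in verified_fprs}
    return [k["fpr"] for k in keyring if k["uid"] == uid and not k["certs"] & trusted]

if __name__ == "__main__":
    in_class = grouped(terd["fpr"])   # what the certifier hands out in person
    print("name-based check flags: ", suspects_by_name(KEYRING, "Professor Bakos", "Terd"))
    print("fingerprint check flags:", suspects_by_fingerprint(KEYRING, "Professor Bakos", [in_class]))
```

The name-based check misses the key certified by the lookalike, which is why the certifier's fingerprint is exchanged in person rather than read from the keyring.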

Task 5

Finally, the message from Professor Bakos arrives. Make that several messages! These messages will be sent to the class discussion list, and they can be decrypted using the test key. Professor Bakos cannot be reached, but you should have a valid public key for him after completing Task 4 above.

Send an encrypted message to Terd (tputthis@mit.edu) that satisfies the following conditions:

a) No one but Terd can decrypt the message.

b) Terd can be sure that the message came from you, and not from someone else in the class.

c) Your message contains the following information:

  1. briefly explains how conditions a) and b) are met.
  2. states the action recommended in the authentic message by Professor Bakos.
  3. explains, for each fake message seemingly received from Professor Bakos, why you think it was a fake.

You will receive extra credit if you can decrypt someone else’s message (send a copy of it in plaintext to Terd) or if you successfully impersonate someone else (i.e., convince Terd that your message really came from someone else.) You will be penalized if someone else impersonates you, or if someone decrypts your message. Both the penalty and the extra credit will be small, and for reasons that should be obvious, the penalty will be more than the extra credit!