Homework 2 is due Tue Oct 04 on or before 11:59:59pm EDT. The assignment parts will be submitted via GradeScope. If your GradeScope account was not automatically created and linked, click on one of the “HW1” assignments in Moodle and it should set up. Contact the TA and Instructor if you are having trouble.

Points: HW2 has a maximum of 100 points, with additional points possible for extra credit.

Acknowledgements: This assignment was derived with permission from assignments created by Adam Doupé.

Web of Trust

Who do you trust? How do you know they are who they say they are? Your goal in this project is to learn about public key cryptography, gpg, verifying identities, and the web of trust. You will need to:

  1. create a gpg public/private keypair,
  2. register your public key with the submission server,
  3. get your key signed by 30 of your fellow students in this class, and
  4. avoid signing any fake keys (you will need to verify your classmates’ identities).

I recommend reading the entire assignment before getting started. You may wish to think about a strategy that will help you convince others to sign your fake key.

Important: Do not upload either of your keys to any public keyserver. It would be unethical for this class assignment to pollute the information on these public resources. We will search the keyservers for your public keys, and if we find them, you will receive zero points. If you upload your key to a public key server by accident, you must contact the instructor and TA immediately.

Part 1: Generate a GPG Key

Create a public/private GPG keypair specifically for this project with the following requirements:

  1. The name is exactly what your name is in NC State’s system
  2. It has an email address (it doesn’t matter what the email address is)
  3. It does not have a comment

Other students will need to verify your identity, so the name part must be exact. This will be automatically checked by GradeScope in Part 2, so for the purposes of this assignment, your name is what GradeScope thinks your name is.

There are many guides for creating a GPG keypair, including information in the man page for the command. I recommend GitHub’s guide for generating a new GPG key.

Important note for existing GPG users: Do not reuse an existing GPG keypair. Please create a new key for this assignment. If you already use GPG, I recommend setting the $GNUPGHOME environment variable before performing the work for this assignment. You could also use the --homedir command line option. See the man page for more information. Alternatively, you could just set up a virtual machine or create another user on your computer.

— DO NOT LOSE YOUR KEYPAIR —

I cannot stress this enough: due to the nature of the assignment, we cannot and will not sign multiple keys for you. This may result in you getting a zero on the assignment. Back up your keypair. If you lose the key once you’ve uploaded it to the server, then you will not be able to finish the assignment. Every NC State student has storage in Google Drive, so use that or some other mechanism to back up your keypair (including your secret key). Once your key is generated, back up your public and private key. Seriously, you’ve been warned.

— DO NOT LOSE YOUR KEYPAIR —

Part 2: Upload Your Public Key

Save your public key as a file called public_key.gpg and then upload your public key to GradeScope to the assignment “Web of Trust Upload”. The server will then check to see if your public key is valid, and only if it is, the server will sign your public key with the course’s keypair, which has a fingerprint of 065B01FA1FD9B928A141EF8CCF7782B44460AC88. You should download this key, verify the fingerprint, and import it into your GPG keyring.
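The fingerprint check described above can be scripted instead of compared by eye. The following is an added example, not part of the original assignment: the function names, the sample listing and the file name `course_key.asc` are assumptions, and only the fingerprint value comes from this page.

```shell
#!/bin/sh
# Added example. COURSE_FPR is the fingerprint printed in the assignment text.
COURSE_FPR=065B01FA1FD9B928A141EF8CCF7782B44460AC88

# Constructed sample of `gpg --with-colons` output (dates, subkey and its
# fingerprint are made up; only the primary fingerprint comes from the page).
SAMPLE_LISTING='pub:-:4096:1:CF7782B44460AC88:1660000000:::-:::scESC:
fpr:::::::::065B01FA1FD9B928A141EF8CCF7782B44460AC88:
sub:-:4096:1:0123456789ABCDEF:1660000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:'

# Primary fingerprint = field 10 of the first "fpr" record after "pub".
# Later "fpr" records belong to subkeys and are ignored.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             $1 == "fpr" && seen { print $10; exit }'
}

# Strip whitespace and upper-case, so "065b 01fa ..." compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# True only for a full 40-hex-digit match; 8- or 16-digit key IDs fail.
fpr_matches() {
    got=$(normalize_fpr "$1")
    want=$(normalize_fpr "$2")
    case $got in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# $1 = colon listing, $2 = expected fingerprint.
# Returns 0 on match, 1 on mismatch, 2 if the input does not hold exactly
# one primary key (a file with extra keys should not be imported blindly).
verify_listing() {
    [ "$(printf '%s\n' "$1" | grep -c '^pub:')" -eq 1 ] || return 2
    fpr_matches "$(printf '%s\n' "$1" | primary_fpr)" "$2"
}

# Real use (file name is hypothetical):
#   listing=$(gpg --show-keys --with-colons course_key.asc)
#   verify_listing "$listing" "$COURSE_FPR" && gpg --import course_key.asc
verify_listing "$SAMPLE_LISTING" "$COURSE_FPR" && echo "fingerprint OK"
```

The comparison uses the full 40-digit fingerprint because a name, an email address or a short key ID can all be duplicated on a different key.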

The server will also generate an adversarial keypair with a random name of another student in the class and the same email as your key. You will be able to download this adversarial keypair (both the public and private key).

Part 3: Get Your Key Signed (45 points)

Here’s where the fun starts. You need to get your key signed by at least 30 of your fellow students’ public keys. The signatures must be from a valid key in this class: How will you know?

Note: For the purposes of this assignment, a “valid” key is a key created by one of your classmates and signed by the class signing key. The adversarial keys created by GradeScope are not “valid” keys. You will not lose points if your key is signed by adversarial keys (in practice, this cannot be avoided); however, you need to have signatures from at least 30 valid keys.

There are lots of resources on the Internet that describe signing public keys. Here are two:

Part 4: Sign Other Keys (45 points)

Using what you learned from the above, you must sign at least 30 of your fellow students’ public keys. You are encouraged to sign more, but only public keys valid for this class count: How will you know?

A big part of this assignment is figuring out how to determine if the key you are signing is actually the correct key for the person you think it is.

Note: We will only count signatures from your valid key on other students’ valid keys. That is, signing other students’ valid keys with your adversarial key will not count toward your required number of signatures. Similarly, signing someone else’s adversarial key with your valid key will not count toward your required number of signatures.

Part 5: Do Not Sign Invalid Keys (10 points)

Of course, the only way that the web of trust works is if keys are signed only when the identity is validated. If you do not sign any invalid keys that are not your own, you will receive 10 points. The number of (negative) points that signing an adversarial key is worth will be determined at the end (along with the positive amount of extra credit for tricking people). If you sign one adversarial key, you will not lose all 10 points, so don’t freak out about it (and please learn from it).

If you trick people to sign your adversarial key, you will earn extra credit. The amount of extra credit will be determined at the end.

Part 6: Submit Your Public Keys

Finally, submit your public key (with the 30 signatures) and your public adversarial key (if you received any signatures).

Submission Instructions: Submit on GradeScope to the assignment “Web of Trust” your final public key (which you will need to export), called public_key.gpg, along with 30 valid signatures (this is included by default when you export your key), and (optionally) your adversarial public key, called adversary_public_key.gpg (if you tricked people into signing the adversarial key).

Also submit a README file that contains your name, your NC State unityID, and your thoughts on the usability of GPG and key signing, and how you tricked people to sign your adversarial key.

When you submit, you will see how many signatures are on your key. Again, this could be adversarial keys, which don’t count for points. Final grading will be done after the assignment is over.