Type of assignment: This assignment should be done in same groups as those formed for the term project, except those parts of problem on PGP, which are marked accordingly.

Note: The assignment submission should clearly list the student members of the group, their names, and student numbers on the first page.

Points: The maximum number of points for this assignment is 35, which will be prorated accordingly after all assignments are posted. Weight of each problem is in parenthesis.

Format:

1. Assignment submissions are accepted in the following formats only: HTML (extension .html), PDF (.pdf), ASCII text (.txt). Assignments submitted in any other format will be discarded. All text in the assignment submissions must be typed and figures plotted to be easy to read and understood. Spelling, grammar, and other language errors will result in fewer points credited to the corresponding problem solutions.
2. Your submission file should be named to reflect the names of the group members, and the assignment number, e.g., alice_bob-assignment_1.pdf.

Problems

1. (4) X.509 PKI
   The purpose of this assignment is to help you to understand the hiearchical system of publick key management employed in modern commercial Web infrastructure.
   Pick five publick key certificates of different certificate authorities (CA) that came preinstalled with the Web browser on the computer of one of your group members. For each certificate write an explanation to the following questions:

   1. What business does the certificate owner do?
   2. For which purposes can your browser trust this certificate?
   3. Which organization issued and signed this certificate?
   4. Does your group trust the signature? Explain why or why not?
   5. Are their other certificates in the same browser that are signed by the key from this certificate?
   6. What is needed for an organization to get a certificate issued by this CA?
      
      
2. (8) PGP
   

   This problem has both individual and group elements to it. Your group should turn in one write up answering each of the parts labeled [group], but all key pairs, emails, etc. should be created and sent individually.
   
   1. Read Alma Whitten's paper, "Why Johnny Can't Encrypt."
   
   2. Locate and install a fresh version of PGP or GPG. There are versions for Unix flavors, Windows, and Macintosh. http://www.pgpi.org/ may be of use.
   
   3. Find the PGP public keys for as many of the EECE 412 teaching staff as you can. Part of your assignment is figuring out how to locate PGP keys. Searching the Internet for PGP key servers may be of help. But beware; there may be fake keys out there. . .
   
   Here's what you do to submit your solution to this problem:
   (2) (a) [group] Reflections on Trust. PGP's "web of trust" model allows users to "sign" each others' public keys. Suppose Alice signs Bob's key; what, in effect, is Alice declaring when she does this? Why is it useful for people to sign each other's keys? What precautions should one take before signing someone else's key, and why are these measures appropriate?
   (3) (b) [individual] Getting started. Create a new public/private key pair for yourself (you may use an existing key pair if you already have one). Sign each of your group members' public keys, and have them sign yours. When all of your group members have signed your public key, email it to the TA in ASCIIarmored format, with the subject My public key.
   (3) (c) [individual] Encrypting email. Send an encrypted, signed email to the TA with the subject "PGP is fun". In the body of the message,
   · Tell us what operating system and version of PGP you are using.
   · Show us the public keys you found for the EECE 412 TA; PGP fingerprints are sufficient.
   · In a few sentences, explain why you do or do not believe that these keys do indeed belong to the EECE 412 TA. If you do not trust a public key, explain what would convince you otherwise. Your mail should be protected with PGP such that the EECE 412 TA, and only the EECE 412 TA, can obtain the plaintext contents. You must also sign the mail with your private key. We will only accept your first message, so make sure to get it right the first time. Are you able to finish the assignment in fewer than 90 minutes as in Whitten's experiment? Remember to cite all your sources (books, manuals, friends, etc.).

3. (6) PGP Alternative

   Consider the following scheme for "signing" messages:

   1. Alice uses some trusted way, e.g., via face-to-face meeting or by publishing an ad in a newspaper, to give Bob (and everybody else) the URL of the Web page H.
   2. Alice arranges that only she can modify H, e.g., by hosting H at some trusted Web hosting provider known for good security.
   3. Whenever Alice sends an e-mail message M to Bob, she posts M_h=hash(M) at H.
   4. If Bob wants to make sure that it was Alice who've sent M and the content of M has not been tampered in transit, Bob
      1. computes hash M'_hof the received message M',
      2. searches H for M'_h. If Bob can find M'_h in H, then Alice indeed sent M' to Bob. Otherwise, Bob is not sure.

   You need to do the following for this problem:

   1. Make sure your group assignment solutions are submitted as one file. If your assignment solutions are comprised of more than one file, create a zip archive.
   2. Once your assignment solutions file is submitted, via WebCT, the member of your group who submitted your group's solutions, should also post both MD5 and SHA-1 fingerprints of the submission file on his/her home page at the course WebCT site. The fingerprints should be posted no later than 1 hour after the assignment deadline in order for your group to receive any points for this problem.
   3. 
      
4. (7) SSH
   This problem has both individual and group elements to it.
   
   1. All member need first to install SSH on their personal computers and learn how to log in to ssh.ece.ubc.ca. ECE's Hot to page on SSH might be of help at this step.
   2. Next, each group member should create a public-private key pair and configure their ssh environment on ssh.ece.ubc.ca to login at that machine using authentication based on public key cryptography. For this step, this tutorial on OpenSSH key management might be useful.
   3. Finally, the group should pick one group member and set his or her SSH environment on ssh.ece.ubc.ca so that ALL the members of the group can log from their personal computers into ssh.ece.ubc.ca under the account of the chosen group member using authentication based on public key cryptography. Upon succesful completion of this task, screenshots (one per group member)---similar to the one below---of succefull logins under the account of the chosen group member should be created and inserted in the assignment document.

      
5. (10) Compare and contrast key management in X.509 PKI, PGP, PGP alternative, and SSH based on your experience with them. Limit your answer to one page.