CTS 2311 (Unix/Linux Security) Project #5
Using GnuPG and Crypto Tools

For this project you will practice using some of the crypto tools we covered in class, including SSL / TLS, GnuPG (gpg/pgp), OpenSSL, and other tools.

1. Using gpg (or Gnupg) and MD5 to verify downloaded software:
   1. Download the chkrootkit gpg signed tarball (chkrootkit*.sig) and the matching MD5 checksum file.
   2. Verify the signature.  This will require importing the appropriate gpg public key into your keyring.  What was the Key ID?  What exact command line did you use to import that key?  What was the exact command line you used to verify the file's signature, and what was the resulting output?
   3. Extract the tarball using gpg signed-tarball.  This should create chkrootkit.tar.gz.
   4. Verify the MD5 checksum.  What exact command line did you use, and what was the resulting output?
   5. Prepend a line of junk to the source tarball:

      cp tarball tarball-original
      echo 'yikes!' >> tarball

   6. Verify the MD5 checksum and the gpg signature again, using the same command lines as before.  What were the results this time?

      The MD5 checksum should fail but the gpg verify may succeed!  This is because the signed tarball is self-contained; changes to other files won't have any effect on it.  What would have happened if chkrootkit had used a detatched signature (a tiny *.sig file, and a separate tarball)?

      It is harder if you want to make a change to the signed tarball.  This is because of a feature of gpg: signed files have delimiters at the start and end of the actual signed stuff.  Anything that appears before or after that in the file is ignored, so appending some garbage to the end won't matter.  (This was designed to make it easy to save a signed file sent in the body of an email message, so gpg ignores the mail headers and signature block.)

      If you want to make an error in a signed binary file, you could tail the original file, deleting the beginning 10 lines or so.  Or you could use some binary file editor to make any change to the middle.  See wikipedia.org/wiki/Comparison_of_hex_editors for a list of binary/hex editors you could use.  An easy to use console editor is called hexedit.  (You just use the arrow keys to move over the part to change and start typing.  When done hit control-X to save and quit.)  Some GUI ones are bundled with KDE and gnome.

      Now if you verify with gpg you should see the error message it produces.

   7. Examine your yum repository configuration files.  Which repos (if any) are configured to required gpg signatures for packages?  Which ones (if any) don't require gpg signatures?  where does your system store the public gpg keys needed for your yum repositories?
2. Using md5sum, gpg to encrypt and sign a file:
   1. Create a short text file to encrypt, with the following exact text:

      echo 'Hello from Unix/Linux Security class.' > secret.txt
      echo 'Secret text file for crypto project, CTS-2311' >> secret.txt

   2. Generate an MD5 checksum for secret.txt in the file secret.txt.md5  Repeat with sha1sum, saving the checksum in the file secret.txt.sha1.  What were the two checksums?
   3. Next encrypt the file using gpg's symmetric encryption, saving the result as an text file.  Rename the resulting file as secret.txt-sym.asc.  Use the password secret.  What was the exact command line you used?  What is the default symmetric encryption algorythm used?  What would be the command line option to use AES encryption with gpg instead of the default algorithm?
   4. Add your instructor's public gpg key to your keyring.  (Hint: Look for my email address.)  What is the key ID?  Where did you obtain this key from?
   5. Using your instructor's gpg key, encrypt the file secret.txt, in text (ASCII) format, with the name secret.txt.gpg.  What is the exact command line you used top do this?
   6. Now generate a new gpg key for yourself.  Create a key of type DSA and Elgamal, with the default key length, with an expiration in 3 months, with your name, Hawkmail email address, and the comment CTS-2311 project - do not use.  (This will be a temporary key, just used for this project, and you don't want others using it!)  Select any passphrase you wish for this key.  What is the key ID and fingerprint for your new key?  Finally, export your (public) key as a text file named your name.key.
   7. Using your new key, digitally sign secret.txt, using a cleartext, detached signature in the file secret.txt.sig.  What was the exact command line used?
   8. Verify the signature and file.  What is the exact command line used?  Add a line of text to the end of secret.txt (say with echo oops >>secret.txt), and verify again.  What is the output this time?
   9. Include attachments for the following files when sending this assignment via email to your instructor:
      • secret.txt
      • secret.txt.md5
      • secret.txt.sha1
      • secret.txt-sym.asc
      • secret.txt.gpg
      • secret.txt.sig
      • your name.key
3. Using OpenSSL:
   1. Use OpenSSL to generate an MD5 hashed password of the word secret, suitable for use in the /etc/shadow file.  (That is, you can copy the output of the command, and paste it into the password field of /etc/shadow, and it should work.)  What is the exactly command line used?  What is the password hash generated?

Read the man pages for the commands (and file formats) used, and don't forget to search Internet resources on how to use these tools.

A description of each task you performed and the answers to the questions asked above, as well as the various files you created in part 2.  You can send as email to (preferred).  If email is a problem for some reason, you may turn in a hard-copy.  In this case the pages should be readable, dated, and stapled together.  Your name should appear on the first page. 

Don't turn in your whole journal, just a copy of the relevant sections.  It is common in fact to keep the journal as a text file on the system (with a paper backup of course).

Please see your syllabus for more information about submitting projects.