Project 11 (PGP and S-MIME)

Have you ever sent or received a signed and/or encrypted email message? Secure email has been available for many years, but the vast majority of users have never used it. This is primarily due to the lack of understanding about the security of our email systems, and the difficulty of using secure email technology.

• Learn about the usability challenges of secure email
• Gain experience sending a secure email message using S/MIME and/or PGP.
• Write a clear report on your experience to successfully use secure email technology

• Learn about PGP and S/MIME technology
  • You may refer to our prior lab assignments for pointers in how to get started, or find your own sources in how to setup secure email for your email platform.
  • Create the necessary keys and/or certificates in order to exchange secure email
• Send and receive signed and signed/encrypted email messages with a fellow student in the class
• Submit a 2 page report (2 page max, 1 page minimum – excluding screenshots) describing what you learned about secure email and how successful or unsuccessful you were in trying to use it.
• In addition to the 2-page written report, include your own self-grading of the points you think you earned on a separate page at the end of your report. This won’t count against the length limit.

• 20 pts - Well written report within the length guidelines
• 20 pts – Successfully exchanged both PGP and S/MIME messages
  • Max of 17 points if only one technology
  • Exchange both signed and encrypted/signed messages
• 10 pts – Successfully exchange email with a fellow student
  • Max of 5 points if you send messages to yourself instead
  • This lets you complete the assignment on your own, but full credit requires you to cooperate with a fellow student.
• 25 pts – If you are unable to send secure email after 2 hours of effort, you may describe in detail your experience and what problems you encountered
  • length limits still apply to your report
  • this lets you earn 45 points max even if you are unable to complete the task

• Explain the technical details of the keys and certificates you generated.
• What email platforms and tools did you use?
• What is the difference between PGP and S/MIME?
• What parts of the process were difficult to understand or use?
• Have you ever sent secure email in the past? Why or why not?
• Now that you know about secure email technology, will you continue using it in the future? Why or why not?
• Briefly explain who you worked with in the class and how easy/difficult it was to prepare to exchange secure email.
• What questions about secure email do you have after completing this assignment?

Here are the starting tips we gave students in the past for a different project involving secure email. This may help you get started, but you may be able to find better resources out there.

Once you have created your PGP key or obtained your certificate for S/MIME, you need to figure out how your email client supports either of these to protocols. Ideally you would use your current email client. You may need to obtain some other email client to complete the assignment.

S/MIME requires you to obtain an X.509 certificate. In the past, students used this Mozzilazine article describing how to obtain a free certificate. You don’t need to buy a certificate to complete this assignment.

• http://kb.mozillazine.org/Getting_an_SMIME_certificate

PGP uses a decentralized trust model, so there is no CA that signs your certificate. Users exchange keys and build up trust from the ground up. Before you can send and receive email using PGP you will need a PGP key. The linux machines on campus already have several tools installed to help you through this process. To create your key:

• Log in to the linux machines and open a terminal.
• In order to ensure enough CPU entropy during the key-creation phase, try running some programs in the background during the next steps. One good idea is to have a browser open and simply download a very large file during this process.
• Use GPG to create a PGP key by typing “gpg –gen-key”
• Choose the DSA and Elgamal key type, with a size of 2048 bits. You may choose how long you wish the key to be valid for (just make sure its valid through Friday).
• Finish creating the key by providing information about your name and email address. You may leave the comment blank if you wish.

Once you have performed the above steps you have succesfully created a PGP key.