1| Lab #7: Using Encryption to Enhance Confidentiality and Integrity

Introduction

As computers, tablets, phones and other “always on” digital devices become increasingly interconnected through insecure public networks, threats against our privacy and digital security increase in kind. Threats like identity theft and credit fraud threaten our financial security. Digital stalking and online harassment threaten our physical and emotional security. Some suggest that digital surveillance, mass data collection, and data mining by government and commercial entities encroach on our right to free speech, our freedom of association, and our Constitutional protections against unlawful search and seizure.

The need to protect confidential and private information over “public” networks is an ancient one. The solution then, as now, is to encode private data using cryptography. Simply put, cryptography takes human-readable information and turns it into unreadable “ciphertext” which can only be read by someone who possesses the correct key. Generally speaking, there are three cryptographic approaches: symmetric cryptography, asymmetric cryptography, and hybrid cryptography.

With symmetric cryptography, the sender and receiver use the same key (or “shared secret”) to encrypt and decrypt a given message. Symmetric cryptography is quite fast and generally easier to implement than asymmetric cryptography. However, while symmetric cryptography does provide confidentiality and integrity, it does not guarantee authenticity. In other words, you do not know for certain who gave you the encrypted message.

With asymmetric encryption, the sender has two keys: a private key and a public key. The sender encrypts with her private key and the receiver decrypts using the sender’s public key, which the receiver obtains from the sender or through a trusted third party, such as a certificate server. While asymmetric encryption is slower and more complex than symmetric encryption, it does guarantee the authenticity of the sender.

The hybrid approach is to have the sender encrypt the message with a symmetric key, and then send the message and a copy of the symmetric key using the sender’s asymmetric public key. The initial message and symmetric key are decrypted using the sender’s public key, and subsequent messages are then decrypted quickly using the symmetric key. The hybrid approach provides the same full CIA protection as asymmetric encryption with nearly the same speed as symmetric encryption.

In this lab, you will learn how cryptography tools can be used to ensure message and file transfer integrity and how encryption can be used to maximize confidentiality. You will use Kleopatra, the certificate management component of GPG4Win, to generate both a public and private key as both a sender and a receiver. You will use the sender’s keys to encrypt a file, send it to the receiver, and decrypt it using the receiver’s copy of the keys.

This lab has five parts which should be completed in the order specified.

1. In the first part of the lab, you will create a public and private key pair for the sender’s account on the vWorkstation desktop.

2. In the second part of the lab, you will create a public and private key pair for the receiver’s account on the remote desktop, TargetWindows01.

3. In the third part of the lab, you will transfer and import the public key from the receiver, TargetWindows01.

4. In the fourth part of the lab, you will encrypt a file on the vWorkstation desktop using the receiver’s public key and the sender’s private key, send it to the remote machine, and then decrypt the file.

5. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the third part of the lab to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

1. Apply the concepts of common cryptographic and encryption techniques to ensure confidentiality

2. Understand public and private key pairs and basic asymmetric cryptography

3. Generate a public and private key pair

4. Encrypt a data message using a public and private key pair

5. Decrypt a data message using a public and private key pair

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

  • FileZilla
  • GPG4Win (Kleopatra)

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

  1. Lab Report file including screen captures of the following step(s): Part 1, Step 8 and Part 4, Step 25.
  2. secret-message.txt.gpg, transferred to your local computer in Part 4, Step 15;
  3. Lab Assessments file;
  4. Optional: Challenge Questions file, if assigned by your instructor.

Hands-On Steps

Note:
This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, open the Common Lab Tasks file.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference.

Figure 1 “Student Landing” workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Create a Public and Private Key Pair for the Sender

Note:
In the next steps, you will use Kleopatra to create a set of keys (private and public) that will enable you to encrypt and decrypt a file later in this lab. Keys are also referred to as certificates. Your public key can be used by others to decrypt files that you have encrypted with your private key. You only need to provide your public key, never your private key.

1. Double-click the Kleopatra icon on the desktop to open the Kleopatra component of the GPG4Win application.

Figure 2 Kleopatra

2. Click File and select New Certificate from the Kleopatra menu.

3. Click the Create a personal OpenPGP key pair option in the Certificate Creation Wizard.

Figure 3 Create a new certificate using Kleopatra

4. Type the following information in the Enter Details screen and click Next to continue.

  • Name: Desktop
  • EMail:

Note:
The Comment box can remain empty. While not required to create a key pair, it can be useful if you are creating a certificate for a specific purpose, such as testing or for a specific client. If you do add a comment, it becomes part of your login name, and will be visible to the receiver.

Figure 4 Enter certificate details

5. Click the Create Key button.

A pinentry (pin entry) dialog box will pop up to complete the creation of a key. You need to enter a passphrase, or password.

6. In the pinentry dialog box, type ISS316Security and click OK.

As you type, notice that the Quality meter below the passphrase changes to indicate the degree of security offered by the passphrase. A password that includes upper- and lowercase letters as well as numbers is more secure than one that uses only numbers, such as a birthdate, or a recognizable word, such as password.

Figure 5 Create a passphrase for the new certificate

7. In the passphrase box, type ISS316Security again to re-enter the passphrase and click OK to generate the key.

When the key is successfully created, you have several options for handling the key:

  • Make a Backup Of Your Key Pair. This option sends a copy of your private key to your computer where you can store it anywhere you’d like.
  • Send Certificate By EMail. This option will create a new e-mail and automatically attach your public key certificate.
  • Upload Certificate To Directory Service. You can store your certificate on a public Internet server.

Figure 6 Successful key pair fingerprint

8. Make a screen capture showing the fingerprint generated by the key creation process and paste it into your Lab Report file.

Kleopatra generates a unique 40-character fingerprint each time a key pair is created.

9. Click the Make a Backup of Your Key Pair button.

10. In the Output file box of the Export Secret Certificate dialog box, type C:/Users/Administrator/Desktop/DesktopKey-private.gpg and click OK to send your private key to the vWorkstation desktop.

Figure 7 Export Secret Certificate

11. Click OK to close the Secret Key Export Finished dialog box.

12. Click Finish to close the Certificate Creation Wizard.

The new certificate appears in the My Certificates tab of the Kleopatra application. The Key-ID is the last 8 digits of the fingerprint associated with this certificate. Each new certificate is created with no expiration (valid until) date, but you can set an expiration date in the Certificate Details screen.

Figure 8 The newly created certificate

13. In the Kleopatra window, double-click the Desktop certificate you just created to view all details related to the certificate:

Note that the key type is RSA. Kleopatra uses both RSA (the Rivest, Shamir, and Adleman encryption algorithm) and DSA (Digital Signature Algorithm) for encryption. Kleopatra uses RSA as the default encryption algorithm, but you could select DSA while you create a new certificate by clicking the Advanced Settings button on the Enter Details screen.

Figure 9 Certificate details for Desktop

14. Click Close to close the window.

15. With the Desktop certificate highlighted in the Kleopatra window, click the Export Certificates button in the application’s toolbar to save a copy of your public key.

16. In the Export Certificates dialog box, click the Desktop icon under the This PC folder, name the file DesktopKey-public, and click Save to send the public key to the desktop.

Figure 10 Export the public key

17. Minimize the Kleopatra window.

Part 2: Create a Public and Private Key Pair for the Receiver

Note:
In the next steps, you will use Kleopatra to create a set of keys on the remote TargetWindows01 desktop. You will use this key later in this lab to encrypt a file.

1. Double-click the RDP folder on the vWorkstation desktop to open the folder.

2. Double-click the TargetWindows01 file in the RDP folder to open a remote connection to the Windows machine.

Note:
Refer to the Common Lab Tasks.pdf file for more detailed instructions on opening and working with remote connections.

3. If prompted, type the following credentials and click OK to open the remote connection.

  • Username: administrator
  • Password: password

Figure 11 TargetWindows01 desktop

4. Minimize the FileZilla Server application.

5. Repeat the steps in Part 1 to create both private and public keys on the TargetWindows01 desktop using the following information.

  • Name: TargetWindows01
  • EMail:
  • Passphrase: ISS316Security
  • Backup/secret file name: C:/Users/Administrator/Desktop/targetwindows01-private.gpg
  • Export certificate file name: targetwindows01-public.asc

6. Close the Kleopatra window.

7. Minimize the TargetWindows01 window to return to the vWorkstation desktop.

8. Close the RDP folder on the vWorkstation.

Part 3: Transfer and Import a Public Key from the Receiver

Note:
In the next steps, you will use the FileZilla Client application to transfer the TargetWindows01 public key to the vWorkstation desktop and import it into Kleopatra.

1. On the vWorkstation, double-click the FileZilla Client icon.

2. If prompted, click OK to close the Welcome to FileZilla pop-up.

3. Type the following login credentials in the text boxes at the top of the FileZilla window to connect to the FileZilla Server on the TargetWindows01 desktop.

  • Host: 172.30.0.15
  • User name: student
  • Password: P@ssw0rd!
  • Port: 21

Note:
You are required to enter a mixed-case password. If you are not using the Citrix Receiver to access this lab, please use the CAPS LOCK button or the On-Screen Keyboard to input the password.

4. Click the Quickconnect button to complete the connection to the FileZilla Server.

5. Click OK when prompted to remember FileZilla passwords and close the pop-up.

6. Navigate to the Desktop in both the Local site and the Remote site panes:

  • Local site: (C:\Users\Administrator\Desktop\)
  • Remote site: (Users/Administrator/Desktop)

Figure 12 Connecting to TargetWindows01 using the FileZilla Client

7. Right-click the targetwindows01-public.asc file in the Remote site pane and select Download from the context menu to download the file to the vWorkstation desktop.

Drag the Filename border to the right to see the entire filename and ensure that you are selecting the correct file. When the download process is complete, use the scrollbar in the Local pane to see the new file.

8. Minimize the FileZilla Client window.

9. Click the Kleopatra icon in the Windows Taskbar to re-open the application.

Figure 13 Kleopatra icon

10. Click the Import Certificates button in the toolbar.

11. In the Select Certificate File dialog box, navigate to the Desktop, select the targetwindows01-public.asc file, and click Open to import the file.

Figure 14 Import the receiver’s public file

12. Click OK to close the Certificate Import Result – Kleopatra window.

The targetwindows01-public.asc file is now listed as a new line item on the Imported Certificates tab of the Kleopatra application.

Figure 15 Imported Certificates Tab

13. Double-click the targetwinvm01_public line item in Kleopatra to open the Certificate Details dialog box.

14. Click the Trust Certificates made by this Certificate button in the Actions section of the dialog box.

Figure 16 Trust Certificates option

15. In the Change Trust Level dialog box, select the I believe checks are very accurate radio button.

Figure 17 Confirm trust level

16. Click OK to close the dialog box.

17. Click OK when prompted to confirm the changes.

18. Click the Close button to close the Certificate Details dialog box.

Part 4: Encrypt and Decrypt a File from the Sender

Note:
In the next steps, you will create a file on the vWorkstation and encrypt it using the keys created earlier in this lab. You also will transfer the file to the TargetWindows01 desktop (the receiver) and decrypt it.

1. Right-click the vWorkstation desktop and select New > Text Document from the context menu.

Figure 18 Creating the New Text Document

2. With New Text Document highlighted, type secret-message and press Enter to rename the new file.

3. Double-click the secret-message.txt icon to open the file in the text editor.

4. In the Notepad window, type I like information systems security.

Figure 19 secret-message.txt file

5. Click File > Exit, and click Save when prompted to close the text file.

6. Close Notepad.

7. Right-click the secret-message.txt file on the vWorkstation desktop and select Sign and Encrypt from the context menu.

Figure 20 Sign and Encrypt option

8. Click the Remove unencrypted original file when done checkbox at the bottom of the Sign/Encrypt Files dialog box and click Next to continue.

Figure 21 Remove the Unencrypted File

9. Click both the TargetWindows01 certificate and the Desktop certificate to highlight them, and then click the Add button.

Selecting both certificates will tell Kleopatra to use the TargetWindows01 (receiver’s) public key and the Desktop (sender’s) private key to encrypt the message. Adding both keys will allow both the sender and the receiver to decrypt the file.

Figure 22 Add sender’s and receiver’s certificates

10. Click the Encrypt button.

When the secret-message.txt file is successfully encrypted, Kleopatra will delete the original file and replace it with an encrypted (.gpg) file: secret-message.txt.gpg.

Figure 23 Successful encryption

11. Click Finish.

12. Close the Kleopatra window.

13. Use the File Transfer button on the vWorkstation desktop to transfer the encrypted secret-message.txt.gpg file from the C:/Users/Administrator/Desktop folder to your local computer.

Figure 24 Transferring encrypted message

14. Close the File Transfer window.

15. Maximize the FileZilla window.

If the connection has timed out, repeat Part 3 Steps 3-5 to reconnect to the TargetWindows01 machine.

16. Right-click the secret-message.txt.gpg file in the left pane and select Upload from the context menu to transfer it to the TargetWindows01 desktop.

If you don’t see the file in the file list on the Local pane, click the Local site file path and press Enter to refresh the file list and repeat step 18.