School of Computer Science and Communication

Department of Theoretical Computer Science

Secure e-mailing

Computer Security

DD2395 / HT2012

CONTENTS

Contents

1 Introduction 11.1 Preparations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Key management 22.1 Importing keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.2 Creating keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.3 Submitting keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.4 Augmenting identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.5 Signing keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.6 Re-submitting keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

3 E-mail management 53.1 E-mail reception and dispatch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53.2 Message signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83.3 Message encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83.4 Message signing and encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

4 Troubleshooting 94.1 Some common problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94.2 Error messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

5 History 12

I

1 Introduction

E-mail security is based on a set of cryptographic algorithms which ensure that only a legitimate recipient(s) canread a message (encryption) and prove that the message has not been changed in transit (signing). In this lab

you will use public-key cryptographic tools in which algorithms employ a public-private key pair to secure e-mailcommunication. You will get familiar with a very well known tool for these purposes GnuGP (http://www.gnupg.org),also known as GPG. GnuGP is a free implementation of the OpenGPG (http://www.openpgp.org) standard, whichis based on the commercial tool PGP (http://www.pgp.com), also known as Pretty Good Privacy.

This lab can be fully done remotely. All you need to do is to send five e-mails to a dedicated server that willautomatically check the submitted e-mails and notify if they are correct. You can, however, come to the availablescheduled lab sessions and get help.The lab should be solved individually, which means that you are not allowed to solve the lab for another student.

DeadlineThe deadline for the lab can be found on the course website. It applies for the steps you have to performagainst the automatic correction system.Do not wait till the very last minute to do the lab! Good luck!

1.1 Preparations

If you do the lab in Linux (Ubuntu), the command is gpg; if you use Solaris, type module add gnupg, andthe command is gpg2.

GPG itself is a command line application. You can test if it works correctly by typing gpg --version in thecommand line. The output should look similar to the following listing:

1 gurc@u3:˜# gpg --versiongpg (GnuPG) 1.4.10

3 Copyright (C) 2008 Free Software Foundation , Inc.License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html >

5 This is free software: you are free to change and redistribute it.There is NO WARRANTY , to the extent permitted by law.

7Home: ˜/.gnupg

9 Supported algorithms:Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA

11 Cipher: 3DES, CAST5 , BLOWFISH , AES, AES192 , AES256 , TWOFISH , CAMELLIA128 ,CAMELLIA192 , CAMELLIA256

13 Hash: MD5, SHA1 , RIPEMD160 , SHA256 , SHA384 , SHA512 , SHA224Compression: Uncompressed , ZIP, ZLIB , BZIP2

Listing 1: GPG version output

Some people prefer to use front-end applications such as EnigMail for Thunderbird, GPGMail for Apple’s Mail orGPG-Pine for Pine. You are free to choose any software or front-end you wish, however note that the lab has onlybeen tested with the basic GnuGP tool, Thunderbird and KTH’s webmail.

Please, be advised that many of the tools and front-ends found on the web are broken in various interestingways, including giving you limited, conflicting, or even completely wrong output. We are aware of some front-ends not reporting all keys used in signing and encryption, automatically importing keys and other bad stuff. Manyclients also mess up the formatting of e-mails, preventing correct decoding of the data, which in turn, will notallow you to successfully complete the lab; therefore, the course administration will not help you with software

2 KEY MANAGEMENT

issues you might encounter, except for those related with using modern versions of GnuGP.

You will find a checklist of questions to think about inside the informative yellow boxes at the end of somesubsections. This should help you to understand what is going on in more depth.

In the next sections, you will go through a series of tasks and interact with an automatic checking system.These tasks are sequential, you will get input for the next step once the current step is completed.

2 Key management

The following section will help you understand the quirks of key management, including key creation, signing,etc. You will need to import the course public-key from the course web site, generate your own pair of

keys, send your public key to the dedicated server for signing, get your public key signed additionally by anotherclassmate, and send this double signed public key again to the server for verification.

You need to complete all tasks described in the following subsections:

2.1 Importing keys

In the subsequent sections of the lab you will need to verify e-mails sent from the server. For this you willneed the course key (public-key) from the course website. Get the key, and import it (after verifying its fingerprint)giving it an appropriate trust level.

Think about...• How did you import the keys?

• How did you verify that you got the right keys?Note: Verify the signatures but also that these have the right fingerprints.

• What level of trust did you decide to set up?

• What is the meaning of the output?

2.2 Creating keys

Public cryptography requires you to generate your own key pair. GnuGP lets you tune the cryptographic se-curity of the keys, depending on how slow you want key generation (including encryption, decryption, signingand verification) to be. The following website, http://www.keylength.com/, offers concrete recommendations forwhich key-lengths are suitable depending on the security required.

Key generation can take from a few seconds up to few minutes; if you get a message asking you to generatemore randomness, either type or move the mouse around, or you can also open new terminals and run commandssuch as ping kth.se or du -h /.

Do not forget to protect your key with a password when you generate it. This password will prevent anyonefrom using (or stealing) your keys without your authorization.

Important: when you generate the key do not forget to match the name of the key with your name. Thee-mail is your account at KTH(your-username@kth.se), this is important as otherwise the system will not rec-ognize your input in the following tasks. The comment field will have the course code DD2395. Make the key valid

2

2.3 SUBMITTING KEYS

for at most 3 months.

Think about...• How did you generate the keys?

• How long did it the key creation take?Note: What security settings have you chosen?

• Which identity did you create?Note: Can you find the fingerprints?

2.3 Submitting keys

Export the (public) key that you generated and send it, by e-mail, to gpg-key@dasak.csc.kth.se. Make sureyou send it from your e-mail address at KTH (@kth.se). There should only be a single identity in the key, withyour address at KTH (@kth.se). If the submission is successful, you will get your key signed with the course keyin return. Note that it might take up to an hour before you receive the response due to KTH’s grey-listing used.

While there are plenty of format schemes, it is usually a good idea to use ascii-armor. This is an encodingthat avoids characters known to cause problems with e-mails systems.

Think about...• How has your key changed after being signed?

Note: Do not forget to import the new signature which has been added to your key.

2.4 Augmenting identities

It is very common to have multiple identities and e-mail addresses. They all can be bound to the same key sothat your friends do not need to keep track of multiple keys to communicate with you.

The task is to add an additional identity to the key with a second e-mail address (i.e. your main address if it isnot the one provided by KTH).

Think about...• How can you check which second identity you created?

2.5 Signing keys

By now you have your key signed by the automatic correction system, but this system has not performed au-thentication (check if you are who you say you are) before signing your key. Therefore, you will have to prove thatyou are not an impostor. Find another classmate and get him/her to sign your key, setting the appropriate trust level.

3

2 KEY MANAGEMENT

Think about...• How did you sign your classmate’s key?

• What is the meaning of the output?Note: Think about the management of trust levels and key signing.

Atthis point you should have your key signed with the course key, but it is also now signed by your classmate andcontains multiple identities.If you want to have a look at the contents of your new key, use the following command gpg -v key-filename.

2.6 Re-submitting keys

You will now export your double signed public key, using ascii-armor, and submit it to gpg-key@dasak.csc.kth.se.Remember that the source e-mail address should be your address at KTH.

The server will check the submitted key and respond with an e-mail containing the status of the verification.The server will send three more e-mails for the next tasks.

4

3 E-mail management

The following section will help you understand the quirks of secure e-mail reception and dispatch by not onlysigning the contents but also encrypting them.

3.1 E-mail reception and dispatch

By this point of the lab you should have received four e-mails, one status e-mail saying that the double signedkey is accepted, one with signed data, another one with encrypted data, and the last e-mail with both signed andencrypted data. Do not lose these e-mails because if you do, you will have to send your public key again to get anew set.

These e-mails contain a few random strings (ex: listing 2) which are unique for each student (e-mail address).You will have to return the strings that were properly secured in order to prove that you have verified the signaturescorrectly, decrypted the strings correctly, or both.

Each e-mail contains several sections that are independent. These sections can be encrypted or/and signed.They are separated with lines equal to ============= separator =============. These are not part of thetext, but they are there to simplify your work. The reason for including several blocks in the message you get issimply to save you from getting about 30 e-mails in your inbox.

For example, the e-mail with signed messages that you need to verify has the following form:

-----BEGIN PGP PUBLIC KEY BLOCK -----2 Version: GnuPG v1.4.10 (GNU/Linux)

4 mQENBE6tk1sBCADFTOlNAUZwl+jkb27PbEPLp6zQBtrDlTVvsoRHMipE2z0Vv3qdUHXaknDQ9xxOjKZSkMmaPQKNjVhQxpRfcmlIafRtgxX0CymqFBQNrZxa9ay22lqI

6 wggJpY2AZWpPmIvbJ13TZ8xFotO/nAsXAQFeprhK53RCvqoMFoy9z6iWTqFObCwmYfrem1uXX+SktBTkT16OpnC35jY9OyUU4DNHVOEY0T5YGxy7PUlv3JBl1YtKfX0z

8 ffXRUwzcHh/K0ZuFAPmqYH/8KtoWN3sFJu6iMdIAimDBiIykeQE05IRYk0F2UlZJ7FJ7uK5GKTevvwaBcq5x1dchZxcuN9VHZddRABEBAAG0OENvbXB1dGVyIFNlY3Vy

10 aXR5IChjb3Vyc2Uga2V5KSA8Z3BnQGRhc2FraDExLmNzYy5rdGguc2U+iQE+BBMBAgAoBQJOrZNbAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRC4

12 +uj6J2H//jhSB/9VGtQSh6WwjQVoxtJJ6J1x13Xv0mccImwFum5fuKrV5JZSYd5SwKG/MS+u3sN+2TpItMZBudpn6wX2u2GuWxu5Xvbs0tAuUT05KRQb30sayDDqclOB

14 3fdioIyX40HlC5120kgnm1ubWKQVak/4Am4aDRrxbxjINhXZkQnpZty9GN/uYss1kUJbI2PgQm940SDfmCh0tm3QgMqU+G+B61lixqMWxLKnuT5ytZ0kfZHJ0K2UQc4w

16 sMYXfY8y6WTgcEQ35zy+4pudrXhzflvL6L16eJ/ChjfNwJ4IXX+4i87BogVFZs3isO7mxiGumfTm1jiN03ah6I1negHsUA0nKwEOuQENBE6tk1sBCAC246INHzhntKT0

18 rJ7U7GshAjzj+mcO3DebYpmEc3BL0FiasDwQ+rTHegq3cEJIibBTzWfLmhntp2RlDH4k7r6MuTpRD0cgJlMvWO5uiOTo3qdouqW3uxRGy4hWxCn1OxSE3QBq1DErQsyf

20 IZR7d77h64O8rmhyhmaZwTuKkFMh1mEtdY7i9+M2r49StPQ2N69p9lVhST2Ps+qSN9b68WS7sW/pm2ekXbcs+UN927a3WUT5Uh/p+vi2BY3FwlE6yBTkYIlrmMHfzEvH

22 xaCvAbpvXhWUvn9cXEiI12CNxAtQ2Xe6rQtDCmOvXG85L4T8+fkfLQifqRtGf0mGi2gxBwnzABEBAAGJASUEGAECAA8FAk6tk1sCGwwFCQlmAYAACgkQuPro+idh//6r

24 Mwf+K9Tcn66bpKTlrPwo7RHMFQox4rwG9YypoDyzKlPtYQkY0PgOXd8K8bKqHZXG05lJjBei9xhZPH8yrc2sI9Z05im8/syRwyM9b/+NbyxiA7iw6yP6JHNQsB7mvWub

26 96vtLh4QXZZxYjImjyJsR35XgDWMHGoU1BkbUGKYPkLNDWOtHT/vUc+KsYCb0SHY7cLS5ocm3fPtB22SrrTsVy4YjJMEZ4XUbXjw7qKJxlFDUwDMW6/ko8Gh7yxw0TZ/

28 BruQIj3AebHHBZ2XuMTcbvnszxEuDLvFP2vzLuKANgo6apDVbPHgOC4oKmkbSM9wOEAUlxsmxkmVlaNa9CTAK63jig==

30 =cJDK-----END PGP PUBLIC KEY BLOCK -----

32 ============= separator =============4dc20e6a50ce08203e2d29fdb806cdbb91169a9b

34 ============= separator =============-----BEGIN PGP SIGNED MESSAGE -----

3 E-MAIL MANAGEMENT

36 Hash: SHA1

38 c2c4dba004abeae7cbee7ee37ffc42509e25b803-----BEGIN PGP SIGNATURE -----

40 Version: GnuPG v1.4.10 (GNU/Linux)

42 iQEcBAEBAgAGBQJOstHwAAoJEFf2Co+pBNejE7UH/iwkQhAr5WnR6xlYuKXjQWvtnxrLPS0JyK4PZvsuxZYiRZyH4yYDGgQg6gvesma2+X/rINMZGzCp6Yi6BQOgpimP

44 K4cmfHBWAC2yIcsFAKfU3LFJ7m4jqEz/6JD8bnxsKVkiQqMnOvJqQoQTzNuVWyUi0vyg+NvkDIG0Ic7oGrL2ZCQt6A7ukCol3XIh1Lj5+r0ytuZ61+rrKgvBZw/H1jMZ

46 kM/Lqma52n67dsbofXDVVJu3n4Ox/tNi6CxrgEQ6HFxAt0IsWGvJCpQllWKEagsnpBLar+gMM3szynp1SRgGJN6MEb9xw04a9mID9VMn50aa28wNw4eYT3Tx0GPUnWY=

48 =sEMB-----END PGP SIGNATURE -----

50 ============= separator =============3d8b2bb98d9adb541b1e4681ab22918abf583498

52 ============= separator =============-----BEGIN PGP SIGNED MESSAGE -----

54 Hash: SHA1

56 77b95b92b02541079b8b06dfdf0e58ea0c61d5f5-----BEGIN PGP SIGNATURE -----

58 Version: GnuPG v1.4.10 (GNU/Linux)

60 iQEcBAEBAgAGBQJOstHwAAoJEFf2Co+pBNejlPEH/0n3leNNqic8qOIgh3ZTI3cxZdLH+AGRCLIlyCgZAlH0I9oV7gg7hSnnCPU+5Px3LCp4QgAISgIdsnPudpHd6SBl

62 U/VQM0zxNfUl3auVz0+oItllH26lqSgdlZ7MLPWhTJxqAFf0L9HN4+A72UqIp4I6IgjjCanmkZ2L6HsBC5NBPmxnud48x/XyK+oVnIdzLoqVfvzZD1u8SZ48HTS1GXq5

64 tI3F7Cv8+rnelRV/0Dg/1AzQETbD8E5IWIe252PGd9GnrpPOHy6ix0B6a8/3gGVQcHuTeAW6JGhPsggXq9AqTP3NFyi7tbAjowrmN4j5/r2/3/yevdgqX4aQDi8ZTGg=

66 =Y1Fl-----END PGP SIGNATURE -----

68 ============= separator =============-----BEGIN PGP SIGNED MESSAGE -----

70 Hash: SHA1

72 44fc571ad1ff6be21e886ed50ba41c602b6c93c9-----BEGIN PGP SIGNATURE -----

74 Version: GnuPG v1.4.10 (GNU/Linux)

76 iQEcBAEBAgAGBQJOstHwAAoJEFf2Co+pBNejTEQH/j9IQmjBgopaOXy6534b5pOpDaBUEgX88SruqI3CotR4wPNDCKHO6UaSr69YbM3PpQ9Puo1fUUrG+gZ+9GWWNu/Z

78 fM81Ub6OKhf0AXICPpsjh5kbCZL8ZMeho1+rQyXi4cyaFQLF08c6QmVLfl7AUepjPdTiW/0H0OhyLLISjbhUI7KRQrv77UJwyIygYFV0XdO35b7DcW0qBaWlgT4U0czz

80 XRk5NdzZnuBd9bKqJ2+E3r/vi6eQMvDlzW7d2IcemwDO4rNTy/lryUlteeAkIc/7lQw3ueKy6CQzCZM+O450rnFA0gJ/8mEROlarcc4cuzKyBq8V8cdhb/0YEUwEEfo=

82 =PkaP-----END PGP SIGNATURE -----

84 ============= separator =============-----BEGIN PGP SIGNED MESSAGE -----

86 Hash: SHA1

88 98874 ba66f5d84eb0262c76212b75b038dbdb574-----BEGIN PGP SIGNATURE -----

90 Version: GnuPG v1.4.10 (GNU/Linux)

92 iQEcBAEBAgAGBQJOstHwAAoJEFf2Co+pBNejShwH/i8X3m/UlMl7HPtbQtgXCMZq

6

3.1 E-MAIL RECEPTION AND DISPATCH

vHRnbHAebFqC9gWcEBD2zRZ+p0p2vomHMf2mKCPz9WFBTIg5FfMFWQxiG3bEAZdA94 svkWh1Qd0Ks9p+O9hGNdOUFiMr0aJ+t5nofxP3As6A2E4RLU5ZtT0xuuA5QQN/JE

hRVNHR4vbKWcXxGcUFzTEQbuFoqAF5OG0/yXF6/02PpesRM+tKJQphr3Xqm2kTlQ96 tRfTkfN8Fu5A2IwZvxi929Dx3oL4D/jRK+fm6eEb8MuSnmJUn9gYuaORGm3drKKm

L5lzNa52WF2VDlmq0afWbbfbNiVHlB0ZWqDtglshfEHVFUuvfFwWLQwE/iIChNE=98 =Te3j

-----END PGP SIGNATURE -----100 ============= separator =============

-----BEGIN PGP SIGNED MESSAGE -----102 Hash: SHA1

104 fc39f05607e925a82ec2c23d6103e265f03a2504-----BEGIN PGP SIGNATURE -----

106 Version: GnuPG v1.4.10 (GNU/Linux)

108 iQEcBAEBAgAGBQJOstHwAAoJEFf2Co+pBNejpW0H/idh5EaKIjEd/xms3jjhKS8q45TGUT6arKkUW84sjz3D6Y7lpXrKxFCjgB+BoosFP0oaoEBuToBA2a/xvZ9dexM3

110 2MAvkoeLtOLbC1VsdshKWs6lggB0M28ZBSsXvyQp1fV6Z+cVOsWGSjeihRcXeAEOlr2kjTqMPdQzW4Dzb+FQsdMdDR0NP8aYSfuvbKTDredFuJvm0K4SqwMsmX8aUde3

112 rOgZXtHMUnHdRjxkAWXT9/XxzmEQE40iO8yaHtqqe3vAxaPRRhpy7u0Uoe/uu4zkIqhZl05XngkFBA69kLgsO1Ptc6BaDpSJXnkuaG/r4UvV6TWJ1qMLahKSqn5wZ1Y=

114 =QFS7-----END PGP SIGNATURE -----

Listing 2: E-mail with GnuPG signed messages

You should check which of the random strings were signed correctly, and then return only these strings to theserver in the reply e-mail. In this example only three strings were signed correctly:

1 c2c4dba004abeae7cbee7ee37ffc42509e25b80344fc571ad1ff6be21e886ed50ba41c602b6c93c9

3 fc39f05607e925a82ec2c23d6103e265f03a2504

Listing 3: Correct strings (before signing)

Before returning the correct block of strings to the server, you should sign it as part of the task for the first e-mailwith signed messages (information about how to process other two e-mails, after finding correct strings, is givenfurther in the assignment). So, your response message should look like the following:

1 -----BEGIN PGP SIGNED MESSAGE -----Hash: SHA1

3c2c4dba004abeae7cbee7ee37ffc42509e25b803

5 44fc571ad1ff6be21e886ed50ba41c602b6c93c9fc39f05607e925a82ec2c23d6103e265f03a2504

7 -----BEGIN PGP SIGNATURE -----Version: GnuPG v2.0.17 (MingW32)

9 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

11 iQEcBAEBAgAGBQJOsxnTAAoJEBirngyjOjx6pNgIAI14+r9Elx8H27ede7oQ/bt2rFHj3Jqa1tOvPfrD5iKZV3BfMJbABme1eJGpOoiUHrOZ2Y96BfGAC1kaCvOn45Ci

13 WBzh/1RY7cq39e4Hpnyu+PcY06jwZmyW+Zatt+HkVVX9YLCJRK/XIH8gfjgNo6Kp5YHQlsQoI9gLnbeM315wRjRWvklYkW2seO5Z80soy3nkZRfwAAdqcBZNWZ3RseX/

15 iaycutxs8D2M+UMsaG8QrDBrSzeiKpTxUrHGAh18MrNC9R2mdjDZjOApFiVX0HLO6KMVq87Q+c88eKqoDBwKaxDRM/7JAzd7S01ul7RHqfSMT+Ey08Y3UF6sKFXtshU=

17 =OEfH-----END PGP SIGNATURE -----

7

3 E-MAIL MANAGEMENT

Listing 4: Return message after processing (signing in this case)

You should send three e-mails to the automatic correction system, each one of them containing the correctblock of strings of each e-mail you received after proper processing. You will have to prove that you understandwhich parts of the messages you received are secure and which parts are not.

The correction is quite thorough. While the system will accept some extra whitespaces (outside strings), anyother extra or missing data will get your submission rejected.

Don’t forget...You will know that you are finished with the lab when you have received a ‘correct’ e-mail reply from theautomatic correction system for each one of the e-mails you send.That is, one ‘correct’ e-mail for successfully completing subsection 3.2, another one when you completesubsection 3.3, and a last one when you also complete successfully subsection 3.4.

3.2 Message signing

Since you have received one message from gpg-sign@dasak.csc.kth.se with signed data, respond to thise-mail with all the parts of the e-mail that were properly signed using the course key, in a single block.The block you send (do not forget to keep using ascii text) also has to be signed by you (using clear sign makesit easier to see that you are doing).

Think about...• What did you do to verify a signed message?

• Is the original message correct?

• Which key did you use to sign the reply?

3.3 Message encryption

Since you have received one message from gpg-crypt@dasak.csc.kth.se with encrypted data, respond tothis e-mail with only the parts of the e-mail that were properly encrypted and encrypt the response.

Note that it is very common to add yourself to the recipients list along with the aimed recipient because thiswill let you read your own e-mail after being encrypted.For the automatic correction system to do its job accurately you will have to do this (also for the next part).Do not forget that only you and at most the course administration should be able to read the e-mail, no one else.

Think about...• What did you do to verify an encrypted message?

• Is the original message correct?

• Which key did you use to make the reply confidential?

8

3.4 MESSAGE SIGNING AND ENCRYPTION

3.4 Message signing and encryption

A common usage of GPG is providing both integrity and confidentiality protection, such as the message fromgpg-both@dasak.csc.kth.se with signed and encrypted data, that you have received, respond to this e-mailwith only the parts of the e-mail that were properly signed and encrypted (only for you and/or the course admin-istrator, no one else).

Think about...• What did you do to verify a signed and encrypted message?

• Is the original message correct?

• Which key(s) did you use to make the reply secure?

4 Troubleshooting

Since GnuGP is not the friendliest tool (and combined with the complexity of cryptography), it can take sometime to get used to. A great start is the documentation for GPG, which can be found at the official homepage.

4.1 Some common problems

In this section we list some (common) problems previous years’ students have had trouble with.

• Source e-mail address domainEvery single e-mail you send must come from your e-mail account at KTH, that is, your-username@kth.se.No other source address will be accepted nor processed by the system.

• E-mail answerAll e-mails must have the answers in the body of the e-mail as plain text.No other format will work (such as Word, OpenOffice, RTF, PS, PDF, DVI, HTML,...). It is quite com-mon for e-mail programs (including web-based) to send HTML or RTF by default; therefore, you shoulddeactivate this functionality because the system does not recognize nor decode attachments, PGP/MIME,SMIME,... which means that in case of using a front-end you should make sure that it can do traditionalin-lining. If you do not see something such as ----BEGIN GPG <TYPE>---- at the beginning of the e-mail’sbody you should verify how you are sending encrypted e-mails.

• Extra outputIt is common not to ask GnuGP for all information and few front-ends print all information you need. Usingthe option -vv (very verbose) may be very helpful as it prints extended information about is going on.

4.2 Error messages

The following is a list of the common error messages you might get from the system and accompanied with abrief description on how to solve the cause related to these errors.

• Could not import user id’s. Typically caused by UIDs created in the future (wrong system time)The system parsed your key correctly but failed to import your UIDs. This is most likely due to the creationdate of the UID being in the future or too far into the past. Check your system time and generate a new key.

• Did not find any keys to import/verifying signature failed/decrypting message failed/decryption andverification failedThe system tried to verify or decrypt the message, but GPG returned a non-zero return code and no data.

9

4 TROUBLESHOOTING

This is commonly caused by formatting errors, such as HTML mail, the key in attachment, multiple GPGblocks and similar. Make sure you only include a single, properly armored, block and it is in the body e-mail.

• Did not see any signatures not made by course keyDid you really get another student to sign your key? Did you import that signature?

• Found # User-ID:s in the file. The initial submission should be with one User-ID. Generate a new keyand try againYour initial submission should not contain multiple UIDs. Follow the lab instruction and submit a key witha single UID first.

• Found more than one key in your submissionTypically caused by exporting multiple keys before sending the mail to the lab system.By specifying which key you want to export you avoid this error. You can also try importing the key youhave exported to make sure it contains what you think it contains using gpg --import -nvv.

• Incorrect. I read your answer as:This means the lab system correctly verified/decrypted the gpg block in your submission and failed whenit verified your submission against the expected answers. The lab system is doing a string matching of therows.Make sure there is no extra data in the output (compared to what you encrypted/signed). Then make sureyou have chosen the correct set of blocks as your answer.

• Key cannot be used for encryptionYou have generated a sign-only key. This key can not be used for the lab and you will have to generate a keyallowing both signing and encryption.

• Secret key was imported, please generate a new keypair and be more careful next time.../The secretkey for this key was already imported. Please generate a new keypair and be more careful next timeYou sent your secret key to the lab system. As it is no longer secure you will have to generate a new key pairand start over.

• Signature was invalid (status xxxxxxx)Your signature was parsed correctly but was found invalid. Make sure you don’t modify the data in transport.

• Submission was encrypted with # keys, should be encrypted to exactly two keys/Submission was onlyencrypted with a single key, should be encrypted to two keysYou have to make sure you use exactly two keys to encrypt the submission. That is your own key and thecourse key. Nobody else may read your submission.

• Subkey expires in more than 3 months/Subkey never expiresMake sure you set a correct expiry date on the key when you generate it. It is in the lab instructions.

• Submission was not signedYou did not sign the submission correctly before sending it to the lab system.

• The User-ID found is “Foo Bar ¡Foo@Bar.com¿”. It should have an e-mail address in the @kth.sedomainMake sure your primary UID is in the @kth.se domain. This is important as the lab system will only speakto @kth.se addresses.

• Tried to import something but failed. This can be caused by broken data, revocation certificates orbroken UIDs (such as UIDs created in the future)Catch all for parsing errors when importing keys. If you get this the key has been parsed but GPG failed toimport your keys.

10

4.2 ERROR MESSAGES

• Validation of your result failed. Key correctly signed by course key? I read your answer as:Catch all for validating submissions.If you get this, GPG returned something but also had an error. The answer part is what gpg returned.Typically caused by sending data to the gpg-sign/crypt/both before you have your key correctly signed bythe course key.

11

5 History

Version Contribution Author (Affiliation) Contact1.0 First development Gunnar Kreitz (CSC/KTH)2.0 Development continuation Pehr Soderman (ICT/KTH) pehrs@kth.se3.0 Inclusion of experiences from 2009 course3.1 Adaptation for DASAK Sonja Buchegger (CSC/KTH) buc@kth.se3.2 Adaptation and clarifications for CSC Sonja Buchegger (CSC/KTH) buc@kth.se4.0 Adaptation and simplifications for HT2011 Guillermo Rodrıguez Cano (CSC/KTH) gurc@kth.se4.1 Adaptation and clarifications for HT2012 Oleksandr Bodriagov (CSC/KTH) obo@kth.se