Information Assurance - F17

CSE 465

Assignment 2

Assignment 2 is due 10/19/17 on or before 11:59:59pm MST.

Part 1 — Julius’s Test (20 points)

You’ve discovered the ciphertext, now it’s time to break the ciphertext and recover the key.

Your agents have found that the following Python encryption algorithm is used:

1
2
3
4
5
def encrypt(cleartext, key):
    to_return = bytearray(len(cleartext))
    for i in xrange(len(cleartext)):
        to_return[i] = ord(cleartext[i]) ^ ord(key)
    return base64.encodestring(str(to_return))

Break the encryption and recover the key.

Submission Instructions

You will need to submit a README file, the key, and all the code you used to break the ciphertext.

Your README file should contain your name, ASU ID, the plaintext, where the plaintext came from, how to use the code that you used to break the ciphertext, and a description of how you broke the encryption.

The key should be submitted in hexadecimal (starting with “0x”).

Part 2 — Alan’s Test (30 points)

You’ve discovered another ciphertext, now it’s time to break the ciphertext and recover the key.

Your agents have found that the following Python encryption algorithm is used:

1
2
3
4
5
def encrypt(cleartext, key):
    to_return = bytearray(len(cleartext))
    for i in xrange(len(cleartext)):
        to_return[i] = ord(cleartext[i]) ^ ord(key[i % len(key)])
    return base64.encodestring(str(to_return))

Break the encryption and recover the key.

Submission Instructions

You will need to submit a README file, the key, and all the code you used to break the ciphertext.

Your README file should contain your name, ASU ID, and a description of how you broke the encryption.

The key should be submitted in hexadecimal (starting with “0x”).

Submission Instructions

Your README file should contain your name, ASU ID, the plaintext, where the plaintext came from, how to use the code that you used to break the ciphertext, and a description of how you broke the encryption.

Part 3 — Web of Trust (50 points)

Who do you trust? How do you know they are who they say they are?

Your goal in this project is to learn about public key cryptography, gpg, verifying identities, and the web of trust.

You’ll need to: create a gpg public/private keypair, register your public key with the submission server, get your key signed by 20 of your fellow students in this class, and avoid signing any fake keys (you will need to verify your classmate’s identity).

1. Generate a gpg key

github has a good gpg key creation guide.

Create a public/private keypair for this project that has a name that is exactly what your name is in ASU’s system, has an email (doesn’t matter what the email address is, and does not have a comment. Other students need to verify your identity, so the name part must be exact. You can reuse an existing gpg keypair only if the names match, otherwise you’ll need to create a new key.

The submission website will show you exactly what we have for your name (this was taken directly from the course’s enrollment page).

Important note

DO NOT LOSE YOUR KEYPAIR

Backup your keypair, if you lose the key once you’ve uploaded it to the server then you will not be able to finish the assignment. Every ASU student has a Dropbox account, so use that or some other mechanism to backup your keypair (including your secret key).

2. Upload your public key

Upload your public key to the submission server.

The server will then check to see if your public key is valid, and if it is will sign your public key with the course’s keypair, which has a fingerprint of 479F866885D619CF67BE6F924F8D297EA8C3BB5D (you should download this key, verify the fingerprint, and import it into your gpg keyring).

The server will also generate an adversarial keypair with a random name but with the same email as your key. You will be able to download this adversarial keypair, (both the public and private key).

3. Have your public key signed by at least 20 fellow students

Use the Internet to search for great information signing public keys.

The signatures must be from a valid key in this class: How will you know?

4. Sign at least 20 of your fellow students public keys

Using what you learned from the above, you must sign at least 20 of your fellow students’ public keys.

However, an important note: if you sign an invalid (or adversarial) key, you will lose points (max 20% of the grade on this part), and the person who tricked you will earn EC.

5. Submit your public key and public adversarial key

Finally, submit your public key (with the 20 signatures) and your public adversarial key (if you received any signatures).

Submission Instructions

You will need to submit your final public key, along with 20 signatures (this is included by default when you export your key), and your adversarial public key (if you tricked people into signing the adversarial key).

Your README file must contain your name, ASU ID, and your thoughts on the usability of gpg and key signing, and how you tricked people to sign your adversarial key.

Submission Site

Create an account to submit your homework on the course submisison site.

Please don’t forget your password.