Get yourself a key for secure email

This aim of this exercise is to enable you to use secure email (signed and/or encrypted). There are two systems, and you can pick either one, but e.g. if you use a standard/commercial email program such as Thunderbird, Outlook etc, the S/MIME system is easier to use.

NOTE that you need to use a mail program, rather than webmail, for this assignment. Thunderbird is the standard mail program at the department computers.

This assignment is done individually, but you are free to ask for and receive help from others (for this assignment only).

Note that there are TWO parts in this assignment (headings 1 and 2 below). Do either 1.1+2.1 or 1.2+2.2.

Do one of the following:

Get an S/MIME certificate

  1. Go to http://www.thawte.com/secure-email/personal-email-certificates, read the sections in the left margin, and then click "Join" in the right margin.
  2. If you accept the smallprint terms, click "Next"
  3. Fill in the forms truthfully - otherwise there is no chance of getting your name in the certificate.
  4. NOTE!
    • you can only use ASCII characters in the form where you fill in your name, due to a bug in the server software. (So write "Björn" as "Bjorn"!)
    • it is preferrable to write all your first/given names (förnamn) in the name form, to make the certificate verify you more specifically
    • the email address you enter will be used as your identity at Thawte. You can get additional certificates if you use several email addresses. When using your student email address, use the long form (e.g. Lisa.Lagom.4711@student.uu.se) rather than the short (e.g. lila4711@student.uu.se).
    • Use a good password, 8-20 characters long. Don't forget it!
    • You must choose 5 question/answer pairs, to be answered in case you forget your password (cf. "something you know"). Consider not giving truthful answers (to make it harder for a cracker), but make sure you remember the answers you supplied!
  5. You will receive further instructions to the email address you supplied above.

Please email me any practical questions, and I will put the answers here. See also the FAQ, which contains several questions and answers related to this.

Note specifically the FAQ about forged and invalid signatures.

Now skip to part two below.

Get a PGP key

If you use a Unix-style system (Solaris at the IT department, Linux at home), PGP (either the program pgp or gpg (the GNU version)) is (probably) already installed. If not, or if you use Windows:

  1. Go to http://www.pgpi.org/download/ and find either GPG (GNU Privacy Guard) or PGP 8 (recommended for Windows)
    • For GPG, follow instructions on the GPG Mini-HOWTO to create a key.
    • For PGP 8, read the included documentation.
  2. Remember to use a good passphrase! And remember it!

Please email me any practical questions, and I will put the answers here or in the FAQ.

When you have the keys

Try sending and receiving signed and encrypted emails to a few friends in class. (If you have no friends, send it to me.)

For S/MIME certificates:

  1. Find out
    1. between which dates and times your certificate is valid
    2. the SHA-1 or MD5 fingerprint (hash value) of the certificate
    3. the certification trust chain for your certificate (who signed your cert, up to "top level")
  2. Send an email properly signed with your certificate, containing the information above to Bjorn.Victor@it.uu.se,
    • including your experiences from installing the cert, and sending and receiving signed and/or encrypted email

For PGP keys:

  • Get (at least) two other students to sign your key
  • Send your signed key to a keyserver (e.g. www.keyserver.net), and try searching/fetching it to verify that it's there.
  1. Find out the fingerprint (hash value) of your key
  2. Send an email properly signed with your key, containing the following information to Bjorn.Victor@it.uu.se:
    1. Your key fingerprint
    2. The key server you sent your key to
    3. Your experiences from getting your key, and sending and receiving signed and/or encrypted email
  • If for some reason you cannot get your email program to sign your email:
    • send the information above and an explanation of your problem as a signed attachment
    • consider using the S/MIME solution