
Home task, Introduction to IT forensic technology and IT security, v11.1

Safe/secure Email

See labinstruktion.pdf for general instructions regarding lab exercises.

Table of Contents

Safe/secure Email
1 Example and explanation with The Bat!
    The PGP algorithm
2 Lab task
    Email part
    Crypto part
    Report
3 Addendum
    Windows Live Mail
    MS Outlook cannot open PGP encrypted messages sent from The Bat!

In this lab we will learn how to deal with crypto and digital signatures in Email.

You should use an Email client that supports PGP/MIME. PGP is also available as GNU Privacy Guard (GnuPG or GPG) at: http://www.gnupg.org. There is a GnuPG for Windows available at: http://www.gpg4win.org.

There is a list of secure Email clients here: http://www.bretschneidernet.de/tips/secmua.html. and GnuPG are good choices since they are free.

It may also be possible to use your web browser (web mail) with some plugin if you search around. Usually they use GnuPG.

Webmail as etc. is often possible to use from your if you configure it correctly. Do a search for example ”access gmail via pop” plus your Email client to get a how to for this.

I myself use The Bat!, which is found at: http://www.ritlabs.com/en/products/thebat. It is a good alternative to Windows Live Mail which is part of the free downloadable Windows Live Essentials at: http://explore.live.com/windows-live-essentials. The Bat! Home or Professional Edition can be used for 30 days and Swedish language support is available.

Download the software you need to get going with safe/secure Email. The school's support is found here: http://du.se/sv/Student/Service-och-support/ where you can find valid Email settings. If not found, search for it with “epost via www.du.se”.

Note that you cannot send mail via du.se from the outside; you need to use your internet provider's SMTP server in this case. Here is an example of how to do this with Gmail from any network: http://lifehacker.com/111166/how-to-use-gmail-as-your-smtp-server.

Högskolan Dalarna, Röda vägen 3, 781 88 BORLÄNGE. Phone: 023-77 80 00. Fax: 023-77 80 50. URL: http://www.du.se/

1 Example and explanation with The Bat!

I will now show how to do this with the built in OpenPGP in The Bat!

In the menu Options > OpenPGP are the settings for this. I used the Internal (RFC-1991) implementation. You can have a look in the old TheBat PGP Guide: http://users.du.se/~hjo/cs/common/doc/thebat_pgpguide.htm

If you want to use GnuPG I recommend earlier mentioned Gpg4win. If you want to use the raw version at http://www.gnupg.org/ you must follow the README.txt instructions in the doc folder thoroughly. Check out the different frontends at: http://www.gnupg.org/related_software/frontends.en.html

Personal certificates can be obtained from Thawte at: http://www.thawte.com/secure-email/web-of-trust-wot/index.html to use with Windows Live Mail. Note that I have not verified that this works.

The following example is performed with the internal OpenPGP (RFC-1991) in TheBat since it is very easy and built-in.

I generated a private and a public key pair. The public key may be exported and sent to my friends etc. With my public key my friends can encrypt messages sent to me and verify signed messages sent from me. Remember to save the private part of the key in a secret place, it should never be sent anywhere.

If the following images do not look similar to your version of The Bat!, it is because of an older version and because I use the “plain-text” format. The default is RTF (Rich Text Format) or HTML.

Transfer the public PGP key to my friend at pixelin.net.

The receiver ([email protected]) imports the sent public key to his key manager. Here we see that he has his own private and public key pair and a received public key from [email protected] in his key chain.

Here I have sent a signed mail with an MD5 hash to my friend at pixelin.net. This is done with my private key.


The message as my friend Hans at pixelin.net can see it.

After he has clicked the verify OpenPGP signature (the icon towards the right) and put in his pass phrase in the dialog box, he has validated that the message really is sent from [email protected] and that the content is not changed in any way, via the public key that was sent earlier.

What really happened is the following (generate a digital signature):

message --> hash algorithm --> hash --> encryption (private key of signer) --> encrypted hash

message + encrypted hash = signed message

When receiving (verification of a digital signature):


signed message --> message --> hash algorithm --> hash
signed message --> encrypted hash --> decryption (public key of signer) --> hash

OK if the two hashes match.

This message was readable by anyone who could access it, but it could not be changed without invalidating the signature.
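The signing and checking steps above, as an added example that is not part of the original lab text: a textbook RSA signature over a SHA-256 hash (the mail above used MD5). The key is a constructed toy key built from two known Mersenne primes and there is no padding, so it is for illustration only.

```python
import hashlib

# Constructed toy key (assumption for this example): two Mersenne primes.
# Far too small and too structured for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept secret by the signer


def digest(message: bytes) -> int:
    """Hash the message and map the hash into the range [0, N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Signer: 'encrypt' the hash with the private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: 'decrypt' the signature with the signer's public key
    and compare the result with a freshly computed hash."""
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    mail = b"Lunch at 12?"            # constructed sample message
    sig = sign(mail)
    print("original verifies:", verify(mail, sig))
    print("altered verifies: ", verify(b"Lunch at 13?", sig))
```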

Now I have received an encrypted message from my friend Hans at pixelin.net which he sent with the public key he got from me ([email protected]) earlier.

After I have clicked the padlock (the icon towards right) and put in my pass phrase in the dialog box I can decrypt the message. Only my private key can decrypt this message.

The PGP algorithm

PGP actually sends a symmetric key with the message in order to make the en- and decryption faster. Large messages could otherwise be rather slow to manage if only asymmetric (public) crypto were used. The symmetric key is randomly generated and encrypted with the public key the sender got from the receiver.

When the receiver gets the message, the random symmetric key is first decrypted with the receiver's private key and then the symmetric key is used to decrypt everything. More about PGP can be read here: http://users.du.se/~hjo/cs/common/doc/kryptera.eposten.med.pgp.pdf

The Bat! uses, as you have noticed, a later variant of PGP – OpenPGP. For managing public and private keys the RSA algorithm is used, and the IDEA cipher is used for the symmetric crypto.

What is happening when sending an encrypted message is the following. Note that it is simplified! If you also digitally sign your message this step is taken care of before the encryption.


message  --> encryption (IDEA key)                --> encrypted message
IDEA key --> encryption (public key of recipient) --> sent inside the encrypted message

What is happening when receiving an encrypted message is the following. Note that it is simplified! If the message also is digitally signed this step is taken care of after the decryption.

encrypted message --> encrypted IDEA key --> decryption (private key of recipient) --> IDEA key
encrypted message --> decryption (IDEA key) --> message
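The two simplified flows above, as an added example that is not part of the original lab text. A SHA-256 counter keystream stands in for the IDEA cipher (Python's standard library has no IDEA), and the RSA key is a constructed toy key without padding; both are assumptions for illustration only.

```python
import hashlib
import secrets

# Constructed toy RSA key of the recipient (two Mersenne primes, not for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_for(message: bytes, e: int = E, n: int = N):
    """Sender: a fresh random session key encrypts the message, and only
    that short key is encrypted with the recipient's public key."""
    session_key = secrets.token_bytes(16)          # 128 bits, smaller than N
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, keystream_xor(session_key, message)


def decrypt(wrapped_key: int, body: bytes, d: int = D, n: int = N) -> bytes:
    """Recipient: recover the session key with the private key,
    then decrypt the message body with it."""
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, body)


if __name__ == "__main__":
    mail = b"The report is attached. " * 4       # constructed sample message
    wrapped, body = encrypt_for(mail)
    print("round trip ok:", decrypt(wrapped, body) == mail)
```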

2 Lab task

Before you begin with the task, verify that your Email client can receive and send ordinary messages.

Email part

Install and configure your Email solution to be able to send safe/secure Email. Choose a software solution and generate a key pair. Create a “web of trust” with some class mates and insert their public keys in your key chain. Please try to send signed and encrypted messages to your class mates before sending an Email to me.

a) Use one of the public keys found here: http://users.du.se/~hjo/cs/dt1026/ depending on if you use PGP or GPG. Using one of these keys, send me a digitally encrypted Email with some text etc. When you get an OK in response, attach my answer in your report.

b) Explain what kind of thing MIME is and what difference there is between S/MIME and PGP (GPG)/MIME.

Crypto part

In this part we can use the calculator found in the Accessories group in Windows or a similar solution. You may need to have the programmer or scientific view in order to use the modulo button (found left to button A in image below) which we can use for our calculations. You can read about what modulo is here: http://en.wikipedia.org/wiki/Modulo_operation

Now do the following calculations.

c) Perform encryption and decryption with the RSA algorithm for: p = 7, q = 11, e = 17 and ”plaintext” M = 8. Show your calculations.

d) In a public key system using the RSA algorithm you got hold of the ”cipher-text” C = 10 which has been sent to a user whose public key has e = 5 and n = 35. What is the plain-text M? If possible show your calculations.

RSA formula help: The public key is (e, n) and the private key is (d, n).

The public encrypt function is: encrypt(m) = m^e mod n where m is ”plain-text” and m < n.

The private decrypt function is: decrypt(c) = c^d mod n where c is ”cipher text”.

Some help regarding the RSA crypto and example calculations can be found here: http://en.wikipedia.org/wiki/RSA

More info here: http://www.cryptool.de/index.php/en/download-topmenu-63.html and a web demo here: http://users.du.se/~hjo/cs/common/div/rsakryptering.zip
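The formulas above carried through in code, as an added example that is not part of the original lab text. The numbers are constructed sample values (p = 61, q = 53, e = 17, m = 65), not the lab's, and the function names are chosen for this example; the last function shows that when n is small enough to factor, the public key alone is enough to rebuild the private key.

```python
from math import gcd, isqrt


def make_keys(p: int, q: int, e: int):
    """Return ((e, n), (d, n)) where d is the inverse of e mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, public_key) -> int:
    """encrypt(m) = m^e mod n, defined for m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plain-text must satisfy m < n")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """decrypt(c) = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """Factor a small n by trial division and rebuild (d, n) from (e, n)."""
    e, n = public_key
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    return make_keys(p, n // p, e)[1]


# Constructed sample key: n = 3233, (p-1)(q-1) = 3120, d = 2753
PUBLIC, PRIVATE = make_keys(61, 53, 17)

if __name__ == "__main__":
    c = encrypt(65, PUBLIC)
    print("cipher-text:", c)
    print("decrypted:  ", decrypt(c, PRIVATE))
    print("recovered from public key only:", recover_private_key(PUBLIC))
```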

Report

Create a report with answers to the questions. Put your report in a folder together with other attachments if any and compress it. Then hand in the file to fronter.du.se.

3 Addendum

Windows Live Mail

Windows Live Mail has superseded in Windows as the Email client. It is a part of the Windows Live Essentials package at: http://explore.live.com/windows-live-essentials

I am unsure if the “Get Digital ID” button works. You can however get a digital id from some other CA (Certificate Authority). A CA is a third party that validates that you are in fact you.

You can issue certificates yourself with software from http://openssl.org/. PGP does not need any certificate since it relies on ”web of trusts”.

With Revocation Checking the software checks if a certificate is too old or if it is invalid for some reason.

MS Outlook cannot open PGP encrypted messages sent from The Bat!

MS Outlook cannot open PGP encrypted messages sent from The Bat! because it does not support PGP-MIME, but only inline PGP.

In order to make PGP encrypted messages readable in MS Outlook it is necessary to insert the %NOPGPMIME macro into the message template. For more convenience this macro can be inserted into the address book group template or for a particular entry.
