Lab: Digital Certificates

By Drs. Anthony Vance and Dave Eargle

I recommend using the Windows 10 VM for this lab. Alternatively, you can install GPG4Win for Windows or the excellent GPG Suite for Mac. However, if you do, you're responsible for figuring out the equivalent of the steps below yourself.

Part 1

Part 1a. Sign some public keys from the key signing party

First, make sure that Kleopatra is set to point to pgp.circl.lunot or

  1. Kleopatra > Settings > Configure Kleopatra > Directory Services. You should have only one entry here: – and it should be set for OpenPGP (the default). If this is not the case, delete all entries, then press new. You should get the correct default.

Then, repeat the steps below for at least three classmates, not including your professor.

  1. Verify their keys (i.e., witness the person show his/her government ID and attest that his/her key-id or fingerprint is correct).
  2. Sign the public key that you have verified.
    1. Get their public key into your keyring:
      1. I bundled the keys for the class into a keyring—find it on Slack under #labs or in Canvas > Files > Download folder. Download the .asc file. In Kleopatra, click the Import Certificates button and select the .asc file you downloaded.
      2. If their key is not in the keyring:
        • You can use the Lookup Certificates on Server button within Kleopatra,
        • Or, you can manually navigate to from a web browser, find their key,
          • select-all and copy to your clipboard, then Kleopatra > Clipboard > Certificate Import
          • select-all and paste into a blank notepad document, save with a .asc extension, then Kleopatra > Import Certificates
          • sometimes, the server is responsive via the protocol that Kleopatra uses, but not the web browser protocol. Try one if the other isn’t working.
          • While testing, I experienced the frustrating situation where search-by-key-id-or-fingerprint did not work unless I opened “advanced options” and deselected all options on the left. Don’t forget to append 0x to your query.
        • You can make them do all this for you on your machine if you want, since they didn’t get their key in to me in time ;-)
    2. In Kleopatra, right-click the key > Certify Certificate.
    3. Check each of the key IDs that you have verified.
    4. Check “I have verified the fingerprint” (assuming that you have!)
    5. Choose which of your private keys you will use to sign/certify their key. Change the radio to “Certify for everyone to see”. Leave the “Send certified certificate to server afterwards” checked.
    6. Send the key to the keyserver.
    Factoid: In PGP culture, it can be considered rude to upload someone else's key to a public server. They might not want your signature on their key, or they may not want their key on a keyserver. In practice, you could alternatively export their key after you have certified it, and send it back to them. But for this assignment, we simply upload the certified keys to a keyserver.
  3. At this point, the signed-key owner should be able to redownload their own public key from the server, and see the new signature.

    1. Kleopatra > Lookup Certificates on Server > search for their key… reimport
    2. Double-click the key > User-IDs & Certifications > Load Certifications (may take a while) > Look for new signatures.

Part 1a deliverable

Question: What are the names, email address(es), and fingerprints or key-ids of the three people whose keys you signed?

Part 1b. Have at least three people sign and upload your key.

Follow the steps above, and make sure that your key is discoverable on

  1. Ensure that your public key is uploaded to a PGP key server like (In Kleopatra, you can upload a key to OpenPGP by highlighting your key, right-clicking it, and selecting “Export Certificates to Server”. Other key-management software should have similar easy-to-use functionality.)
  2. Ensure that the copy of your public key on the public key servers has been signed by members of the class. To do this, re-download or refresh your public key from the key server, then view your key details.
Question: What is your key-id or fingerprint? (Tell me again even if you submitted this before. It's possible that some of you lost your key and had to create a new one.)
Question: What are the names, email address(es), and fingerprints or key-ids of the three people who signed your key?

Part 1c. Send and receive an encrypted email via PGP

For this, use GPA (gnu-privacy-assistant), which is installed on the Windows 10 VM. GPA has access to the same keyring on your machine as does Kleopatra.

You will send an encrypted and signed email to ITA Ryan McCreesh ([email protected]) (Key-id: 720D38A6).

Q: But how can we trust this key?

A: Download it and look at the signatures (refresh from the keyserver to see it). It was signed with my key `F3E02337`, which I verified in the key signing party. If you trust me, and you trust me to only sign keys that I have verified, then can you trust this key?

You will receive a response encrypted with your key which contains a secret code. This secret code will be the deliverable for this question. You will not receive the code if:

  1. Launch GPA on the Windows 10 VM. It opens with the Clipboard view.
  2. In this view, type a message for Ryan McCreesh.
  3. Click “Encrypt”. Choose at least the public key for [email protected].
    • If you also want to be able to decrypt what you encrypt, then also select your public key.
  4. Check the box for Sign. Select with which key you will sign the message.
    If you are curious what a signed-but-not-encrypted message looks like, write a message, then press the `Sign` button within GPA. Observe the result—the original message in plaintext, and a block with a signed hash. If you applied your public key to this signed hash, you would obtain a hash against which you could compare your own hash of the plaintext. Cool, isn't it? (The correct answer is "yes".)
  5. Copy-paste the output of the previous step into an email you compose on or whatever email service or client you use. Just send it from an email address associated with your public key.
  6. Make sure that the recipient has access to your public key. You can provide a link to your key on the keyserver, or attach your public key.
  7. If you encrypted and signed your message, then you will receive an encrypted response back, encrypted with your public key. Decrypt this response. This response is the answer to the next question in this lab.
    1. If you missed a step, you will receive back a plaintext message saying as much.
Question: What is the plaintext of what you received back?
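The following is an added example, not part of the lab handout: it carries out Parts 1a and 1c, and the trust question asked about Ryan's key above, with the gpg command line that Kleopatra and GPA drive under the hood. It assumes GnuPG 2.1 or later is on the PATH, works entirely in two throwaway keyrings (so no keyserver is contacted and the exported .asc file stands in for the class keyring), and every name, address and message in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the lab: the Kleopatra/GPA steps done with the gpg
# command line (GnuPG 2.1 or later) in throwaway keyrings. Every name, address
# and message below is constructed; nothing touches a real keyserver.
set -eu

WORK=$(mktemp -d)
OTHERS="$WORK/others"   # stands in for other people's machines: professor and ITA keys
ME="$WORK/me"           # the student's own keyring
mkdir -m 700 "$OTHERS" "$ME"
MSG='see you at the key signing party'
trap 'for h in "$OTHERS" "$ME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# gpg against a chosen keyring, never prompting (demo keys have empty passphrases).
g() { h=$1; shift; GNUPGHOME="$h" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
gen() { g "$1" --quick-generate-key "$2" default default never 2>/dev/null; }
fpr() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr" {print $10; exit}'; }
validity() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub" {print $2; exit}'; }

gen "$OTHERS" 'Professor <prof@example.edu>'
gen "$OTHERS" 'ITA <ita@example.edu>'
gen "$ME"     'Student <student@example.edu>'
PROF=$(fpr "$OTHERS" prof@example.edu)
ITA=$(fpr "$OTHERS" ita@example.edu)
MINE=$(fpr "$ME" student@example.edu)

# Part 1a, professor's side: certify the ITA's key with an exportable signature
# ("certify for everyone to see") and bundle the public keys into the class .asc.
g "$OTHERS" -u "$PROF" --quick-sign-key "$ITA"
g "$OTHERS" --armor --export "$PROF" "$ITA" > "$WORK/class.asc"

# Part 1a, student's side: import the keyring. The ITA's key has no validity yet.
g "$ME" --import "$WORK/class.asc"
BEFORE=$(validity "$ME" "$ITA")
# We checked the professor's ID at the party, so we certify that key ...
g "$ME" --quick-sign-key "$PROF"
# ... and record that we trust the professor to verify others (ownertrust 5 = full).
printf '%s:5:\n' "$PROF" | g "$ME" --import-ownertrust
g "$ME" --check-trustdb
AFTER=$(validity "$ME" "$ITA")   # "f": fully valid through the professor's signature

# Part 1a step 3: count good ("!") certifications on the ITA's key made by the professor.
prof_sigs() {
  g "$ME" --with-colons --check-signatures "$ITA" |
    awk -F: -v k="$PROF" '$1=="sig" && $2=="!" && substr(k, length(k)-15)==$5 {n++} END {print n+0}'
}
SIGS=$(prof_sigs)

# Part 1c: sign and encrypt to the ITA (and to ourselves so we can reread it).
# In --batch mode gpg refuses to encrypt to a key of unknown validity, so the
# trust path above is what makes this step work.
printf '%s\n' "$MSG" | g "$ME" --armor --sign --encrypt -r "$ITA" -r "$MINE" > "$WORK/msg.asc"
g "$ME" --armor --export "$MINE" | g "$OTHERS" --import   # the ITA needs our public key
PLAIN=$(g "$OTHERS" --decrypt "$WORK/msg.asc")             # "Good signature" goes to stderr

# Step 4's aside, signed but not encrypted: plaintext plus a signature over its hash.
# Verification recomputes the hash, so any edit to the text breaks the signature.
printf '%s\n' "$MSG" | g "$ME" --clearsign > "$WORK/signed.txt"
verify() { if g "$OTHERS" --verify "$1" 2>/dev/null; then echo good; else echo bad; fi; }
INTACT=$(verify "$WORK/signed.txt")
sed 's/party/potluck/' "$WORK/signed.txt" > "$WORK/tampered.txt"
TAMPERED=$(verify "$WORK/tampered.txt")

printf 'ITA key validity before / after trusting the professor: %s / %s\n' "$BEFORE" "$AFTER"
printf 'certifications on the ITA key by the professor: %s\n' "$SIGS"
printf 'decrypted by the ITA: %s\n' "$PLAIN"
printf 'clearsigned text verifies: %s; after tampering: %s\n' "$INTACT" "$TAMPERED"
```

Two separate acts make the ITA's key usable here, and they are the answer to the "but how can we trust this key?" question: certifying the professor's key (you checked the ID, so you sign) and setting ownertrust on it (you rely on the professor to check other people's IDs). Only the first is something other people ever see; ownertrust stays in your own trustdb. On a real keyring, `gpg --check-signatures <fingerprint>` is the command-line counterpart of Kleopatra's "Load Certifications" view, and `gpg --fingerprint <key-id>` prints the fingerprint you read out at the party.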

Part 2. Overall Questions

Read the following article.

Question: Compare and contrast the trust models used by PGP public key versus X.509 certs used by websites.

Part 3. Communicate Securely with Signal

  1. Watch this video and read about Whisper Systems' Signal app here and here.

  2. Also read about the cryptographic primitives that the Signal protocol uses, here.

Question: What attacks does Signal protect you against? Which does it not protect you against?
Question: On a high level, how does the Signal protocol work?
  1. Install the app “Signal” on an iOS or Android device (if you don’t have an iOS or Android device, borrow one from a friend). Ask a partner (friend or classmate) to do the same.

  2. Using Signal, call or send a text message to your partner.

  3. Reflect: How does your experience using Signal compare to using encrypted email with PGP?