# HANDS-ON ENCRYPTION WORKSHOP COURSE WORKBOOK

Shared by:
Categories
Tags
-
Stats
views:
0
posted:
2/14/2013
language:
English
pages:
14
Document Sample

```							    INFORMATION SERVICES AND TECHNOLOGY

HANDS-ON ENCRYPTION WORKSHOP
COURSE WORKBOOK

 UC Regents 2011
Course material prepared by:
Allison Henry, akhenry@berkeley.edu
Information Services and Technology
University of California at Berkeley
Hands-on Encryption Workshop
Class Outline

Introduction: Everything you need to know about cryptography in 6
slides
 What is Cryptography?
 Symmetric and asymmetric keys
 Encrypting a key with a key
 Hashing
 Digital Signatures
 General tips for encryption

Part 1: Securing Data with Windows Encrypting File System (EFS)

Part 2: Securing Data, Drives, and Systems with TrueCrypt

Part 3: Email encryption and signing using OpenPGP and S/MIME

Questions and Extra Credit

-2-
What is Cryptography?
• Binary data (“key”) is used by a
mathematical algorithm (“cipher”) to convert
(“ciphertext”)
• Encryption: cleartextciphertext
• Decryption: ciphertextcleartext
• Encryption keys are fixed-length – the more
bits, the stronger the encryption it provides

Symmetric and Asymmetric Keys
• Symmetric (two-way, secret) keys:
Cleartext                Two-way key           Ciphertext      Faster

• Asymmetric (one-way, public/private) keys:
Key Pair

Public Key
Cleartext                               Ciphertext
Private Key                        Supports
secure key
Public Key                         exchange
Cleartext                               Ciphertext
Private Key

Encrypting a key with a key
• Step 1 – Secure Key Exchange
Ciphertext
Two-way                                                            Two-way
Public Key       Two-way       Private Key
key                                                                key
Key

• Step 2 – Secure exchange of data
Cleartext          Two-way         Ciphertext   Two-way           Cleartext
Data               key              Data        key               Data

-3-
Hashing
• An cryptographic function that converts input data
into a small fixed-length string of bits (the hash)
“Allison Henry” MD5  “93dd65d18b048fb836294ddceee584b4”
• Any change to input data produces a different hash
“Allison HEnry” MD5  “676ac60831574b956a3b9db08d10a1af”
• NOT encryption – a hash cannot be converted back
to the original data
• Used to verify integrity of data
• Password hashes can be used to create encryption

Digital Signatures
• Step 1: Add the “digital signature” to the data
Data Hash      Private Key   Data Hash     Digital signature
Data                                      Ciphertext

Data

• Step 2: Compare hashes to confirm signature
Data Hash
Public Key     Data Hash   If the hashes are equal,
Ciphertext

Data
=       integrity of the data and
identity of originator are
Data Hash   confirmed

General Tips for Encryption
• Use standard, modern ciphers such as AES
• Avoid proprietary, secret ciphers (the key is the
secret, not the cipher)
• Choose adequate key length (128-bit or higher)
• Encrypt sensitive data during transmission: TLS,
SSL, IPsec, etc.
• Encrypt sensitive data at rest: EFS, TrueCrypt, etc.
• Use PGP or S/MIME to sign and encrypt sensitive
data sent by email
• https://kb.berkeley.edu/kb1267

-4-
Securing Data with Windows Encrypting File System (EFS)
Introduction to Encrypting File System (EFS)
The Encrypting File System (EFS) is a file system driver that provides NTFS filesystem-level
encryption in Microsoft Windows operating systems, including Windows 2000
Workstation/Server (with security vulnerabilities), Windows XP Professional, Windows Server
2003/2008, Windows Vista, and Windows 7. The technology enables files to be transparently
encrypted on NTFS file systems to protect confidential data from attackers with physical

EFS works by encrypting a file with a symmetric key, also known as the File Encryption Key
(FEK). The FEK is then encrypted with a public key that is associated with the user who
encrypted the file, and this encrypted FEK is stored with the encrypted file. To decrypt the file,
the EFS component driver uses the private key that matches the EFS digital certificate (used
to encrypt the file) to decrypt the FEK. Because the encryption & decryption operations are
performed at a layer below NTFS, it is transparent to the user and all their applications.

When to use file system encryption
EFS is appropriate for both standalone and Active Directory managed workstations with some
sensitive or restricted data. Users should be aware of EFS and the proper place to store their
sensitive files. When using EFS, additional precautions should be taken to ensure that EFS
protected files cannot be accessed by brute-force hacking of the user’s Windows password,
and that the EFS key is backed up for data recovery purposes. EFS is also an excellent option
for encrypting offline files synchronized from a Windows file server (note: the files are not
encrypted during transmission to and from the file server).

 Transparent to users and all Windows applications
 Appropriate for standalone systems and managed workstations
 Data recovery supported for CalNetAD members
 Files can be encrypted selectively to maximize system performance
 Data can be shared by multiple system users without sharing passwords
 Encrypted backups supported by NTBackup and UCBackup

Considerations when using EFS
 Data only as secure as the Windows password (subject to brute-force hacking)
 Serious EFS security vulnerabilities on Windows 2000 – NOT RECOMMENDED
 Sensitive data must be stored only in EFS protected locations
 Some backup software may not save the data encrypted
 EFS data is not protected over the network or when moved to non-NTFS media
 EFS certificates should be backed up to prevent data loss

-5-
Exercises – Using and Securing EFS on a standalone workstation

Exercise 1: Start using EFS with a self-signed certificate
1) Login to the VM using the crypt account
2) Go to StartRun”certmgr.msc”
3) Click Personal
4) Minimize Certificate Window
5) Create a folder “EFS” on the desktop
6) Create a new text file “test.txt” in the folder “EFS” and add some text
7) Right-click “EFS”, choose “Properties” and click Advanced
8) Check “Encrypt contents to secure data” and click OK, then Apply
9) Click OK to confirm the attribute change
10) Maximize Certificates window and choose Action Refresh
11) Click on PersonalCertificates to view new EFS certificate

1) Right-click on the EFS certificate and choose “All TasksExport…”
2) Choose “Yes, export the private key”
3) Choose “Enable strong protection” (default)
4) Select a strong password to protect the private key
5) Save file to desktop (will have a .pfx extension)
6) Backup to a secure location

Exercise 3: View EFS details for a file
1) Right-click on your encrypted file (not folder), choose Properties
3) Note the unique Certificate Thumbprint for the user’s EFS certificate
4) You can click Add… to allow other users to access the file, if you have their EFS public
key in the local certificate store (see extra credit)
5) Data recovery agents will appear for CalNetAD managed EFS computers

Exercise 4: Kill your EFS certificate
1) Open Control PanelsAdministrative ToolsComputer Management
2) Expand Local Users and Groups and click Users
3) Right-click on the crypt user and choose “Set Password…”
4) Notice the warning? Click Proceed.
5) Choose a different password. Don’t forget it!
6) Log out and log back in with the new password
7) Try to open your EFS file. Access is denied???

Exercise 5: Restore your certificate from a backup
1) Double-click the .pfx file containing your certificate
2) Enter the password used when the file was created
3) Click “Mark this key as exportable” if you want to be able to make another backup
4) Finish the wizard and confirm that the import was successful
5) Try to open your encrypted file. Whew!

-6-
Exercise 6: Increase EFS security
1) Go to Control PanelsAdministrative ToolsLocal Security Policy
or higher
requirements to Enabled
4) Set Local PoliciesSecurity OptionsNetwork Security: Do not store LAN Manager
has value on next password change to Enabled
5) Set Local PoliciesSecurity OptionsShutdown: Clear virtual memory pagefile to
Enabled
6) Disable hibernation: open a command window and type “powercfg –h off”
7) Always close encrypted files when work is completed or when leaving the workstation
unattended

EXTRA CREDIT - Exercise 7: Share encrypted files with other users
1) Login to a Windows account and create an EFS folder with two text files
2) Create a new Windows account with Administrator access
3) Login to that account and enable EFS for any folder
4) Logout and log back in as the first user
5) Right-click on one of the files, choose “Properties”, click “Advanced”
6) Click Details to view EFS details, then click Add…
7) Find the new user’s EFS certificate and click OK
8) Close all dialog boxes with OK and logout
9) Log back in as the second user and try to access both EFS files. What happens?
10) Yes, this must be set on a file-by-file basis, not at the folder level

EXTRA CREDIT - Exercise 8: Encrypting offline files
1) Go to Control PanelsFolder Options and click on the Offline Files tab
2) Check “Enable Offline Files” and “Encrypt offline files to secure data”
3) Connect to a Windows file share that supports Offline Files
4) In Windows Explorer, right-click on the share or folder and select “Make Available
Offline”
6) Right-click on the share or folder and choose “Synchronize”
7) Go to “C:\Windows\CSC” and open some of the directories – you should see encrypted
files (labeled “green”)

-7-
Securing Data, Drives, and Systems with TrueCrypt
Introduction to TrueCrypt
TrueCrypt (http://www.truecrypt.org) is free open source disk encryption software for Windows,
Mac OS X, and Linux. Data files protected by TrueCrypt are saved as a single encrypted file,
which is mounted using the TrueCrypt software and used as a standard mounted volume.
TrueCrypt supports three modes of operation: “virtual” encrypted disk file, full partition or
storage device encryption, and Windows boot device encryption with pre-boot authentication.

When to use encrypted disk images
Encrypted disk images are especially appropriate for encrypting data on file servers and
portable media that must be shared between systems. TrueCrypt is an excellent solution due
to a large feature set and cross-platform compatibility, however Mac OS X users can also use
built-in encrypted disk image capabilities: FileVault (encrypts a user’s Home directory) and
Disk Utility (supported creation of encrypted disk images anywhere on the system).

Advantages of single-file encrypted disk images
 Ability to encrypt portable media for easy sharing
 Can be moved to and from media and across a network connection without decrypting
 Can be shared between systems (TrueCrypt offers cross-platform compatibility)
 Data security is independent of operating system security

Considerations when using encrypted disk images
 No incremental backups – any change to the volume requires a complete backup
 User intervention required to mount and use the disk image
 User MUST remember password or lose the data – no backdoors
 All users accessing the data must know the same “shared secret”

System Encryption with TrueCrypt
TrueCrypt can also encrypt a system partition or entire system drive, i.e. a partition or drive
where Windows is installed and from which it boots. System encryption provides the highest
level of security and privacy, because all files, including temporary files, hibernation files, swap
files, etc., are always permanently encrypted. Windows also records large amounts of
potentially sensitive data, such as the names and locations of files you open, applications you
run, etc., and all such log files and registry entries are also encrypted when using system
encryption.

System encryption involves pre-boot authentication, which means that anyone who wants to
gain access and use the encrypted system will need to enter the correct password each time
before Windows boots. Pre-boot authentication is handled by the TrueCrypt Boot Loader,
which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk. The
Rescue Disk can be used to decrypt the system and recover the data in case the system itself
is no longer bootable. As with encrypted disk images, loss of the pre-boot authentication
password will result in the loss of the encrypted system and all data.

-8-
Exercises – Using TrueCrypt for disk image and system encryption

Exercise 1: Install TrueCrypt on the Windows system
1) Login to the VM with the crypt account
2) Open the “installers” folder on the desktop and double-click “TrueCrypt Setup 7.0a”
3) Click Run in the Security Warning dialog box to run the installer (does anyone pay
attention to those pop-up warnings anyway?)
4) Click the check-box and click “Accept” accept the license terms
5) Choose “Install” to install TrueCrypt on the system
6) Keep all default options selected and install
7) Click on the desktop shortcut to run TrueCrypt

Exercise 2: Create an encrypted disk image with TrueCrypt
1) In the TrueCrypt window, click “Create Volume” to launch the Volume Creation Wizard
2) Choose “Create an encrypted file container”
3) Choose “Standard TrueCrypt volume”
4) Choose a Volume Location on the desktop, any filename is fine
5) Choose the default Encryption Options, or try different options (AES is fast and secure)
6) Choose a file size appropriate to your needs, smaller than the drive free space
is less than 20 characters.
8) Move the mouse around for a minute or so then click “Format”
9) Click Exit after the volume is created

Exercise 3: Mount an encrypted volume and save some data
1) In the TrueCrypt window, click “Select File…” and navigate to the volume created in
Exercise 2
2) In the top panel, select an unused drive letter and click “Mount”
3) Click “Mount Options…” and select “Mount volume as removable medium”
4) Enter the password and click OK
5) You can now access the mounted volume on the local computer through the selected
drive letter which will be labeled as “Removable Disk”
6) Move the EFS encrypted file created in Part 1 to the new volume. Notice the warning?
7) Return to the TrueCrypt windows, highlight the mounted drive letter and click Dismount
8) Close TrueCrypt – your files are now safely encrypted within the TrueCrypt file and can
be securely transferred to other media, file servers, etc.

Exercise 4: Create an encrypted system in a virtual machine
1) From Windows, go to StartRun and type cmd.exe to open a command window
2) Enter: cd “D:\Program Files\TrueCrypt”
3) Enter: "TrueCrypt Format.exe" /n
4) From the TrueCrypt Volume Creation Wizard, select “Encrypt the system partition or
entire system drive”
5) Type of System Encryption: Normal
6) Area to Encrypt: Encrypt the whole drive (click OK on the warning screen)
7) Encryption of Host Protected Area: No

-9-
8) Number of Operating Systems: Single-boot
9) Encryption Options: Use the defaults (AES,RIPEMD-160)
11) Collecting Random Data: Move the mouse around
12) Keys Generated: View and click "Next"
13) Rescue disk: Save this ISO (you are warned)!
14) Wipe Mode: None (fastest)
15) System Encryption Pretest: Click Test. System will reboot during the test
17) Pre-test Completed: Click "Encrypt"
18) Click “Defer” to quit TrueCrypt and resume encryption later

EXTRA CREDIT: Other TrueCrypt Tips and Tricks
1) Create a TrueCrypt volume under 650MB and burn the volume file to a CD
3) Install TrueCrypt on a USB drive for portable use on any system
4) Encrypt an entire USB drive with TrueCrypt: https://kb.berkeley.edu/kb1625
5) Use a keyfile to protect a TrueCrypt volume: http://www.truecrypt.org/docs/keyfiles.php

http://xkcd.com/538

- 10 -
Email encryption and signing using PGP and S/MIME
Introduction to Email Encryption and Digital Signatures
Plain email is not a secure method to communicate sensitive information. Messages can be
read by people with access (authorized or unauthorized) to mail servers handling the mail, by
people monitoring (“sniffing”) the network as mail passes between servers, and by attackers
who gain control of a workstation where mail is saved. In addition, email headers indicating
who sent an email are easily forged, and the body of an email can even be altered while in
transit, unknown to the message recipient.

Email encryption and signing using public/private key pairs adds security features to standard
email, allowing for the secure and private exchange of information by ensuring:

     Authenticity – A valid digital signature verifies the identity of the sender of an email.
     Integrity – A valid digital signature ensures that the contents of an email were not
altered after the email was sent.
     Confidentiality – Encrypting email ensures that the message and attachments may
only be read by the intended recipients.

There are currently two common standards for encryption and signing of email using
public/private key pairs – OpenPGP and S/MIME. Both standards use key pairs in a similar
way to encrypt and sign email communications, but they are not compatible with each other.
The standards differ primarily in the methods used to validate keys and establish trust. We will
cover both standards in this workshop.

How to use public/private key pairs for digital signatures and encryption

Using key pairs to add a digital signature to an email message

The SENDER uses the SENDER PRIVATE KEY to add a “digital signature” to the message
body. The RECIPIENT uses the SENDER PUBLIC KEY to validate the digital signature. A
valid digital signature ensures both the authenticity and integrity of the message.

MULDER’S                                  MULDER’S
PRIVATE KEY                               PUBLIC KEY

“Scully, I need your help!”    -------------------------> “This MUST be a real distress call!”

- 11 -
Using key pairs to encrypt and decrypt an email message

The SENDER uses the RECIPIENT PUBLIC KEY to encrypt a message. The message can
only be decrypted using the corresponding RECIPIENT PRIVATE KEY. This ensures the
confidentiality of the message as only the intended RECIPIENT is able to decrypt the
message.

SCULLY’S                                SCULLY’S
PUBLIC KEY                              PRIVATE KEY

“Scully, here’s the plans for the alien…” ----------> “I MUST keep this information secret!”

OpenPGP vs. S/MIME
OpenPGP is a standard used by PGP and similar software products that provides security for
data communication. OpenPGP is used for signing and encrypting email message, files,
directories and even whole disk partitions. OpenPGP public/private key pairs are typically
exchanged and validated through a manual process, or when trusted users validate known
keys for other users (“Web of Trust”).

S/MIME (Secure/Multipurpose Internet Mail Extensions) is another standard for encryption and
signing of email messages and attachments. S/MIME keys are validated with certificates
obtained from a trusted Certificate Authority (CA). Typically S/MIME public keys are obtained
automatically upon receiving a message from a sender with a valid signing certificate, and are
trusted by any mail client with a trusted certificate for the issuing CA.

Features of email encryption and signing with OpenPGP
 Open-source software available with add-ons for most common mail clients
 Key pairs can be generated by anyone without a Certificate Authority (CA)
 Uses manual or “web of trust” model to validate public keys
 Private keys are controlled only by the end user who generated the key pair
 Can be used for digital signatures, encryption, or both
 Can also be used for file/disk encryption and other applications

Features of email encryption and signing with S/MIME
 Built-in support with most common mail clients
 Uses standard X.509 certificates to validate the public key
 Certificates must be issued by a trusted Certificate Authority (CA)
 Private keys for encryption may be escrowed for 3rd party data recovery
 Can be used for digital signatures, encryption, or both

- 12 -
Exercises – Using OpenPGP and S/MIME public/private key pairs

Exercise 1: Validating an S/MIME digital signature with Thunderbird
1) Click the “Mozilla Thunderbird” desktop shortcut
2) Go To FileOpen Saved Message…
3) From the “samples” folder on the Desktop, select the file “This email for you”
4) Click on the sealed envelope icon in the message window
5) Read the Message Security window. Does the security feature used ensure integrity,
privacy, or both?
6) Click “View Signature Certificate”. What are the allowed uses for my certificate?
7) Close the email and go to ToolsOptionsAdvanced
8) Click the Certificates tab and click “View Certificates”
9) Click People -- you will see my certificate in the list. How are you assured that it is a
valid certificate for the email address akhenry@berkeley.edu?

Exercise 2: Installing GnuPG and Enigmail (Thunderbird Add-on)
1) From the VM desktop, go to the installers folder and double-click “gpg4win-2.1.0.exe”
2) Choose the default installer options. Notice the optional components available.
3) In the “Define trustable root certificates” window, check the box and click Next
4) When installation is complete, open Mozilla Thunderbird
5) Go to ToolsAdd-ons and click “Install…”
6) From the “installers” folder on the Desktop, select the file “enigmail-1.1.2-tb-win.xpi”
7) After the delay, click “Install Now” and then click “Restart Thunderbird”
8) Go to the new OpenPGP menu and select “Setup Wizard”
9) Choose “No, thanks. I prefer to configure things manually” and click “Next”
10) Now go to FileOpen Saved Message…
11) From the “samples” folder on the Desktop, select the file “[SNS #404856]”
12) Look at the yellow bar on the top of the message window. Why is the OpenPGP
signature unverified, while the S/MIME signature from Exercise 1 was validated?
13) Find the ciphertext of the PGP signature in the body of the email message. How is this
ciphertext generated?
14) Close the message window and start Exercise 4 to validate the PGP signature

Exercise 3: Validating the PGP signature on SNS security alerts
1) Open Internet Explorer and go to:
https://security.berkeley.edu/PGPkeys/PGPkeys.txt
2) Go To FileSave As… and save to the Desktop
3) Now go back to Thunderbird, and go to OpenPGPKey Management
4) Go to FileImport Keys from File
5) Change “Files of type:” to “All Files” and select the file created in Step 2
6) A message window will indicate that key import was successful. How many keys were
imported from the saved file?
7) In the Key Management window, check “Display All Keys by Default” and double-click
the keys to view them. Are these public keys or private keys? What can you do with
them?
8) Now go to FileOpen Saved Message…

- 13 -
9) From the “samples” folder on the Desktop, select the file “[SNS #404856]”
10) Notice that the OpenPGP bar has changed colors. Why does it say “UNTRUSTED”?
11) Close the message for now.

Exercise 4: Generating a PGP key pair with Engimail and signing a public key
Note: This is a test exercise only for a fictitious account, so DO NOT export the keys produced
or upload them to a key server. Create your valid PGP keys from a secure workstation only.
1) In Thunderbird, go to OpenPGPKey Management
2) Select GenerateNew Key Pair
3) Enter a passphrase for the private key, leave the other options on the defaults
4) Click Generate key, then click Generate Key in the Confirm dialog box
5) When key generation is complete, click “Generate Certificate” to create a revocation
certificate. Save to the desktop.
6) In the Key Management window, double-click your new key pair to view the details.
What is your trust level for the new key pair?
7) Right-click on the “SNS-DSS” key and choose “Sign Key”
8) In the Sign Key window, choose “I have done very careful checking” and click OK
9) Let’s look at the SNS PGP signature again. Go to FileOpen Saved Message…
10) From the “samples” folder on the Desktop, select the file “[SNS #404856]”
11) Notice that the OpenPGP bar has changed colors once again. You have validated the
signature with the SNS public key, and validated the SNS public key by signing it with

EXTRA CREDIT: Start signing and encrypting your email
1) Request a FREE personal email certificate and send a signed message to
akhenry@berkeley.edu: http://www.instantssl.com/ssl-certificate-products/free-email-
certificate.html
2) Generate a PGP key pair and upload your public key to the pgp.mit.edu key server
3) Send a PGP signed and encrypted message to akhenry@berkeley.edu, then read my

- 14 -

```
Related docs
Other docs by yaoyufang
FAQs Contactors
The DIRECTV Group_ Inc