Implement OpenPGP

Introduction

The module Implementing OpenPGP provide you with the instructions and devices to develop your hands-on skills in the following topics.

• Installation of OpenPGP
• OpenPGP Certificate Creation and Distribution
• OpenPGP Signing and Importation
• OpenPGP Verification, Encryption and Decryption

Lab time: It will take approximately 1 hour to complete this lab

Exam Objectives

The following exam objectives are covered in this lab:

• CAS-002 1.1: Distinguish which cryptographic tools and techniques are appropriate for a given situation
• CAS-002 2.2: Given a scenario, execute risk mitigation
• planning, strategies and controls
• CAS-002 5.2: Given a scenario, integrate advanced authentication and
• authorization technologies to support enterprise objectives.

Exercise 1 - Installation of OpenPGP

OpenPGP is becoming one of the most important and respected methods of encrypting information, especially when it comes to email. OpenGPG comes with a complete method of application in Win4GPG. The tools provided help to perform the certificate creation, encryption and decryption with Outlook plugins automatically installed.

Exercise 2 - OpenPGP Certificate Creation and Distribution

OpenPGP certificates have Public Key technology behind them. The idea is that there is nothing secretive about the method which adds to the fact it’s been tested countless times by the public for weaknesses and thus far has not been broken. Effectively there are two keys, one is secret and held by the creator, the other is public and meant for distribution to anyone who wishes to communicate privately with the creator.

Methods of key distribution regard the obvious emailing the public key to the recipient for correspondence, uploading to a certificate server or simply handing the key over on portable media like a USB device.

Exercise 3 - OpenPGP Signing and Importation

OpenPGP can be used for signing emails to effectively place a unique signature on the email to help with verification of the sender but also of the actual certificate itself. The act of signing is effectively a digital signature. The idea is to have the message readable to everyone but the clever part is checking whether the message have been changed by someone other than the author of the email, thereby helping to thwart man in the middle attacks and maintain the message integrity.

When working for a large business there will be mulita employees who will have their own certificates. Kleopatra helps to organize and provide a database of those certificates which greatly assists when writing emails to different members of staff and having Kleopatra automatically select the correct certificates for correspondence.

Exercise 4 - OpenPGP Verification, Encryption and Decryption

The ‘piece de resistance’ of course is encryption and decryption of messages to protect against spying eyes whether that be internal to a company or external from the company networks. OpenPGP provides an excellent method of using certificates to mask email content and even attachments preventing them from being obviously viewed by unauthorized personnel.