Secure communication
Overview of the lab
The aim of this lab is to introduce the students to the real-life usage of public key cryptography. You will be able to generate keypairs, learn to share public keys over the internet and learn which risks are involved with it. In addition, you will use public keys to encrypt email messages and the private key to sign emails. You will see that the value of digital signatures largely relies on the trustworthiness of the corresponding certificates.
In addition, we will try using Signal Messenger as it provides one of the most secure implementations of end-to-end encryption while being easily usable. Signal is developed by cryptographers and is a non-commercial product. It has one other significant advantage compared to the other mainstream communication applications like WhatsApp, namely it is open source. This makes it possible for security researchers and for the community to audit the source code. The latter makes it possible to detect vulnerabilities and provides a guarantee that the application does not contain backdoors.
Setting up the lab environment
The lab tasks are designed to be solved in a virtual environment where all the tools are already installed. We are using Oracle VirtualBox to run a virtual machine, which contains the required tools. Both Oracle VirtualBox and the corresponding virtual machine are available in the computer classes of the DELTA building.
In case you wish to solve the lab tasks on your own, you can either manually install all of the required tools or download the virtual machine, which we also use in the computer classes. You will find the download link for the virtual machine in the Moodle forum: Instructions for the first lab. We are using the same virtual machine as in the first lab. The name of the file is infsec-win10-2020_fall.ova. In case you want to use the virtual machine instead of installing the software yourself, you will also need to install Oracle VirtualBox along with its extension pack. NB! We are not able to provide support for installing software. This has to be done on your own in case you can not attend the lab. When coming across an issue while installing or using Oracle VirtualBox, first try to find an answer with the help of Google. In case that does not help, you can post a description of the issue to the Moodle forum. However, in that case it will most likely be easier to install the required software manually, as getting Oracle VirtualBox to run may be tricky in some configurations (we can not provide such support over the internet).
Instructions for configuring Oracle VirtualBox in the computer class
In case you use the virtual machine at home, you can still follow the instructions but they have to be slightly modified. For example, when using your own computer you will have to select which folder the virtual machine should be unpacked to. The virtual machine file is about 22GB and it will take around the same amount of disk space to unpack the machine. Thus, you will need about 45GB of free disk space to run the virtual machine on your own computer. In case you do not have sufficient disk space, it may be easier to manually install the required software (VeraCrypt is the most important part of this lab).
- Open Oracle VirtualBox from the desktop or start menu.
- Let's configure the folder where the virtual machine will be unpacked. For that, find the file menu in the top left corner of the VirtualBox window. Navigate to: File -> Preferences -> General -> Default Machine Folder. Click on the yellow folder icon and find the drive D. Create a folder named infsec_2020 on that drive and open the folder. Next click "Open". You should now have the following view (see image below). After confirming it, click OK.
- Next, let's import the virtual machine. Click on the import button or select from the menu: File -> Import Appliance.
- Click on the yellow icon that is located on the right side of the window.
- Navigate to the folder C:\infsec2020 and select the file infsec-win10-2020_fall.ova. Click Open and Next.
- Click Import and wait while the machine is being imported.
- It will take a few minutes before the virtual machine gets imported. Read the following instructions in the meantime.
- Once the importing finishes, you will see a new entry in the left panel of the VirtualBox window. Click on that entry and press the green Start button.
- The system drive of the virtual machine is encrypted. Thus, it will first ask for a password before it even starts to load the operating system. The password will be used to unlock the decryption key, which will be used to decrypt the contents of the virtual hard drive. The password for the virtual machine is given to you in the lab but it is also posted to the Moodle forum. Enter the password and press enter twice (the PIM field is supposed to stay empty).
- It will take some time to check the password. This is done on purpose to make it more difficult to guess the password by brute forcing different combinations.
- After a while Windows will start to load in case you entered the password correctly. There is no password set for the user account and thus you will be automatically logged in. Thus, you should be able to see the desktop on a virtual Windows machine.
- Put the virtual machine window into full screen mode to avoid confusing the real operating system with the virtual environment. To do that, go to the View menu and select full screen mode. You can also close the information bars that are displayed at the top of the screen. Now we are ready to start solving the lab tasks.
Securing email exchange
How email exchange works
Simple Mail Transfer Protocol (SMTP) is used to transmit emails both between the user and email server and between the mail servers. However, email client software is commonly configured to use SMTP only for sending emails. In order to receive emails client software uses either IMAP or POP3.
The IMAP protocol is commonly used nowadays as it provides support for multiple simultaneous clients. Therefore, with IMAP it is possible to view emails on both a smartphone and a laptop without the emails being deleted from the server. However, POP3 is an older protocol that first fetches the mail and then deletes it from the server, which means that by default mail can be downloaded to a single device.
One might wonder if SMTP, IMAP and POP3 always encrypt the email traffic in order to protect confidential information from leaking. Actually, all of these protocols support the transmission of data over SSL / TLS but this is an optional feature. Special ports are reserved for these protocols to transmit data over SSL / TLS. Secure SMTP is called SMTPS and it uses port 465. Secure IMAP is called IMAPS and it uses port 993. Secure POP3 is called POP3S and it uses port 995. It is obvious that the extra S in the abbreviations stands for secure and it just means that the protocol is used inside of an SSL / TLS session. Most email servers support the secure versions of these protocols but the user may have to configure the email client software to use the correct port.
There is a feature that enables encryption even for the plain SMTP, IMAP, POP3 and this feature is called STARTTLS. STARTTLS adds SSL / TLS by default if the corresponding mail server supports this. Most well known email providers have enabled support for STARTTLS. However, if a mail server does not support STARTTLS, then the user will have to configure the email client software to use a port that provides an encrypted connection.
Security and privacy issues of email exchange
The protocols that are used to exchange emails are not designed to take security and privacy seriously. These protocols were designed to get the job done in an environment where security was not so relevant. However, these protocols are still alive and it is difficult to modify them or to replace them with more secure protocols.
By default email is not encrypted. Some links between the mail servers might be encrypted, but this does not mean that the content of the email can not be intercepted, read and modified. It might be possible to encrypt the links between the mail clients and mail servers but while the mail is routed through the Internet it might pass servers that do not support encryption. In addition, as the content of the mail is not end-to-end encrypted, the mail servers are able to read the contents of the emails.
Some SMTP servers support STARTTLS, which makes it possible to automatically switch from an unencrypted connection to an encrypted connection over SSL / TLS. However, STARTTLS is mostly supported by the major email providers and many servers still do not provide this option. When STARTTLS is not available and the mail client is not forced to use a secure mail exchange protocol, then the email is exchanged in plaintext, i.e., in an unencrypted form.
A message transfer agent (MTA) is used to relay emails from one mail server to another. MTA uses SMTP and deals with receiving messages and relaying messages. It is important to note that MTA-s do not have to communicate with each other over TLS/SSL. If one of the MTA-s does not support TLS/SSL then the email is exchanged in plaintext. In case an email is sent to a mail server that does not support TLS/SSL then it is guaranteed that the email will be transmitted in plaintext at least in one transmission step. Therefore, STARTTLS and secure mail exchange protocols do not provide confidentiality during the transmission of the email as one of the mail servers might not support TLS/SSL. Even when all links during the transmission of the email are secured by encryption the contents of the email can leak as the mail servers are able to read the email in plaintext. Therefore, one needs to trust the MTA-s while sending emails but this is not a very wise thing to do when the contents of the emails are confidential.
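The hop-by-hop transmission described above, including the STARTTLS fallback from the preceding paragraphs, can be checked on a received message, because every relaying server prepends a Received header that names the protocol it accepted the mail with. The following is an added example, not part of the original lab material: it parses those headers and reports the hops that were not protected by TLS. The sample message, host names and function names are constructed for illustration; the protocol keywords are the ones registered in RFC 3848.

```python
import email
import re

# "with" protocol keywords written into Received headers (RFC 3848).
# A keyword containing the S flag means the session was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAINTEXT_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample message (hosts, addresses and queue ids are made up).
# Received headers are prepended, so the topmost one describes the last hop.
SAMPLE_MESSAGE = """\
Received: from mx.relay.example (mx.relay.example [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTP id 4C1A2B3C
\tfor <bob@recipient.example>; Mon, 05 Oct 2020 10:15:03 +0300 (EEST)
Received: from smtp.sender.example (smtp.sender.example [203.0.113.5])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.relay.example (Postfix) with ESMTPS id 9F8E7D6C
\tfor <bob@recipient.example>; Mon, 05 Oct 2020 10:15:02 +0300 (EEST)
Received: from laptop.sender.example (unknown [192.0.2.44])
\tby smtp.sender.example (Postfix) with ESMTPSA id 1A2B3C4D
\tfor <bob@recipient.example>; Mon, 05 Oct 2020 10:15:01 +0300 (EEST)
From: alice@sender.example
To: bob@recipient.example
Subject: Quarterly numbers
Date: Mon, 05 Oct 2020 10:15:00 +0300

The body is readable by every server listed above.
"""

CLAUSE = re.compile(r"\b(from|by|with)\s+(\S+)", re.IGNORECASE)


def strip_comments(value):
    """Remove parenthesised comments, including nested ones."""
    previous = None
    while previous != value:
        previous = value
        value = re.sub(r"\([^()]*\)", " ", value)  # innermost pairs first
    return value


def parse_hop(received):
    """Extract sending host, receiving host and protocol from one header."""
    text = strip_comments(" ".join(received.split()))  # unfold, drop comments
    text = text.split(";", 1)[0]                       # drop the timestamp
    fields = {}
    for keyword, value in CLAUSE.findall(text):
        fields.setdefault(keyword.lower(), value)      # first occurrence wins
    protocol = fields.get("with", "").upper()
    if protocol in TLS_PROTOCOLS:
        security = "tls"
    elif protocol in PLAINTEXT_PROTOCOLS:
        security = "plaintext"
    else:
        security = "unknown"
    return {"from": fields.get("from"), "by": fields.get("by"),
            "protocol": protocol or None, "security": security}


def trace_hops(raw_message):
    """Return the hops in the order the message travelled."""
    message = email.message_from_string(raw_message)
    received = message.get_all("Received") or []
    return [parse_hop(value) for value in reversed(received)]


def unprotected_hops(hops):
    """Hops that are not known to have used TLS."""
    return [hop for hop in hops if hop["security"] != "tls"]


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_MESSAGE)
    for number, hop in enumerate(hops, start=1):
        print(f"hop {number}: {hop['from']} -> {hop['by']} "
              f"({hop['protocol']}, {hop['security']})")
    for hop in unprotected_hops(hops):
        print(f"not encrypted in transit: {hop['from']} -> {hop['by']}")
```

Each header is written by the server that received the message, so only the headers added by servers you trust are reliable; anything below them could have been supplied by the sender.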
In addition, it is important to notice that the metadata in the header of the email can not be encrypted as this information is required for relaying the emails. Therefore, it is possible to intercept the metadata that contains: sender email address, recipient email address, sender IP, recipient IP, date, time, title of the email. This data is public and the mail exchange protocols do not provide means to protect such information.
Risks that are related with email communication:
- the contents of the emails can be intercepted and saved
- the contents of the emails can be modified
- the contents of the emails can become public information
- it might be possible to use someone else's identity
A very good overview of the security issues of email is given by the article Neither Snow Nor Rain Nor MITM ... An Empirical Analysis of Email Delivery Security (2015). It is written by researchers from University of Michigan, Google, University of Illinois.
Solution for the privacy and security issues
There is no ideal solution for the described security and privacy issues. The best available solutions use end-to-end encryption but they are not widely used. In end-to-end encryption the message is encrypted in the sender's computer and decrypted in the recipient's computer, which means that the intercepting party can not get access to the contents of the message. End-to-end encryption of emails is provided by PGP/GPG and S/MIME. As an alternative, it is possible to use other communication means that provide end-to-end encryption. One popular alternative used to be Off-the-Record Messaging (OTR) but nowadays Signal is considered to be one of the most secure communication applications.
Today we are going to use PGP/GPG to encrypt and sign emails. You will also have to use Signal in order to solve one of the homework tasks.
S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a mail exchange standard that is based on public key infrastructure. In addition to providing confidentiality by using encryption and non-repudiation by using signing, it also provides authentication and message integrity. Similarly to HTTPS, each end user should have a key pair and a certificate that binds the identity (email address) with the corresponding public key. The certificate has to be signed by a trusted certificate authority (CA).
In order to encrypt emails with S/MIME one would need to have the public key of the email recipient. Usually the public key can be accessed if the recipient has previously sent a signed email which contains the certificate and therefore also the public key.
S/MIME is supported by several mail clients but it is rarely used as one would have to get a certificate that is signed by a CA. However, S/MIME is widely used in Estonia as each ID-card owner has a certificate signed by a CA. It is possible to send encrypted and signed emails using the Estonian ID-card. In order to do that one would have to search for the corresponding certificate and then use the email address that is in that certificate. The email addresses in the ID-card certificates are of the following format: Surname.Lastname[.X]@eesti.ee.
PGP and GPG
Pretty Good Privacy (PGP) is a computer program that was created in 1991. It allows users to encrypt and sign documents and emails. Similarly to S/MIME, PGP is based on public key cryptography. Each PGP user has a key pair but it differs from S/MIME in how keys are managed. PGP is not centralized, i.e., it does not use public key infrastructure. Therefore, one does not have to get a CA to sign a certificate, which makes it easier to start using PGP.
Instead of using public key infrastructure where trust relationships are created between CA-s, PGP uses something that is called a web of trust. In the web of trust everyone can choose how much trust is given out and then the decision is bound by signing the corresponding certificate. If many people enforce the trust by signing other people's certificates then a social network of trust is created where trust is a transitive relation as shown in the following figure.
Key servers are used to manage the trust relationships. One can download a certificate from the key server and also upload new signed certificates to the key server. Therefore, everyone can create new trust relations and publish them in the key servers.
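In practice the transitivity of the web of trust is bounded. The following added example (not part of the original lab material and not GnuPG's own code) goes one step beyond the description above and computes key validity by the rule given in the GNU Privacy Handbook for GnuPG's classic trust model: a key is valid if you signed it yourself, or if one fully trusted key or three marginally trusted keys signed it, within a path of at most five steps back to your own key. The key names, signatures and trust assignments are constructed for illustration.

```python
# Defaults of GnuPG's classic trust model (GNU Privacy Handbook).
COMPLETES_NEEDED = 1   # signatures needed from fully trusted keys
MARGINALS_NEEDED = 3   # signatures needed from marginally trusted keys
MAX_CERT_DEPTH = 5     # longest allowed path back to your own key

# Constructed keyring: key -> set of keys that have signed it.
SIGNATURES = {
    "alice": {"me"},
    "bob": {"me"},
    "carol": {"me"},
    "dave": {"me"},
    "eve": {"alice"},                    # one fully trusted signer
    "frank": {"bob", "carol"},           # only two marginal signers
    "grace": {"bob", "carol", "dave"},   # three marginal signers
    "mallory": {"eve"},                  # signer is valid but not trusted
}

# Constructed owner trust: how much *you* trust each key holder to check
# identities before signing. Keys not listed here have no owner trust.
OWNERTRUST = {
    "alice": "full",
    "bob": "marginal",
    "carol": "marginal",
    "dave": "marginal",
}


def compute_validity(own_key, signatures, ownertrust,
                     max_depth=MAX_CERT_DEPTH):
    """Return {key: depth} for every key that is considered valid.

    Depth is the number of signature steps from your own key. A signature
    only counts if the signing key is itself already valid, and its weight
    depends on the owner trust you assigned to the signer.
    """
    valid = {own_key: 0}
    for depth in range(1, max_depth + 1):
        newly_valid = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            signed_by_me = False
            full = marginal = 0
            for signer in signers:
                if signer not in valid:
                    continue              # signature from an unverified key
                if signer == own_key:
                    signed_by_me = True
                elif ownertrust.get(signer) == "full":
                    full += 1
                elif ownertrust.get(signer) == "marginal":
                    marginal += 1
            if (signed_by_me or full >= COMPLETES_NEEDED
                    or marginal >= MARGINALS_NEEDED):
                newly_valid[key] = depth
        if not newly_valid:
            break                         # nothing changed, stop early
        valid.update(newly_valid)
    return valid


if __name__ == "__main__":
    valid = compute_validity("me", SIGNATURES, OWNERTRUST)
    for key in sorted(set(SIGNATURES) | {"me"}):
        if key in valid:
            print(f"{key}: valid (depth {valid[key]})")
        else:
            print(f"{key}: not valid")
```

In the sample keyring the key of eve is valid, yet her signature on mallory counts for nothing: a key being valid and its owner being trusted to introduce other keys are two separate decisions.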
Actually, PGP is an old commercial software product and therefore it is not used anymore. A standard called OpenPGP was created based on PGP in order to make the functionalities provided by PGP widespread. OpenPGP is supported by different software products which makes them interoperable. The most common and widespread software that follows the OpenPGP standard is GNU Privacy Guard (GnuPG or GPG). GPG is an open-source program that is available for free.
GNU Privacy Guard (GPG)
GPG makes it possible to exchange emails and attached files in a secure manner. GPG can encrypt and sign emails, which means that a third party is not able to secretly modify or read the contents of the emails. In addition, when an email is signed the receiver can be sure who sent the email (actually, the receiver only knows that the sender had access to the corresponding private key).
GPG is considered to be one of the safest methods for encrypting data. However, GPG is not very popular and only a small group of people communicate by using GPG. Therefore, one can usually start using GPG only if the receiving party is instructed on how to set up GPG. There might be a situation when someone, e.g. a client, wants to submit confidential information and GPG provides a solution for this problem. Estonian citizens can use the encryption and signing functionalities provided by the ID-card but if the client is a foreigner then the ID-card may not be an option. In such cases one could create an OpenPGP key pair for himself / herself or for the company. However, just creating the key pair is not enough; the public key would also have to be published so that the clients could find the key. One option is to publish the key in addition to the key servers also to the company website in case the website is configured to use HTTPS.
PGP task (3p)
You should be using a virtual machine if you are attending the lab. Manually installing the required software would take too much time (and you would have to solve the issues on your own!). The virtual machine already contains the required software (Thunderbird, Enigmail and GPG). The instructions for using the virtual machine were on the top of this page. Skip the following subsection and start with the PGP task by configuring the email account in Thunderbird.
Installing GPG, Mozilla Thunderbird, Enigmail
Skip this section in case you are in the lab or if you are solving these tasks at home with the downloaded virtual machine.
Windows: installing GPG - skip this if you are in lab or if you are solving these tasks at home with the downloaded virtual machine
The GPG version on Windows is called Gpg4win and it contains the following tools:
- GnuPG - the main tool that allows to encrypt / decrypt / sign / verify
- Kleopatra - certificate manager
- GPA - an alternative certificate manager
- GpgOL - a plugin for Microsoft Outlook that allows to encrypt emails
- GpgEX - a plugin for Microsoft Explorer that allows to encrypt files
- Claws Mail - a mail client that supports GPG
- Gpg4win Compendium - documentation in English and German
How to install Gpg4win to your computer - skip this if you are in lab or if you are solving these tasks at home with the downloaded virtual machine:
- Navigate to the website http://www.gpg4win.org/
- Click on the button "Download Gpg4win" and choose the newest version of the software
- Download the installation file and then open it
- Click "Yes", "Next"
- Choose to install all components and click "Next"
- Click "Install", "Next" and "Finish"
Installing Thunderbird and Enigmail - Skip this if you are in lab or if you are solving these tasks at home with the downloaded virtual machine.
Mozilla Thunderbird is a popular free and open-source email client that is developed by Mozilla Foundation. In order to send encrypted and signed emails using Thunderbird one would have to install the extension Enigmail, which adds support for GPG.
DO NOT install the recently published version 78, as the Enigmail extension does not work in Thunderbird version 78. The new version of Thunderbird integrates PGP by default but the instructions for using it differ completely from the instructions shown on this page. We will update the lab instructions for next semester but this semester we will continue to use Thunderbird 68. The latest version of Thunderbird 68, version 68.12.0, was released on the 25th of August 2020. You can download the installer for Mozilla Thunderbird 68.12.0 from Mozilla's archive page: https://archive.mozilla.org/pub/thunderbird/releases/68.12.0/win64/en-GB/.
Step 1: install Mozilla Thunderbird version 68
- In case you are using the lab virtual machine, you already have Thunderbird 68 installed.
- Otherwise, go to and pick your operating system. Windows users should pick win64. Next, choose the language for Thunderbird. Our lab instructions are made for the English version of Thunderbird (en-GB or en-US).
- Download the installer for your operating system
- Open the installer file and use the default options to install Thunderbird: Yes -> Next -> Next -> Install -> Finish
Step 2: install Enigmail extension
- Open Thunderbird
- Check if you already have Enigmail menu in Thunderbird. If you have then go to task 3.
- Navigate to "Tools" -> "Add-ons" -> "Search all add-ons"
- Search for "Enigmail"
- If found then click "Install"
- Click "Restart now" to activate the Enigmail
Connecting the email account
The next step is to connect an email account with Thunderbird. We created special email accounts for this lab so that each student would get their own email address. The accounts and the email addresses are tied to students' study book numbers. Thus, find out what your study book number is. You can find that information in the study information system but it is also available in your profile when navigating to the top right corner of this website.
Open Thunderbird and find the button that adds a new email account. This is shown on the screenshot below. A new email account can be added also from the menu: "File -> New -> Existing Mail Account..."
Once you have pressed that button, information about the email account has to be entered. Your email address has the following format: <studybooknumber>@infsec.cs.ut.ee. The study book number and also the rest of the fields have to be filled with lowercase letters. The password is also your study book number (in lowercase). Once you have filled the fields click "Continue" and then "Done".
Now the email account should be added to Thunderbird. In case there are errors, you may try to modify the username so that it is in the following format: <studybooknumber>@infsec.cs.ut.ee. You may also check the configuration manually by clicking on "Manual config". The information in the manual config window should match the configuration shown below (except the username).
Once the email account is connected to Thunderbird, it should be visible on the left panel. Make sure that you are able to send and receive emails with the connected email account. The server only allows you to send emails to other students in the information security course. Try to send a test email from Thunderbird to another student or to yourself. Make sure that you are able to receive emails with the email account connected to Thunderbird. Do not continue until you have confirmed that you can both send and receive emails.
Now we are ready to start configuring the email account in Thunderbird to support both encryption and signing of emails.
Using Thunderbird and Enigmail to send an encrypted and signed email (2p)
In order to use PGP you will have to tie a keypair to the email address. This will allow you to sign emails (using your private key) and to receive encrypted emails (decrypt with the private key and share the public key).
Thus, the first task is to generate a new keypair for your email account that is connected with Thunderbird. Once this is done, the public key has to be published, so that others would be able to use your public key to send you encrypted messages.
Find from the top right corner of Thunderbird a button that consists of three black lines. Click on that button and find the Enigmail menu -> "Preferences" (screenshot is displayed below). We will have to modify Enigmail's preferences, such that it would only use the private keyserver that is created for this course. Otherwise you could spam public keyservers with test data, which can not be removed later. In case you can not find Enigmail's preferences from the previously described menu, click on the button with the three lines and go to Add-ons -> Enigmail.
Once Enigmail's preferences are visible, click on the following button: "Display Expert Settings and Menus". Two new tabs should have appeared at the top of that window. Click on the tab named "Keyserver", remove the preexisting text and set the keyserver address to be infsec.cs.ut.ee. The result is displayed on the following screenshot.
Next, we will generate a new keypair for the email address. Find "Key Management" from Enigmail menu. A new window should appear, which contains a menu with the title "Generate". Click on that item and choose "New Key Pair".
Now the key generation window opens. Choose to generate an elliptic curve key as this is significantly faster compared to RSA key generation. Set the key to be valid for two months. The password will protect the generated private key. In case you enter a password, it will be asked for before the private key is used. However, setting a password for the private key is not necessary in the lab. Thus, you may select to use "no passphrase".
After the keypair is generated, Enigmail asks whether a revocation certificate should be generated. This helps to invalidate a public key that has been uploaded to a keyserver. The need for revocation may come when the email address is no longer used, private key has leaked, the private key has been lost, etc. The revocation certificate can also be generated later by clicking "Enigmail" -> "Key management" -> "Generate" -> "Revocation certificate". It is important that you would have a revocation certificate if you really start to use PGP outside of the lab environment.
Once the keypair has been generated you should be able to see a new entry in the "Key Management" window. You can upload the public key to the local keyserver (infsec.cs.ut.ee) by right clicking on the new entry in the "Key Management" window and then choosing the option "Upload Public Keys to Keyserver". In case this does not work, it is also possible to upload the public key manually. For that, right click on the entry and select "Copy Public Keys to Clipboard".
Once you chose the option to manually upload your public key, open a browser, navigate to infsec.cs.ut.ee:11371 and click on the "Submit Key" button.
Now the public key text can be pasted into the input form and the key can be sent to the keyserver by pressing the button "Submit Public Key".
As a result a small notification is displayed, which indicates that the process worked. Now you can go back to the web page of infsec.cs.ut.ee:11371 and check via the search option whether your public key is available. In case you used your own name when connecting the email account, you can search for the key by using your name. You can search for the public key also by entering the corresponding email address. Once your public key has been uploaded to the local keyserver, other students are able to query and download it. Thus, they are able to use your public key in order to send you encrypted emails.
The next step is to send encrypted emails. First try to send an encrypted email to yourself. Find the "Write" button in Thunderbird and click on it. You will need the recipient's public key in order to be able to encrypt the email for the given recipient. In case the key is available in the key manager, encryption should be enabled by default in Thunderbird. You can test this by checking whether the padlock icon has been painted yellow in the email writing window. In order to activate the signing functionality, the button with the shape of the pen has to be activated. Now, send yourself or a co-student an encrypted and signed email. Make sure that you receive one encrypted and signed email and are able to decrypt the message and verify the signature.
Once the email is successfully decrypted and the signature verified you should be able to see a view that is similar to the following view.
In case you managed to successfully send an encrypted and signed email, please also solve the homework task, which can give up to three points in total. To solve the task you will have to send an encrypted and signed email either to the lab instructor or to the lecturer. It is important that the email is both encrypted and signed. Thus, you will have to find your instructor's public key and email address. From Thunderbird, open the Enigmail menu and navigate to "Key Management". From the "Key Management" window click on the "Keyserver" menu and select "Search for Keys". Write the name of your instructor in the search form and import the corresponding public key to Key Management.
In case the process succeeded, you should see a message that is similar to the one shown below.
Once you have the instructor's public key, you can send him an encrypted and signed email exactly the same way as before. The email address for Kristjan is krips@infsec.cs.ut.ee. The title of the email must be "PGP lab - task 1" and the email must contain either your full name or the pseudonym that is generated for you by the courses.cs.ut.ee website.
When the encrypted and signed email is sent, you have completed the PGP task. The instructor will try to reply to your message either during the lab or in a few days. The points for the PGP task will be posted to the results table once that table gets published.
Additional information
What should be done differently when creating a key pair for your own email account:
- the secret key should be protected by a secure password
- the expiry date of the key should be longer but do not set it to never expire
- the secret key has to be kept safe to avoid leaks and to be sure that you will be able to decrypt messages in the future
- you should create a revocation certificate, which allows you to mark a public key as invalid - it is not possible to delete an old public key from the key server, you can only mark it as invalid by using the revocation certificate
- you should publish your public key to a well known key server
- in addition you may connect your public key with your identity in the Internet, e.g., with your Twitter account, with your homepage, etc.
Mac OS X: GPGTools
GPG also works on Macs, on OS X it is provided by GPGTools. GPG Suite comes with GPG for Mail, GPG Keychain, GPG Services and MacGPG. If you would like to use GPGTools, then navigate to their website and click on "Download GPG Suite".
After installation, open GPG Keychain Access and create a new keypair for your email account. If you already have a keypair for the account then it is possible to import it. As a next step create a revocation certificate; to do that navigate to "Key" -> "Generate Revoke Certificate". Under the same menu is an option that allows you to publish the public key and also to search for public keys of other people.
Now it should be possible to send encrypted and signed emails using Mail. In order to send an encrypted email one would have to start writing the email and then click on the encryption button; the same holds for signing. It is important to note that one can send encrypted emails only to those contacts whose public key is available in the GPG Keychain Access. I.e., before sending an encrypted email one will have to search for the corresponding public keys. It is very likely that the contacts do not have an OpenPGP public key and therefore it might be necessary to instruct them on how to use GPG.
Problems related with OpenPGP and GPG
An overview of the problems related with PGP is given by Matthew Green: What's the matter with PGP?.
- few users and it is not trivial to use PGP
- difficult to create trust relationships
- email metadata is not encrypted
- it is difficult to share and verify the long public key
- queries to the key-servers may not be encrypted
- no support for perfect forward secrecy
- people do not know what PGP is or how to verify emails signed by PGP (this problem is illustrated with the following comic)
Alternative tools
In case you have spare time and want to test out other tools that support PGP then visit: Mailvelope. This tool is recommended by the New York Times.
How to use Signal
Signal is an open source messaging application that uses end-to-end encryption. It works on Android since version 4.0 and on iOS since version 9.0. Once Signal is activated on your phone you can also use a desktop client (it is supported on Windows, MacOS and on Debian based Linux distributions). You can get helpful information from Signal Messenger Basics and Signal Security.
It is not possible to use the desktop application without having Signal on the phone. This is due to the fact that Signal uses the phone number as an identifier of the user. This has also been one of the aspects of Signal that has gotten some criticism. At the same time, the developers of Signal are improving the protocol. For example, cryptographic methods help the Signal application to identify other Signal users who are in phone's contact list without revealing the contact list to Signal's servers. You can find more information about this method from the following blog post: Technology preview: Private contact discovery for Signal.
EFF has created helpful instructions for using Signal:
Signal task
Use Signal to send end-to-end encrypted messages. This is part of the second homework. If you are not able to try out Signal then an alternative task regarding Signal is available as part of the second homework.
- Install Signal from Google Play / App Store.
- Signal uses the contact list in order to find contacts. Therefore, you can see if anyone from your contact list is using Signal. We are using a prepaid card for the homework task that has the following number: +372 five three seven six zero nine four two. You can add a new Signal contact directly from Signal. However, an alternative possibility is to add the number temporarily to your contact list.
- Now you are able to send messages to the test account. In case you have other Signal users in your contact list, you can communicate with them using end-to-end encrypted messages or calls.
- To claim the homework points send a hello message to the test account. The message must contain either your name or pseudonym from this course as otherwise it is not possible to assign points.
Using Signal in practice
In case you plan to start using Signal it may be useful to also have a desktop client. In order to do that the desktop account has to be connected with the Signal application on the phone. This can be done by opening the Signal application on the phone and scanning the QR-code that is displayed in the desktop application. The QR-code scanning functionality can be found from Signal's settings.
Signal may have fewer functionalities compared to the mainstream communication applications. One of the reasons is the lack of resources for adding functionalities but the other reason is the consideration of security. For example, it is non-trivial to synchronize messages across different devices as each Signal application has its own cryptographic keys and there are protective measures to protect the exchanged messages.
Finishing the lab - remove the virtual machine
In case you were able to successfully complete the PGP task, you can close and remove the virtual machine. However, if you installed the virtual machine on your own computer, it would be good to wait for the instructor's confirmation that the email was received before removing the virtual machine.
- Close the virtual machine: open the Start menu and select "Power" -> "Shut down".
- Next, remove the previously imported virtual machine from the main VirtualBox window. To do that, right click on the name of the virtual machine and select "Remove...". From the dialog window select "Delete all files".
- Finally, make sure that you log out of the lab computer. We will give minus points to the students who leave the computer class without logging out from their accounts.
- In case you are solving the tasks on your own computer, you can now also remove the .ova file from your own computer (the file, which you used to import the virtual machine).
Further reading
- Relevant papers
- PGP
- Manuals for installing and using Thunderbird and Enigmail
- Installing Thunderbird on Windows
- Guide for installing Enigmail in Thunderbird
- Guide for configuring Enigmail and installing GPG -- choose "I prefer a manual configuration (recommended for experts)" so that you can follow the instructions in the lab materials. Once you have installed GPG with the help of the guide, you can continue with the lab instructions from the VPN configuration step.
- GPG, Thunderbird, Enigmail