Assignment 3 is due 3/7/22 3/13/22 on or before 11:59:59pm MST.

1. Web of Trust


Who do you trust? How do you know they are who they say they are?

Your goal in this project is to learn about public key cryptography, gpg, verifying identities, and the web of trust.

You’ll need to: create a gpg public/private keypair, register your public key with the submission server, get your key signed by 30 of your fellow students in this class, and avoid signing any fake keys (you will need to verify your classmate’s identity).

The only valid keys are ones that are signed with the course’s keypair. Any key that is not signed by the course’s key is not a valid key (even if the names match).

Note that both real keys and adversarial keys are considered “valid” in that they are signed by the course’s key. Real keys are guaranteed to be the correct name of the student, and adversarial keys are guaranteed to not be the same name. So the whole goal of the assignment is to verify identity.

Very important rules

To ensure a fair and fun playing field, we all must abide by the following rules:

  1. No physical attacks or otherwise breaking the law.

  2. You must follow ASU’s Computer Use Policy so no hacking into other people’s machine’s without their consent.

  3. You agree to be a good sport: when you get scammed just recognize that you made a mistake and that you got a valid life/security lesson. The assignment doesn’t work without the adversarial component, and it won’t cause you to lose a ton of points (promise).

  4. The TAs and Professors will not be providing guidance on how to check the validity of a key or how to keep yourself “safe”. It is up to you to understand what’s going on and how to verify identify so that you only sign valid and real keys.

1. Generate a gpg key

github has a good gpg key creation guide.

Create a public/private keypair for this project that has a name that is exactly what your name is in ASU’s system, has an email (doesn’t matter what the email address is), and does not have a comment.

Other students will need to verify your identity, so the name part must be exact. You can reuse an existing gpg keypair only if the names match, otherwise you’ll need to create a new key for this assignment.

Use one of the standard public key algorithms, here’s the ones supported by the server:

Supported algorithms:
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Important note


I cannot stress this enough, due to the nature of the assignment, we cannot and will not sign multiple keys for you. This may result in you getting a zero on the assignment.

Backup your keypair, if you lose the key once you’ve uploaded it to the server then you will not be able to finish the assignment. Every ASU student has a Dropbox account, so use that or some other mechanism to backup your keypair (including your secret key).

First step is to, once your key is generated, backup your public and private key. Seriously, you’ve been warned.

2. Upload your public key

Save your public key as a file callled public_key.gpg, then upload your public key to GradeScope to the assignment Web of Trust Upload.

The server will then check to see if your public key is valid, and only if it is the server will sign your public key with the course’s keypair, which has a fingerprint of FB45DDDF8021B17B648FE0FD11A7BCA4D679D91E (you should download this key, verify the fingerprint, and import it into your gpg keyring).

The server will also generate an adversarial keypair with a random name and the same email as your key. You will be able to download this adversarial keypair, (both the public and private key).

Note that your key is not valid in the course until it’s been signed by the course key (see “Very important rules” above)! And this goes for other students in the class…

3. Have your public key signed by at least 30 fellow students (45 points)

Use the Internet to search for great information on signing public keys.

The signatures must be from a valid key in this class: How will you know?

4. Sign at least 30 of your fellow students public keys (45 points)

Using what you learned from the above, you must sign at least 30 of your fellow students’ public keys.

Sign more, and only valid public keys count. How will you know?

5. Do not sign invalid keys (10 points)

Of course, the only way that the web of trust works is if keys are signed only when the identify is validated.

If you do not sign any invalid keys that are not your own, you will receive 10 points.

The amount of (negative) points that signing an adversarial key is worth will be determined at the end (along with the positive amount of extra credit for tricking people).

If you sign one adversarial key, it will not reduce all 10 points, so don’t freak out about it (and please learn from it).

If you trick people to sign your adversarial key, you will earn extra credit (and hacker cred). The amount of extra credit will be determined at the end.

6. Submit your public key and public adversarial key

Finally, submit your public key (with the 30 signatures) and your public adversarial key (if you received any signatures).

Submission Instructions

Submit on GradeScope to the assignment Web of Trust your final public key (which you will need to export), called public_key.gpg, along with 30 valid signatures (this is included by default when you export your key), and (optionally) your adversarial public key, called adversary_public_key.gpg (if you tricked people into signing the adversarial key).

Also submit a README file that contains your name, ASU ID, and your thoughts on the usability of GPG and key signing, and how you tricked people to sign your adversarial key.

When you submit, you will see how many signatures are on your key. Again, this could be adversarial keys, which don’t count for points. Final grading will be done after the assignment is over.

2. AES CTF (105 Points)

There are 7 challenges in this module at Each challenge is 15 points, and the total is 105 points.