Creating and Using X.509 and PGP Certificates for Secure Document Signing

Learning Outcomes

1. Practical experience of analysing, designing, implementing and validating solutions to computer network security challenges using common network security tools and formal methods.
2. Ability to deal with complex issues and make informed judgements about network security in the absence of complete or consistent data.
3. Exercise substantial autonomy and initiative in addressing computer network security challenges.
4. Showing initiative and team working skills in shared computer network security application development.
5. Demonstrate critical reflection on network security issues.

 

Overview

This coursework is an exercise in creating, using X.509 and PGP certificates. It involves developing an application that can be securely used to digitally record and verify signatories to a document. The application is capable of recording a set of signatures to a given document. Each signatory would have provided a signature of a given document using their own PGP certificate; the set of signato-ries is then signed using a X.509 certificate which would have been specifically set for the document. The application is capable of verifying the set of signatures to a given document. The application is certified by a local Certification Authority (CA) which is also certifying the document’s certificate. Context of use: the application is to be used by a Notary to witness signatures on documents. The application should be implemented as a commandline client/server application with the notary server distributing document, public certificate, signatory certification on request and accepting individual signature. The application can also be implemented with no network interface and therefor working on the commandline locally only, see Section 6 for the implication of not including a network interface to the application. You are expected to add and document your own extra features such as managing update to the documents, or GUI. 

 

The choice of programming language to implement this application is left to the pair. You can choose between Java and Python. If you want to use another programming language, please get agreement from the lecturer first. The learning objective of this coursework is for you to become familiar with the concepts of certificates and signatures. The work should be done in pairs. However, pairs of stu-dents also have to join together with other pairs to form a wider group of people who are prepared to sign each other’s certificates. It is recommended that the pairs do their collaborative work using the University and MACS systems: Teams, Word Online, GitLab Student1.

 

Tasks

Each member of a pair should perform the following tasks:

 

(i) Create one self-signed PGP certificate and private key.
(ii) With the wider group of students, hold virtual key party(ies) for members to sign each other’s OpenPGP certificates.
(iii) Create a plain text document2 ; create a new X.509 certificate and private key; get it signed by your pair’s CA that you created for task (1); sign the document using the new certificate; with the wider group of students, share the document, the X.509 certificate, and the signature.
(iv) Using your PGP private key, sign documents shared by other students; share the signatures to the wider group of students.

 

Each pair should perform the following tasks:

 

(1) Create a local CA run by the pair (the local CA should be given a suitable X.500 name and have a self signed X.509 certificate created for it; it may be appropriate to take steps to ensure that this certificate has the basic constraint extension set on it to identify it as a CA certificate).
(2) Form a group with at least one other pair of students and do group activities:
(a) Exercise due diligence in using key to sign other pairs’ certificates using your local CA.
(b) Get your pair’s certificate signed by at least one other pairs’ local CA. 

(3) Write an application to record and verify signatures to a given document such as the documents and signatures shared in tasks (iii) and (iv). The application should have two modes of use: record to certify a list of signatories to a document, and verify to verify such list of signatories with the corresponding X.509 and PGP certificates.
(4) Sign the application with the private key corresponding either to the pair’s X.509 certificate or one of the member’s PGP certificate.
(5) Demonstrate your application works correctly using a recorded video. Submit pair report, source code and demonstration, and individual reports (see Section 3). 

 

X.509 certificates should have a sensible X.500 name. PGP certificates should have sensible identifiers of your owner and include at least an e-mail address and a small photograph of them. Students should exercise due diligence in key parties when signing each other’s PGP certificates.