cs458 - Information Security - Homework #1


The purpose of this homework is to give you a chance to get familiar with using digital certificates to encrypt and sign email. You might want to do this every time you're sending sensitive email that you want kept away from the prying eyes of your boss, etc.

Here is what you have to do:

  • Download and install Thunderbird, an email client, from mozilla.com
  • Start Thunderbird and create an account that will allow Thunderbird to connect to your email account on IIT's mail server (which really is Google these days). Get the setup settings from IIT's OTS.
  • Select "Edit" and then "Account Settings"
  • In the window that opens click on "Server Settings" and then select "SSL" for security settings; this means all communications between your email client and the email server will be encrypted
  • Close the window

You can now check your email on the IIT server, download it locally if you so desire, or compose email and send it. However, the email you're sending is not encrypted, even though the communication channel between you and IIT's email may be. If you're sending information that's sensitive, then this is a problem.

Next you are going to get a free digital certificate from a reputable provider on the Internet such as CAcert. Use your IIT email address when you sign up. Once your account is created and you've responded to the email address validation email, you can log in to the site and request a "Client Certificate".

Follow the instructions to install the certificate; the certificate will be installed in your Firefox browser. You have to go through one extra step before you can use it in email. Here are the steps for Firefox under Linux:

  • In your Firefox browser go to "Edit" and then click "Preferences"
  • Select the "Advanced" tab in the window that opens, then "Encryption" and "View certificates"
  • Highlight the "CAcert" certificate, then click "Backup"; make a note of the location where you backed up the certificate
  • In Thunderbird go to "Edit" and then click "Preferences"
  • Select the "Advanced" tab in the window that opens, then "Certificates", "View Certificates" and "Your Certificates"
  • Click on "Import" to import the Digital Certificate into Thunderbird; navigate to the location where you saved the certificate earlier, then select the certificate to import and click Ok
  • That's it, you're done and should now be able to encrypt and sign the contents of your email
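
Between the Firefox "Backup" step and the Thunderbird "Import" step, the backup file can be checked from a shell. This is an added example, not part of the original assignment: it assumes the OpenSSL command-line tool is installed and that the backup is a PKCS#12 (.p12) file, and the function names, sample address and password are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the assignment): sanity-check a certificate backup
# before importing it into Thunderbird. Assumes the backup is PKCS#12.

# make_sample_p12 DIR
# Builds a CONSTRUCTED self-signed certificate and packs it into DIR/backup.p12
# so the check below can be tried without a real CAcert certificate.
make_sample_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Student/emailAddress=student@example.edu" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    P12_PASS=backup-pw openssl pkcs12 -export -inkey "$dir/key.pem" \
        -in "$dir/cert.pem" -passout env:P12_PASS -out "$dir/backup.p12"
}

# check_p12 FILE PASSWORD EMAIL
# Prints "ok" when FILE opens with PASSWORD, holds a private key, and its
# client certificate is unexpired and issued to EMAIL. The password goes to
# openssl through the environment so it does not show up in the process list.
# Note: OpenSSL 3 may need "-legacy" added to the pkcs12 commands for backups
# written with older encryption algorithms.
check_p12() {
    p12=$1; pass=$2; email=$3
    # Client certificate only: no keys, no CA certificates.
    cert=$(P12_PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12_PASS \
               -clcerts -nokeys 2>/dev/null) ||
        { echo "cannot open backup (wrong password or not PKCS#12)"; return 1; }
    # Signing and decrypting need the private key, not just the certificate.
    P12_PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY' ||
        { echo "backup contains no private key"; return 1; }
    # The address in the certificate must match the sending account.
    printf '%s\n' "$cert" | openssl x509 -noout -email 2>/dev/null |
        grep -qixF "$email" ||
        { echo "certificate is not issued to $email"; return 1; }
    # An expired certificate imports fine but fails when recipients verify it.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 1; }
    echo ok
}
```

To check a real backup, source the file and call `check_p12` with the path chosen in the "Backup" step, the backup password and your email address.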

NOTE: The instructions above work reasonably well if you're installing the certificate under Linux or even Windows XP. You'll get extra credit if you provide step-by-step instructions for other browsers on other operating systems.

Part (i), 50 points: Send your instructor an email (digitally) signed only. In the email include:

  • A memorable quotation that you like (don't forget to include the name of the author) (10 points)
  • Describe whether you can send an encrypted email to your instructor or not; if not, then explain why (40 points)

Part (ii), 50 points, due no more than 48 hours after your instructor replies to your email from part (i): Send your instructor an email that's encrypted AND signed. In the email include the following:

  • Explain how you secure the *communication* channel between your email client and the email server (20 points)
  • Explain why the sensitive information you're sending in email -- in case you're not using a digital certificate to encrypt content -- is not secure even though all communications between your email client and the server are encrypted (20 points)
  • An explanation of what you found hard about getting this assignment done (10 points)


$Id: hw1.html,v 1.2 2012/08/26 04:22:21 virgil Exp $