US-CERT Cyber Security Tip ST04-018 -- Understanding Digital Signatures

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Understanding Digital Signatures

   Digital signatures are a way to verify that an email message really
   came from the person who supposedly sent it and that it has not been
   changed since it was signed.

What is a digital signature?

   You may have received emails that have a block of letters and numbers
   at the bottom of the message. Although it may look like useless text
   or some kind of error, this information is actually a digital
   signature. To generate a signature, the signer's software computes a
   hash (a short, fixed-length digest) of the message and then transforms
   that hash with the signer's private key. The result, encoded as text
   so that it survives transit through email, is the random-looking
   string of letters and numbers you see; anyone holding the matching
   public key can check it. Because the content of the message goes into
   the computation, the signature doesn't just tell you that this person
   wrote a message, it tells you that this person wrote this message.

Why would you use one?

   Because it is so easy for attackers and viruses to "spoof" email
   addresses (see Using Caution with Email Attachments for more
   information), it is sometimes difficult to identify legitimate
   messages. Authenticity may be especially important for business
   correspondence--if you are relying on someone to provide or verify
   information, you want to be sure that the information is coming from
   the correct source. A valid signature proves that the message was
   signed by whoever holds the private key; it ties the message to a
   person only once you have confirmed that the key belongs to that
   person (see "How does it work?" below). A signed message also
   indicates that the content has not been changed since it was signed;
   any change, even to a single character, would cause the signature
   check to fail.

How does it work?

   Before you can understand how a digital signature works, there are
   some terms you should know:
     * Keys - Keys are used to create digital signatures. Keys come in
       pairs: a private key and a matching public key.
          + Private key - The private key is the half of the pair you
            use to actually sign an email message. It should be
            protected by a passphrase, and you should never give your
            private key to anyone: whoever holds it can sign messages
            that verify as yours.
          + Public key - The public key is the half of the pair that is
            available to other people. Whether you upload it to a public
            key server or send it to someone, this is the key other
            people can use to check your signature. The signatures of
            other people who have signed your key travel with your
            public key. You will only be able to see who those signers
            are if you already have their public keys on your key ring.
     * Key ring - A key ring is the local collection of keys your
       software manages. Your public key ring contains the keys of
       people who have sent you their keys or whose keys you have gotten
       from a public key server. A public key server contains keys of
       people who have chosen to upload them; anyone can upload a key
       under any name, so a key's presence there proves nothing by
       itself.
     * Fingerprint - A fingerprint is a short hash of the public key,
       shown as a series of letters and numbers. When confirming a key,
       you will actually be confirming the fingerprint, ideally by
       comparing it with the owner over a channel you trust, such as in
       person or by phone. The fingerprint is a different series of
       letters and numbers than the chunk of information that appears at
       the bottom of a signed email message.
     * Key certificates - When you select a key on a key ring, you will
       usually see the key certificate, which contains information about
       the key, such as the key owner, the date the key was created, and
       the date the key will expire. You can see an example of the
       information included in a key certificate by looking at Sending
       Sensitive Information to US-CERT.
     * "Web of trust" - When someone signs your key, they are confirming
       that the key actually belongs to you. The more signatures you
       collect from people who have checked your fingerprint, the better
       attested the link between your key and your identity becomes; the
       key itself is no stronger. If someone sees that your key has been
       signed by other people that he or she trusts, he or she is more
       inclined to trust your key. Note: Just because someone else has
       trusted a key or you find it on a public key server does not mean
       you should automatically trust it. You should always verify the
       fingerprint yourself.

   The process for creating, obtaining, and using keys is fairly
   straightforward:
    1. Generate a key pair using software such as PGP, which stands for
       Pretty Good Privacy, or GnuPG, which stands for GNU Privacy Guard.
       Choose a passphrase for the private key when you do.
    2. Strengthen the evidence that the key is yours by having it signed
       by co-workers or other associates who also have keys. In the
       process of signing your key, they confirm, over a channel they
       trust, that the fingerprint of the key you sent them is the one
       you gave them. By doing this, they verify your identity and
       indicate trust in your key.
    3. Upload your signed public key to a public key server, or send it
       directly to your correspondents, so that anyone who gets a
       message with your signature can fetch the key and verify the
       signature.
    4. Digitally sign your outgoing email messages. Most email clients
       have a feature to easily add your digital signature to your
       message.
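   The signing, verification, key-signing and trust check described under
   "How does it work?" and in the four steps above, as an added example
   in Go using only its standard library; this is not code from US-CERT,
   PGP or GnuPG. Ed25519 signatures stand in for OpenPGP packets, the
   layout of the data a key signature covers and the names Alice, Bob,
   Carol and Mallory are assumptions for the example, and the message
   text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity binds a public key to a name, the way an OpenPGP user ID does.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
}

// Certification is one signature on a key: Signer attests that the key in
// an Identity really belongs to the person named in it.
type Certification struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// NewKeyPair is step 1: generate a private key and its matching public key.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Fingerprint is a short hash of the public key: the value two people
// compare by phone or in person before one signs the other's key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignMessage is step 4: a signature over msg made with the private key.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifyMessage checks the signature with the public key. Any change to
// msg, even a single byte, makes it return false.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// certData is what a key signature covers: the key's fingerprint bound to
// the claimed name. This layout is an assumption for the example; OpenPGP
// hashes the key packet and user-ID packet instead.
func certData(id Identity) []byte {
	return []byte(Fingerprint(id.Pub) + "\x00" + id.Name)
}

// CertifyKey is step 2: having checked the fingerprint with the owner, the
// signer signs the key-to-name binding with their own private key.
func CertifyKey(signerPriv ed25519.PrivateKey, id Identity) Certification {
	return Certification{
		Signer: signerPriv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(signerPriv, certData(id)),
	}
}

// KeyIsTrusted is the web-of-trust check a recipient makes before relying
// on a key fetched from a key server: accept the identity only if a valid
// certification comes from a signer whose own fingerprint the recipient has
// already verified. Signatures from unknown keys count for nothing.
func KeyIsTrusted(id Identity, certs []Certification, trustedFprs map[string]bool) bool {
	data := certData(id)
	for _, c := range certs {
		if trustedFprs[Fingerprint(c.Signer)] && ed25519.Verify(c.Signer, data, c.Sig) {
			return true
		}
	}
	return false
}

func main() {
	alicePub, alicePriv := NewKeyPair()
	bobPub, bobPriv := NewKeyPair()
	malloryPub, malloryPriv := NewKeyPair()

	// Step 3: Alice's key sits on a key server carrying Bob's certification.
	alice := Identity{Name: "Alice <alice@example.com>", Pub: alicePub}
	certs := []Certification{CertifyKey(bobPriv, alice)}

	// Carol has met Bob and verified his fingerprint; he is her only introducer.
	carolTrusts := map[string]bool{Fingerprint(bobPub): true}
	fmt.Println("Carol accepts Alice's key:", KeyIsTrusted(alice, certs, carolTrusts))

	// Mallory uploads her own key under Alice's name, signed only by herself.
	fake := Identity{Name: alice.Name, Pub: malloryPub}
	fakeCerts := []Certification{CertifyKey(malloryPriv, fake)}
	fmt.Println("Carol accepts Mallory's key:", KeyIsTrusted(fake, fakeCerts, carolTrusts))

	// Step 4 with a constructed message: the original verifies, a one-digit edit does not.
	msg := []byte("Approved: pay invoice 4471 for $1,200 to the usual account")
	sig := SignMessage(alicePriv, msg)
	fmt.Println("Original verifies:", VerifyMessage(alicePub, msg, sig))
	tampered := []byte("Approved: pay invoice 4471 for $9,200 to the usual account")
	fmt.Println("Tampered verifies:", VerifyMessage(alicePub, tampered, sig))
}
```

   Run with `go run`: the four lines print true, false, true, false. The
   point of KeyIsTrusted is the one the tip's Note makes: a key the
   recipient has never verified cannot vouch for another key, so
   Mallory's self-signed key fails even though it carries a perfectly
   valid signature, and a certification made over one name does not carry
   over to the same key presented under a different name.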
     _________________________________________________________________

   Authors: Mindi McDowell, Allen Householder
     _________________________________________________________________

   Copyright 2004 Carnegie Mellon University. Terms of use US-CERT

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQVG7IhhoSezw4YfQAQKFwwf9EJ2/xrXbYAa1smccDIokqMiNpmuBOry5
xqWQysKBmxyFzVo46SZP5E0CQitVWnjfZ9ohfs1+wMaNkXZm356A9sZl2OEcBtrg
wjuGRWqQUNG4nMSjYKnt+1SGOjh4eZN12MDXtJUGnUbpvknukJT3IUPBDJ64uND9
R56bO18lo0kj3hANkbFTmT7SrXu7HclUt8tPzcwaUgSXGFuksBh/GzlaTZ/JtEPK
HFs3iVsqn3uEB3eq5w1D/obcfxNUb6l5KguLyeU36DKBP5xWbhE28p7Hh6SQsjB5
rfD+AmY1VSV18raMJYkEREFIGwTvsc+3TMCUqq6Aw6bf+WMT8h4iDg==
=geuX
-----END PGP SIGNATURE-----
