US-CERT Cyber Security Tip ST04-018 -- Understanding Digital Signatures

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   			National Cyber Alert System
  			Cyber Security Tip ST04-018

Understanding Digital Signatures

   Digital signatures are a way to verify that an email message was really
   signed by the person who supposedly sent it (more precisely, by whoever
   holds that person's private key) and that it has not been changed since
   it was signed.

What is a digital signature?

   You may have received emails that have a block of letters and numbers
   at the bottom of the message. Although it may look like useless text
   or some kind of error, this information is actually a digital
   signature. To generate one, the signing software first reduces the
   message to a short fixed-size digest with a hash function (the
   "Hash: SHA1" line at the top of this message names the one used to
   sign it), then transforms that digest with the sender's private key.
   The result is encoded as a random-looking string of letters and
   numbers; the same message signed with a different key, or a different
   message signed with the same key, produces a completely different
   string.

Why would you use one?

   Because it is so easy for attackers and viruses to "spoof" email
   addresses (see Using Caution with Email Attachments for more
   information), it is sometimes difficult to identify legitimate
   messages. Authenticity may be especially important for business
   correspondence--if you are relying on someone to provide or verify
   information, you want to be sure that the information is coming from
   the correct source. A signature that verifies also indicates that the
   content has not been changed since it was signed; altering even a
   single character would cause the signature check to fail.

How does it work?

   Before you can understand how a digital signature works, there are
   some terms you should know:
     * Keys - Keys are used to create and check digital signatures. They
       come in pairs: each person has a private key and a matching public
       key, and a signature made with one can only be checked with the
       other.
          + Private key - The private key is the half you use to actually
            sign an email message. It is stored encrypted under a
            passphrase, and you should never give your private key to
            anyone: whoever holds it can sign messages in your name.
          + Public key - The public key is the half that is available to
            other people. Whether you upload it to a public key server or
            send it to someone, this is the key other people use to check
            your signature. The signatures of other people who have
            vouched for your key travel with your public key; you will
            only be able to see who they are if you already have their
            public keys on your key ring (otherwise only their key IDs
            are shown).
     * Key ring - A key ring is the file in which your software stores
       keys. Your public key ring holds the public keys of people who
       have sent you their keys or whose keys you have fetched from a
       public key server; your own private key is kept separately. A
       public key server holds the keys of people who have chosen to
       upload them, and anyone can upload a key under any name.
     * Fingerprint - A fingerprint is a short hash of a public key,
       displayed as a fixed-length string of hexadecimal digits. When
       confirming a key, this is the value you compare with its owner. It
       is not the same thing as the signature block at the bottom of a
       signed email message: the fingerprint identifies the key and does
       not change, while the signature is different for every message.
     * Key certificates - When you select a key on a key ring, you will
       usually see the key certificate, which contains information about
       the key, such as the key owner's name and email address, the date
       the key was created, and the date the key will expire.
     * "Web of trust" - When someone signs your key, they are certifying
       that the key actually belongs to you. The key itself does not get
       any stronger as signatures are added, but the evidence that it is
       yours does. If someone sees that your key has been signed by other
       people that he or she trusts, he or she is more inclined to trust
       your key. Note: Just because someone else has trusted a key or you
       found it on a public key server does not mean you should
       automatically trust it. You should always verify the fingerprint
       with the owner yourself, through a channel other than email, such
       as in person or by phone.

   The process for creating, obtaining, and using keys is fairly
   straightforward:
    1. Generate a key pair using software such as PGP, which stands for
       Pretty Good Privacy, or GnuPG, which stands for GNU Privacy Guard,
       and protect the private key with a strong passphrase.
    2. Increase confidence in your key by having it signed by co-workers
       or other associates who also have keys. In the process of signing
       your key, they confirm with you, in person or by phone rather than
       by email, that the fingerprint of the key you sent them matches
       the one you read to them. By doing this, they vouch for your
       identity and attach their signature to your key.
    3. Upload your signed key to a public key server so that anyone who
       gets a message with your signature can fetch your public key and
       verify the signature.
    4. Digitally sign your outgoing email messages. Most email clients
       have a feature or plug-in to easily add your digital signature to
       your message, and a recipient's client uses your public key to
       check it and report whether the signature verifies.
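   The mechanics described above, as an added example that is not part of
   the US-CERT tip and is not PGP or GnuPG code: Go's standard-library
   crypto/ed25519 stands in for the PGP signing algorithm, the clear-signed
   layout is a toy imitation of the shape of a signed email (gpg cannot read
   it), and the names, the message and the "EXAMPLE" markers are constructed
   for illustration. GenerateIdentity and Fingerprint correspond to step 1,
   Clearsign to step 4, and VerifyClearsigned is the recipient's side. The
   last check in main also shows why steps 2 and 3 matter: a signature made
   with some other key, even one carrying the same name, fails to verify, so
   it is the fingerprint comparison, not the name on the key, that ties a key
   to a person.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Markers for the toy clear-signed layout used below. They mimic the shape of
// a clear-signed e-mail but are NOT OpenPGP armor; gpg will not read them.
const (
	beginMarker = "-----BEGIN EXAMPLE SIGNED MESSAGE-----"
	sigMarker   = "-----BEGIN EXAMPLE SIGNATURE-----"
	endMarker   = "-----END EXAMPLE SIGNATURE-----"
)

// GenerateIdentity makes a fresh key pair. The private key stays with its
// owner and is the only thing that can produce valid signatures; the public
// key is handed out so others can check them.
func GenerateIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only possible if the OS random source is unavailable
	}
	return pub, priv
}

// Fingerprint is a fixed-length hash of the public key. This is the value two
// people compare out of band before signing each other's keys; it is not the
// signature block under a message, which differs for every message.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Clearsign signs msg with priv and returns the readable message followed by
// the base64-encoded signature, the "block of letters and numbers" a recipient
// sees at the bottom of a signed e-mail. Ed25519 hashes the message internally
// before applying the key, which is the "combine key and message" step.
func Clearsign(priv ed25519.PrivateKey, msg string) string {
	sig := ed25519.Sign(priv, []byte(msg))
	return beginMarker + "\n" + msg + "\n" +
		sigMarker + "\n" + base64.StdEncoding.EncodeToString(sig) + "\n" +
		endMarker + "\n"
}

// VerifyClearsigned splits signed text back into message and signature and
// checks the signature against pub. It returns the message text and whether
// the signature held: false for a malformed block, a message altered after
// signing, or a signature made with some other key.
func VerifyClearsigned(pub ed25519.PublicKey, text string) (string, bool) {
	if !strings.HasPrefix(text, beginMarker+"\n") {
		return "", false
	}
	rest := text[len(beginMarker)+1:]
	i := strings.Index(rest, "\n"+sigMarker+"\n")
	if i < 0 {
		return "", false
	}
	body := rest[:i]
	rest = rest[i+len(sigMarker)+2:]
	j := strings.Index(rest, "\n"+endMarker)
	if j < 0 {
		return body, false
	}
	sig, err := base64.StdEncoding.DecodeString(rest[:j])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return body, false
	}
	return body, ed25519.Verify(pub, []byte(body), sig)
}

func main() {
	alicePub, alicePriv := GenerateIdentity()
	fmt.Println("Alice's fingerprint:", Fingerprint(alicePub))

	// Constructed sample message, not taken from the original tip.
	signed := Clearsign(alicePriv, "Please move Friday's meeting to 3pm.")
	fmt.Print(signed)

	if _, ok := VerifyClearsigned(alicePub, signed); ok {
		fmt.Println("original: signature verifies")
	}

	// Someone who edits the text cannot repair the signature without Alice's key.
	tampered := strings.Replace(signed, "3pm", "4pm", 1)
	if _, ok := VerifyClearsigned(alicePub, tampered); !ok {
		fmt.Println("tampered: signature does NOT verify")
	}

	// A different key, even one uploaded under Alice's name, also fails.
	otherPub, _ := GenerateIdentity()
	if _, ok := VerifyClearsigned(otherPub, signed); !ok {
		fmt.Println("wrong public key: signature does NOT verify")
	}
}
```

   Run it with go run; the fingerprint and the signature block change on
   every run because a new key pair is generated each time, while the three
   verdicts do not.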
     _________________________________________________________________

   Authors: Mindi McDowell, Allen Householder
     _________________________________________________________________
   Produced 2007 by US-CERT, a government organization.

   Note: This tip was previously published and is being re-distributed 
   to increase awareness. 
  
   Terms of use
 
   <http://www.us-cert.gov/legal.html>
  
   This document can also be found at
 
   <http://www.us-cert.gov/cas/tips/ST04-018.html>
 

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRuqdm/RFkHkM87XOAQLahgf7BOBifMF/d/6kPtvHFOJxwp0YnZThpxM2
R/qUO5lb70GmXAfi+qOnjHBhd6grLiKSlFhvLvEKrNoVFj6VmCpWxDdZgInVuO9F
ni5Ga/0Y1Elgvz9bNQOpavABua/QipxtjTa88mEXEgjov1LiwWnbYRF/xoni1+Rw
x6aQt7Z/v2nSnxnjJOnLcJJDDOfkjQjdk1+2YwbnkoH9RqMHyQpIWDxlbbhxFP//
3YrO57n8ZEXZmumGISC51ZPmwLrDwYN9pONx1kpv5oMofxWNjqjgu57XjIMWwXnZ
1iUaB1RgFuO7rcZqfUV06Ub6nStW1X/PNGO2dmTbwpwSfLT5JwEwxw==
=775z
-----END PGP SIGNATURE-----
