US-CERT Cyber Security Tip ST04-018 -- Understanding Digital Signatures

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                          Cyber Security Tip ST04-018
                       Understanding Digital Signatures

   Digital signatures are a way to verify that an email message really came
   from the person who supposedly sent it and that it has not been changed
   since it was signed.

What is a digital signature?

   There are different types of digital signatures; this tip focuses on digital
   signatures for email messages. You may have received emails that have a
   block of letters and numbers at the bottom of the message. Although it may
   look like useless text or some kind of error, this information is actually a
   digital signature. To generate it, the signing software first computes a
   cryptographic hash (a fixed-length digest) of the message, then transforms
   that hash with the sender's private key. The result is a random-looking
   string of letters and numbers that only the matching public key can check.

Why would you use one?

   Because it is so easy for attackers and viruses to "spoof" email addresses
   (see Using Caution with Email Attachments for more information), it is
   sometimes difficult to identify legitimate messages. Authenticity may be
   especially important for business correspondence: if you are relying on
   someone to provide or verify information, you want to be sure that the
   information is coming from the correct source. A valid signature also
   indicates that the content has not been changed since it was signed; any
   change, even to a single character, causes signature verification to fail.

How does it work?

   Before you can understand how a digital signature works, there are some
   terms you should know:
     * Keys - Keys are used to create and check digital signatures. Each
       signer has a key pair: a private key and a public key.
          + Private key - The private key is the part of the pair you use to
            actually sign an email message. It is stored encrypted under a
            passphrase, and you should never give your private key to anyone.
          + Public key - The public key is the part of the pair that is
            available to other people. Whether you upload it to a public key
            server or send it to someone, this is the key other people use to
            check your signature. The signatures other people have made on
            your key travel with your public key. You will only be able to
            see those signers' identities if you already have their public
            keys on your key ring; otherwise you see only their key IDs.
     * Key ring - A key ring contains public keys. You have a key ring that
       contains the keys of people who have sent you their keys or whose keys
       you have gotten from a public key server. A public key server contains
       keys of people who have chosen to upload their keys.
     * Fingerprint - The fingerprint is a short hash of the public key, a
       unique series of letters and numbers. When confirming a key, you
       actually confirm the fingerprint, ideally over the phone or in person
       with the key's owner. The fingerprint is a different series of letters
       and numbers than the signature block that appears at the bottom of a
       signed email message.
     * Key certificates - When you select a key on a key ring, you will usually
       see the key certificate, which contains information about the key, such
       as the key owner, the date the key was created, and the date the key
       will expire.
     * "Web of trust" - When someone signs your key, they are certifying that
       the key actually belongs to you. The more signatures you collect, the
       more widely your key has been vouched for (the signatures do not make
       the key itself cryptographically stronger). If someone sees that your
       key has been signed by other people that he or she trusts, he or she is
       more inclined to trust your key. Note: Just because someone else has
       trusted a key or you find it on a public key server does not mean you
       should automatically trust it. You should always verify the
       fingerprint yourself.

   The process for creating, obtaining, and using keys is fairly
   straightforward:
    1. Generate a key pair using software such as PGP, which stands for Pretty
       Good Privacy, or GnuPG, which stands for GNU Privacy Guard.
    2. Increase the authenticity of your key by having it signed by co-workers
       or other associates who also have keys. In the process of signing your
       key, they confirm that the fingerprint of the key you sent them
       matches the one you give them through another channel. By doing this,
       they verify your identity and indicate trust in your key.
    3. Upload your signed key to a public key server so that anyone who gets
       a message with your signature can fetch the key and verify the
       signature.
    4. Digitally sign your outgoing email messages. Most email clients have a
       feature to easily add your digital signature to your message.

   There are a variety of mechanisms for creating digital signatures, and these
   mechanisms may operate differently. For example, S/MIME does not add a
   visible block of letters and numbers within the message (the signature is
   carried as a separate MIME part), and its signatures are verified by
   checking the sender's certificate against a chain that leads to a trusted
   certificate authority, rather than directly against other users in a web
   of trust. You may just see an icon or note on the message that the
   signature has been verified. If you get an error about a digital signature,
   do not act on the message; contact the sender through a phone call or a
   separate email address that you know is valid to verify the authenticity
   of the message.
     _________________________________________________________________

     Authors: Mindi McDowell, Allen Householder
     _________________________________________________________________

     Produced 2004 by US-CERT, a government organization.

     Note: This tip was previously published and is being re-distributed to
     increase awareness.

     Terms of use

     http://www.us-cert.gov/legal.html

     This document can also be found at

     http://www.us-cert.gov/cas/tips/ST04-018.html

     For instructions on subscribing to or unsubscribing from this mailing
     list, visit

     http://www.us-cert.gov/cas/signup.html.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSyqeo9ucaIvSvh1ZAQJjUAf+KaZctYFgsBDN0zFpel5eLDLIPFnChEyO
XWTPa/5Mmw+8AvyNffFUMB93ouSNwfTyii456sy5jGyF6ddj5BJeWHhEUnrgegP3
EqLkRuGTTzBieokh+y8AN+4QUDQr2U+yXKXri/dkFariwUO2wCV6mZLiR1yOnCtW
67aZH+YNY9AcMcSchztRCisIueQL7ge1R3ZB72Qaqup3w1zhjLRuAX+UoI7nB8dw
Po0Z75TV3hO1FQ2I2v2428uDYva29S4JspJv5S/sMGj1t3iS5pfWbHZfPDGWzdqE
miHZuXnFvUma1afUW+f0ujdrgJ7V0jIQjQi7tHk2uW4t/AZ4zButaA==
=lGai
-----END PGP SIGNATURE-----
