09/16/07
Posted by Dave
5 Star Support Security Specialist
I have been asked a number of times "just what is a digital
signature anyway?" Let's talk about this so you will understand
what a digital signature is, what it does, and why it is
important.
Before beginning, let me say that creating and using digital
signatures involves third-party software, and the process can be
a bit tedious and complex. For these reasons, I do not recommend
it for the average personal email that most of you send, but it
is still important that you understand what a digital signature
really is, how it is created, and how it is used.
First, a digital signature is a way to verify that an email
message really came from the person who is supposed to have sent
it and that it has not been changed. You may have received
emails in the past that have a block of letters and numbers at
the bottom of the message, usually introduced by a line such as
"Digital Signature" or "-----BEGIN PGP SIGNATURE-----". Many
people dismiss this block as a bunch of garbage that nobody can
understand anyway. Not true. Although it may look like useless
text or an error from your browser or email client, this block
is actually a digital signature. To generate it, the signing
software first runs the message through a hash function, which
reduces the message to a short fixed-length digest, and then
applies a mathematical operation that combines that digest with
the sender's private key. The result, encoded as text so it can
travel inside an email, is the random-looking string of letters
and numbers that you see.
Because hackers, attackers and malware of many kinds (viruses,
worms, trojans) can spoof email addresses, it can be difficult
to confirm the legitimacy of an email message. Authenticity is
especially important for business correspondence, particularly
if you are relying on someone to provide or verify information.
You want to be sure that the information is coming from the
correct source. A properly digitally signed message also shows
that the content has not been tampered with or changed since the
message was signed. Any change to the message, even a single
character, or to the signature block itself, causes the
signature check to fail, and the recipient's email client will
flag the signature as bad rather than reporting it as good.
Before discussing how this all works, it is first important that
you understand some terms:
Keys-
Keys are used to create digital signatures. Keys come in pairs:
every signer has both a private key and a matching public key.
Private Key – The private key is the half of the pair you use to
actually sign an email message. It is stored encrypted under a
passphrase that only you know, and it should never be shared
with anyone; anyone who obtains it can sign messages as you.
Public Key – The public key is the half of the pair that is
available to other people. It can be uploaded to a public key
server or sent to someone directly, and it is the key other
people use to check your signature. A list of other people who
have signed (certified) your key travels with your public key.
You will only see their names if you already have their public
keys on your key ring; otherwise you see only their key IDs.
Key Ring – A key ring is the local store of keys your software
keeps. Your public key ring holds the keys of people who have
sent you their keys or keys you have fetched from a public key
server; your own private key is kept in a separate secret key
ring. A public key server is a directory of keys that people
have chosen to upload so they are publicly available.
Fingerprint – The fingerprint is a short, fixed-length hash of
the public key itself. When you confirm a key, you are actually
confirming this unique series of letters and numbers, ideally by
comparing it with the owner over the phone or in person. Because
it is computed from the key alone and not from any message, the
fingerprint is a different series of letters and numbers from
the signature block that appears at the bottom of a digitally
signed email, and it stays the same for every message.
Key Certificates – When you select a key on a key ring, you will
usually see the key certificate that contains information about
the key, such as the key owner, the date the key was created,
and the date the key will expire.
Web Of Trust – When someone signs your key, they are confirming
that the key actually belongs to you. The more signatures you
collect from people who checked your fingerprint, the more
confidence others can place in your key. If someone sees that
people they already trust have signed your key, they will be
more inclined to trust your key as well. By the way, just
because others have signed a key does not mean you should
automatically trust it. Always verify the fingerprint for
yourself.
There is a process for creating, obtaining and using keys for
digital signatures:
1. Generate a key pair using software such as PGP (Pretty Good
Privacy) or GnuPG (GNU Privacy Guard), and protect the private
key with a strong passphrase.
2. Increase the trust others can place in your key by having it
signed by co-workers or others who also have keys. Before
signing, they should check your key's fingerprint with you
directly. By signing your key, they confirm that the key you sent
them actually belongs to you, and they record that confirmation
for anyone who later fetches your public key.
3. Upload your public key to a public key server so that anyone
who receives a message with your digital signature can fetch the
key and verify it.
4. Digitally sign your outgoing email messages. Most email
clients with PGP or GnuPG support have an option to sign all
outgoing messages automatically; the recipient's client then
checks each signature against your public key.
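The following program is an added example, not code from the original article or from PGP/GnuPG. It uses Go's standard-library Ed25519 signatures (one of the algorithms modern GnuPG supports) to walk through the same steps in a form you can run: generate a key pair, derive a fingerprint from the public key, sign a message, verify it, and then watch verification fail when the message is tampered with or when the wrong public key is used. A small certification step stands in for a colleague signing your key. The message text and the names Alice and Mallory are constructed for the example; PGP's ASCII-armor wrapping and packet format are not reproduced, only the signing mechanism they carry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Signer holds one key pair. The private half stays with its owner; the
// public half is what gets handed out or uploaded to a key server.
type Signer struct {
	Private ed25519.PrivateKey
	Public  ed25519.PublicKey
}

// GenerateKey is step 1 of the procedure above: create a fresh key pair.
func GenerateKey() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Private: priv, Public: pub}, nil
}

// Fingerprint is a fixed-length hash of the public key alone. Two people
// compare it out of band before trusting a key. Because it depends only on
// the key, it never changes from message to message, which is why it looks
// nothing like the signature block at the bottom of each email.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignMessage produces the signature block for a message. Ed25519 hashes
// the message internally and combines that digest with the private key;
// the 64-byte result is base64-encoded here so it can travel as text.
func SignMessage(s *Signer, message []byte) string {
	sig := ed25519.Sign(s.Private, message)
	return base64.StdEncoding.EncodeToString(sig)
}

// VerifyMessage is what the recipient's client does with the sender's
// public key. Any change to the message or the signature returns false.
func VerifyMessage(pub ed25519.PublicKey, message []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, message, sig)
}

// CertifyKey is step 2: a colleague who has checked Bob's fingerprint signs
// Bob's public key with her own private key. A certification is just a
// signature whose "message" is another person's public key.
func CertifyKey(certifier *Signer, subject ed25519.PublicKey) string {
	return SignMessage(certifier, subject)
}

// CheckCertification lets anyone holding the certifier's public key confirm
// that she really vouched for this subject key.
func CheckCertification(certifierPub, subject ed25519.PublicKey, cert string) bool {
	return VerifyMessage(certifierPub, subject, cert)
}

func main() {
	alice, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message standing in for an email body.
	msg := []byte("Please wire the invoice amount to account 12345 by Friday.")
	sig := SignMessage(alice, msg)
	fmt.Println("fingerprint:", Fingerprint(alice.Public))
	fmt.Println("signature:  ", sig)
	fmt.Println("verifies:   ", VerifyMessage(alice.Public, msg, sig))

	// One changed digit in the message: the signature no longer checks out.
	tampered := []byte("Please wire the invoice amount to account 54321 by Friday.")
	fmt.Println("tampered:   ", VerifyMessage(alice.Public, tampered, sig))

	// A spoofer with their own key cannot produce a signature that checks
	// against Alice's public key.
	mallory, _ := GenerateKey()
	fmt.Println("wrong key:  ", VerifyMessage(mallory.Public, msg, sig))

	// Web of trust: Alice certifies Mallory's key only after checking its
	// fingerprint; anyone with Alice's public key can confirm she did.
	cert := CertifyKey(alice, mallory.Public)
	fmt.Println("certified:  ", CheckCertification(alice.Public, mallory.Public, cert))
}
```

Run it twice and note that the fingerprint printed for a given key would be identical across runs if the key were saved, while the signature differs for every message. The "tampered" and "wrong key" lines print false, which is the behaviour the article describes: the recipient's client reports a bad signature rather than showing a visibly broken block.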
Please also note that the two programs mentioned above will also
let you encrypt email or other files. This is good for very
sensitive information that nobody but the intended recipient can
be allowed to see, but it is really not necessary for average
email correspondence. File encryption can become complicated for
the average user and can significantly increase the time and the
number of steps needed to save and retrieve your files,
especially if you choose to encrypt an entire drive.
By now you should hopefully have a basic understanding of
digital signatures, how they are created, and how they work.
Until next time here on 5 Star Support, happy computing!
Dave