Some doubts about signature procedure

Pete Stephenson pete at heypete.com
Mon Sep 9 12:03:04 CEST 2013


On Mon, Sep 9, 2013 at 10:42 AM, Francesco C.
<anything.everything83 at gmail.com> wrote:
> Hi, here I come back to ask you some clarification about the signature
> procedure.
> The purpose of the signature procedure is making sure that nobody can modify
> the file you're trying to send.
>
> Many times they use also the check of Md5sum or SHA512Sum, but anyway my
> question is:
>
> if any spiteful person succeeds in tapping a file transmission of mine, he
> surely succeeds in signing the modified file. So how can my addressee realize
> that?
>
> In other words, if this spiteful person succeeds in replacing a modified file
> in a server he also succeeds in replacing the signature file, doesn't
> he?

Hi Francesco,

That's a good question! The short answer to the question is "there's
more to a PGP signature than just the hash of the file".

In the situation you propose where a file and a hash (for example, the
sha512sum) are published on a server, an adversary with access to that
system could modify the file and simply add a new, correct sha512sum
for the modified file. There's no way to bind the hash of the file to
the identity of the person who produced the hash. Put another way,
there's no way to tell if the hash was produced by the proper person
or a bad guy.

However, PGP signatures have more than merely the hash of the file --
when PGP (or GnuPG or any other program that implements the OpenPGP
standard) produces a signature, it produces a hash of the file and
encrypts the hash with the signer's private key. The signature is then
included with the file. (Of course, this is a very simple, general
description of what happens. There are a lot more details but this
simple explanation should suffice for now.) This binds someone's
identity to the signature.

Let's say that Alice wants to sign a file. She calculates a hash of
the file, then encrypts the hash with her private key.

Bob downloads the file and wants to verify the signature. He
calculates the hash of the file. Next, he uses Alice's public key
(which is widely available) to decrypt the hash. If the decrypted hash
from Alice and the hash he calculated himself match, then he knows
that the file has not been modified since Alice signed it.

Additionally, since only Alice's public key can decrypt a message
signed with Alice's private key, he knows that only Alice (or, more
generally, someone with Alice's private key) could have produced the
signature. Unless he has Alice's private key a bad guy cannot forge
signatures to appear to come from Alice.

Put very simply, a hash can show that a file has not been altered
since the hash was generated but it provides no assurance as to *who*
produced the hash. A signature provides assurance of both integrity
and authentication: someone verifying the signature can check that the
file has not been altered but also that the signature was produced by
a specific person.

Of course, this assumes that Bob has the public key that actually
belongs to Alice. This can be accomplished by meeting in person,
exchanging public key details over the phone (if they recognize each
other's voices), etc. It's not uncommon for people to meet up at a
"keysigning party" (see
https://en.wikipedia.org/wiki/Key_signing_party ), verify each other's
identity and public key details, and then digitally sign each other's
keys. In such a way, people establish a "Web of Trust" where different
people vouch for the identity of each other.

You might find more details about digital signatures at
https://en.wikipedia.org/wiki/Digital_signature . There may also be a
Wikipedia article that describes signatures in your own language.

> In this case I can't understand the benefit of signing procedure.
> I'm sorry if my exposure was not as good as an English professor :p but I
> promise next times it will be better and better.

Your English is quite good.

Cheers!
-Pete

-- 
Pete Stephenson
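
The scenario from the message above, as an added example that is not part of the original post: an attacker who controls the server swaps the file, its SHA-512 checksum and the signature file, and the checksum still passes while verification against Alice's public key fails. It uses textbook RSA with constructed toy keys (not OpenPGP's actual signature format, and not secure); all names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA key from two primes: returns (public modulus n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data):
    return int.from_bytes(hashlib.sha512(data).digest(), "big")

def sign(data, n, d):
    """Hash the data, then apply the private-key operation to the hash."""
    return pow(digest(data), d, n)

def verify(data, sig, n):
    """Apply the public-key operation to the signature and compare hashes."""
    return pow(sig, E, n) == digest(data)

def checksum_ok(data, published_hex):
    return hashlib.sha512(data).hexdigest() == published_hex

# Constructed toy keys built from Mersenne primes (trivially factorable,
# chosen only so the example runs offline with the standard library).
ALICE_N, ALICE_D = toy_keypair(2**521 - 1, 2**607 - 1)
MALLORY_N, MALLORY_D = toy_keypair(2**521 - 1, 2**127 - 1)

def scenario():
    original = b"release-1.0 contents"             # constructed sample file
    tampered = b"release-1.0 contents + backdoor"  # constructed modified file
    alice_sig = sign(original, ALICE_N, ALICE_D)
    # Mallory controls the server: she replaces the file, the published
    # checksum and the signature file, but she only has her own private key.
    new_sum = hashlib.sha512(tampered).hexdigest()
    mallory_sig = sign(tampered, MALLORY_N, MALLORY_D)
    return {
        "genuine_verifies": verify(original, alice_sig, ALICE_N),
        "swapped_checksum_passes": checksum_ok(tampered, new_sum),
        "old_sig_on_tampered": verify(tampered, alice_sig, ALICE_N),
        "mallory_sig_under_alice_key": verify(tampered, mallory_sig, ALICE_N),
        # Only passes if Bob was given Mallory's key in place of Alice's.
        "mallory_sig_under_mallory_key": verify(tampered, mallory_sig, MALLORY_N),
    }

if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The last entry is the caveat from the message: the check is only as good as Bob's assurance that the public key he verifies against really belongs to Alice.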


