this post was submitted on 26 Jul 2023

2 points (100.0% liked)

Ask Science

8645 readers

1 users here now

Ask a science question, get a science answer.

Community Rules

Rule 1: Be respectful and inclusive.

Treat others with respect, and maintain a positive atmosphere.

Rule 2: No harassment, hate speech, bigotry, or trolling.

Avoid any form of harassment, hate speech, bigotry, or offensive behavior.

Rule 3: Engage in constructive discussions.

Contribute to meaningful and constructive discussions that enhance scientific understanding.

Rule 4: No AI-generated answers.

Strictly prohibit the use of AI-generated answers. Providing answers generated by AI systems is not allowed and may result in a ban.

Rule 5: Follow guidelines and moderators' instructions.

Adhere to community guidelines and comply with instructions given by moderators.

Rule 6: Use appropriate language and tone.

Communicate using suitable language and maintain a professional and respectful tone.

Rule 7: Report violations.

Report any violations of the community rules to the moderators for appropriate action.

Rule 8: Foster a continuous learning environment.

Encourage a continuous learning environment where members can share knowledge and engage in scientific discussions.

Rule 9: Source required for answers.

Provide credible sources for answers. Failure to include a source may result in the removal of the answer to ensure information reliability.

By adhering to these rules, we create a welcoming and informative environment where science-related questions receive accurate and credible answers. Thank you for your cooperation in making the Ask Science community a valuable resource for scientific knowledge.

We retain the discretion to modify the rules as we deem necessary.

founded 1 year ago

MODERATORS

sabbah@lemmy.world

AradFort@lemmy.world

ken_cleanairsystems@lemmy.sdf.org

count_of_monte_carlo@lemmy.world

How does a signing a post with a pgp key prove that you are actually the person behind the post? (lemmy.nz)

submitted 1 year ago by Fizz@lemmy.nz to c/askscience@lemmy.world

5 comments fedilink hide all child comments

I saw that people on the dark web would sign their posts with a PGP key to prove that their account has not been compromised. I think I understand the concept of how private and public keys work but I must be missing something because I don't see how it proves anything.

I created a key and ran gpg --export --armor fizz@... and I ran that twice and both blocks were identical. If I posted my public key block couldn't someone copy and paste that under their message and claim to be me?

top 5 comments

sorted by: hot top controversial new old

[–] dohpaz42@lemmy.world 1 points 1 year ago

The short answer is no. A bit longer of an answer is that with the public key, anybody can encrypt data. Only the owner(s) of the private key can decrypt the data. That is a key point: encrypted data by itself is meaningless. If you were to attempt to decrypt random data (or change one single character of valid encrypted data), you’d get literal garbage output. But, valid encrypted data and the corresponding private key can always unencrypt back into the original format.

This is why emphasis is always made to never share or expose your private key. Couple the private key with the always-available public key and you’ve got a man-in-the-middle (MitM) attack. This is where an attacker could decrypt the data with the private key, change it, re-encrypt it with the public key, and send it along to the destination without anybody knowing it was altered.

I hope this helps.

[–] PastaGorgonzola@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

What you are doing is exporting your key. Your public key is indeed something you can (and should) share as it enables others to verify that you are indeed who you claim to be (or more accurately, that you're in control of the private key that's linked to that public key). So while you should share your public key, your private key must remain private.

What these people on the dark web are doing is one step further: they sign their messages with their private key. This creates a cryptographic signature that's different for each message (changing a single character in the message will generate a wildly different signature). Anyone with the public key can simply copy that message including the signature and validate it. If even a single character of the message was changed, the signature will not be valid. Thus ensuring others that the person who posted the message is indeed in control of the private key.

Signing is different from encrypting: while encryption renders your message totally unreadable to anyone without the correct key, signing doesn't change the message itself. It simply appends a signature allowing others to check that the message wasn't tampered with.

[–] Crul@lemmy.world 0 points 1 year ago* (last edited 1 year ago) (1 children)

EDIT: changed encryption / decryption to signing / veryfing. Thanks for the corrections

Not an expert, those who know more please correct me.

From what I understand, what they post is not a PGP key, but the same content published in clear text signed with their private key. That way anyone can verify it with the author's public key to check it has been generated with the private one (that only one person should have).

[–] dohpaz42@lemmy.world 0 points 1 year ago (1 children)

You’ve got it backward. You encrypt with the public key, and decrypt with the private key. Otherwise, you’re spot on.

[–] 4am@lemmy.world 0 points 1 year ago

For signing, it’s backwards - you encrypt with the private key, and then everyone else can decrypt with the public key. If that doesn’t work, they know that the message wasn’t signed by the private key paired with the public key they have, and therefore is invalid and is not to be trusted.

Signing proves authenticity (only the private key holder can sign), encryption provides privacy (only the private key holder can read)