PGP signing - where to start?

STiAT · 2006-12-23 12:11:56

Hello everyone,

I've thought on gathering information how pgp signing actually works, background, libs, background knowledge.

I've actually never touched the topic pgp signing, and just wanted to ask if anyone of you got interesting links / papers to read?

Thanks,
STi

mucknert · 2006-12-23 12:38:14

http://en.wikipedia.org/wiki/Asymmetric_key_algorithm - For a general overview on how this things work.
http://en.wikipedia.org/wiki/Gnupg - For a little bit more specific use.

What else?

Leffe · 2006-12-23 15:02:36

The GNU Privacy Handbook [1] is an interesting and practical read, which obviously focus on the GnuPG implementation of PGP.

[1] http://www.gnupg.org/gph/en/manual.html

xterminus · 2006-12-23 22:46:46

STiAT wrote:

Hello everyone,
I've thought on gathering information how pgp signing actually works, background, libs, background knowledge.
I've actually never touched the topic pgp signing, and just wanted to ask if anyone of you got interesting links / papers to read?
Thanks,
STi

When you refer to signing, do mean creating a signature for some text or a file you created, or establishing a "Web of Trust" via key signing?

STiAT · 2006-12-23 23:50:37

xterminus wrote:

When you refer to signing, do mean creating a signature for some text or a file you created, or establishing a "Web of Trust" via key signing?

Creating a signature for a file i created.

xterminus · 2006-12-24 00:58:57

STiAT wrote:

xterminus wrote:
When you refer to signing, do mean creating a signature for some text or a file you created, or establishing a "Web of Trust" via key signing?
Creating a signature for a file i created.

Basically, A hash function takes a long string (or 'message') of any length as input and produces a fixed length string as output, usually called a message digest or a fingerprint. Common hashing algorithms include MD5 and SHA-1. GnuPG uses other algorithms, but the idea is the same. (I think) that this resulting hash is then combined with your private key and "hashed" again to produce a signature.

The signature can then be verified for integrity based on a verification of the message digest, and authentication can be verified based on the data of the hashed value of the private key (which the public key can verify).

The idea for all of this has been around since the late 70's, when Rivest, Shavir, and Adlermann developed the first implementation of PKI. The most obvious problem with generating signatures is that it requires very sensitive key data. Maintaining the integrity of private keys is a real PITA.

The most likely solution seems to be a credit-card sized smart-card which performs the cryptography/signatures within the card. So called "Smart Cards" are available for cheap if your really serious about all of this.

STiAT · 2006-12-24 11:13:54

I'm aware of current hashing and encryption methods with private public key systems. It seems as if i've been a bit lazy reading the gnupg homepage, since the information i needed was there. Maybe it was since i felt from the beginning the site isn't very well designed.

I'm a bit bored lately, and this seems to be an interesting topic. I've read the above papers (thanks for all the links).

Actually, i found a point to start with, what makes me happy, i get rid of my boredom.

Let's see how far i get implementing this into a certain program. Years since i developed c the last time.

Thank you all,
STi

Arch Linux

#1 2006-12-23 12:11:56

PGP signing - where to start?

#2 2006-12-23 12:38:14

Re: PGP signing - where to start?

#3 2006-12-23 15:02:36

Re: PGP signing - where to start?

#4 2006-12-23 22:46:46

Re: PGP signing - where to start?

#5 2006-12-23 23:50:37

Re: PGP signing - where to start?

#6 2006-12-24 00:58:57

Re: PGP signing - where to start?

#7 2006-12-24 11:13:54

Re: PGP signing - where to start?

Board footer