this post was submitted on 26 Jul 2023
33 points (100.0% liked)


I saw that people on the dark web would sign their posts with a PGP key to prove that their account has not been compromised. I think I understand the concept of how private and public keys work but I must be missing something because I don't see how it proves anything.

I created a key and ran gpg --export --armor fizz@... and I ran that twice and both blocks were identical. If I posted my public key block couldn't someone copy and paste that under their message and claim to be me?

[–] [email protected] 2 points 1 year ago (2 children)

Funny story: you didn’t change the wrong info. The sad part is that you’re spreading misinformation and unwilling to hear otherwise. This is more dangerous than helpful.

[–] [email protected] 1 points 1 year ago (1 children)

How is Crul wrong in anything other than the terminology? You sign a document with your private key - generating basically a hash of the document entangled with your key information. Anyone holding the public key can then verify that hash with the public key - that the document contents are intact and unchanged (from the hash), and generated by the person holding the private key (entangled key information)

[–] [email protected] 1 points 1 year ago (1 children)

Thanks for mediating!

What I'm getting from this discussion is that, when signing, the operations are not encryption and decryption, but ... hashing and hash-verifying?

[–] [email protected] 2 points 1 year ago (1 children)

To help you with the terminology, the names for the two operations are "signing" and "verifying". That's it.

What can you do with...

| | public key | private key |
|---|---|---|
| Encryption: | encrypt | decrypt |
| Signature: | verify | sign |

"Signing" is not at all the same as "encrypting" with the keys swapped. It is a separate specific sequence of mathematical operations you perform to combine two numbers (the private key and the message) to produce a third - the signature. Signing is not called "hashing". A hash may be involved as part of the signature process, but it is not strictly necessary. It makes the "message" number smaller, but the algorithm can sign the full message without hashing it first; it will just require computation for a longer time. "Hash-verifying" isn't a thing in this context, you made that name up, just use "verify".

@dohpaz42 is mad because you messed up your terminology originally, and thought you were trying to say that you "encrypt" a message with the private key, which is totally backwards and wrong. He didn't know that in your mind you thought you were talking about "signing" the message. Because honestly no one could have known that.
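
The "sign" and "verify" operations named in the comment above, applied to the original question, as an added example that is not part of the thread. It uses textbook RSA with a constructed toy key (no padding, far too small for real use, and not GnuPG's own code), and the names digest, sign, verify and demo are hypothetical. It shows that a copied public key or a copied signature does not verify on a message the key holder never signed.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes (assumption for the
# example). Unpadded and far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)    # safe to publish; the same block on every export
PRIVATE_KEY = (N, D)   # never leaves the signer


def digest(message: bytes, n: int) -> int:
    """Hash the message and map it to a number below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Combine the private key and the message into a signature."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Check a signature using only the public key."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def demo() -> dict:
    post = b"Constructed post: meet at the usual place."
    sig = sign(post, PRIVATE_KEY)
    # Someone copying the public key block and an old signature under a
    # different message: the signature is bound to the original message.
    other_post = b"Constructed post: send funds to a new address."
    # Someone signing with their own constructed key: the result does not
    # verify against the published public key.
    imp_n = (2**61 - 1) * (2**127 - 1)
    imp_d = pow(E, -1, (2**61 - 2) * (2**127 - 2))
    imp_sig = sign(other_post, (imp_n, imp_d))
    return {
        "genuine": verify(post, sig, PUBLIC_KEY),
        "copied_signature": verify(other_post, sig, PUBLIC_KEY),
        "impostor_key": verify(other_post, imp_sig, PUBLIC_KEY),
        "signature_differs_per_message": sig != sign(other_post, PRIVATE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```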

[–] [email protected] 2 points 1 year ago (1 children)
[–] [email protected] 0 points 1 year ago

Sorry, I'm very confused. Both of us seem very confident in our positions, so clearly one of us is c/confidentlyincorrect...

I will wait until a third party helps us identify who is wrong and I will be very happy to correct any mistake if that's the case.