this post was submitted on 26 Jul 2023
33 points (100.0% liked)

Ask Science

8691 readers
51 users here now

Ask a science question, get a science answer.


Community Rules


Rule 1: Be respectful and inclusive.Treat others with respect, and maintain a positive atmosphere.


Rule 2: No harassment, hate speech, bigotry, or trolling.Avoid any form of harassment, hate speech, bigotry, or offensive behavior.


Rule 3: Engage in constructive discussions.Contribute to meaningful and constructive discussions that enhance scientific understanding.


Rule 4: No AI-generated answers.Strictly prohibit the use of AI-generated answers. Providing answers generated by AI systems is not allowed and may result in a ban.


Rule 5: Follow guidelines and moderators' instructions.Adhere to community guidelines and comply with instructions given by moderators.


Rule 6: Use appropriate language and tone.Communicate using suitable language and maintain a professional and respectful tone.


Rule 7: Report violations.Report any violations of the community rules to the moderators for appropriate action.


Rule 8: Foster a continuous learning environment.Encourage a continuous learning environment where members can share knowledge and engage in scientific discussions.


Rule 9: Source required for answers.Provide credible sources for answers. Failure to include a source may result in the removal of the answer to ensure information reliability.


By adhering to these rules, we create a welcoming and informative environment where science-related questions receive accurate and credible answers. Thank you for your cooperation in making the Ask Science community a valuable resource for scientific knowledge.

We retain the discretion to modify the rules as we deem necessary.


founded 1 year ago
MODERATORS
 

I saw that people on the dark web would sign their posts with a PGP key to prove that their account has not been compromised. I think I understand the concept of how private and public keys work but I must be missing something because I don't see how it proves anything.

I created a key and ran gpg --export --armor fizz@... and I ran that twice and both blocks were identical. If I posted my public key block couldn't someone copy and paste that under their message and claim to be me?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 1 year ago (15 children)

Isn't that for when you want to send a message to someone so only the recipient can read it?

If I understand correctly, OP is asking about signatures to prove the posted content comes from a specific source.

Anyway, thanks for the review!

[–] [email protected] 2 points 1 year ago (14 children)

In a digital signature system, a sender can use a private key together with a message to create a signature. Anyone with the corresponding public key can verify whether the signature matches the message, but a forger who does not know the private key cannot find any message/signature pair that will pass verification with the public key

https://en.m.wikipedia.org/wiki/Public-key_cryptography

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (13 children)

Sorry, but I still think I'm saying the same thing as in that paragraph:

[from your link] a sender can use a private key together with a message to create a signature

  • [from my post] the same content published in clear text encrypted with the[ir] private key

[from your link] Anyone with the corresponding public key can verify

  • [from my post] anyone can decrypt it with the author's public key
[–] sotolf 3 points 1 year ago (1 children)

Look at the words you used, encryption is not the same as a signature, with a signature you can prove that a person with access to the private key wrote the message.

What you're talking about in your message is encryption, and you have it the wrong way around, messages gets encrypted with the public key, and can only be read with the private key.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

We may be getting somewhere...

what they post is not a PGP key, but the same content published in clear text ~~encrypted~~ with their private key.

So they are not excrypting it, but do we agree that with signatures the author uses their private key + the clear message to generate "something"?

That way anyone can ~~decrypt~~ it with the author's public key to check it has been ~~encrypted~~ with the private one (that only one person should have).

... so then anyone can use the author's public key to check that "something" against the clear mesage to confirm the author's identity?

If that's the case, then my error is that the operation to generate the signature is not an encryption. So, may I ask... what is it? A special type of hash?

Thanks again. I will edit my original comment with the corrections once I understand it correctly.

[–] sotolf 3 points 1 year ago (1 children)

So they are not excrypting it, but do we agree that with signatures the author uses their private key + the clear message to generate "something"?

Yeah sure, and I think the person you are arguing with is saying as much as well, it's just that this is not encrypting it, when you encrypt something you obfuscate it in a way that is possible to deobfuscate, think the caesar cipher as a simple encryption, a hash/signature on the other hand is something that is generated from the clear text using your private key, which is not possible to decrypt, think very simplified that the person would just put the amount of each letter of the alphabet used in in the text, then add the length of the thread, and then multiplied by your private key. This way it's proven that the holder of the private key is the person writing the text, and that the text hasn't changed since the signature was generated.

... so then anyone can use the author's public key to check that "something" against the clear mesage to confirm the author's identity?

They can confirm that the person holding the private key (not identity, just that they have the key) and also that nobody changed it since they signed it (like the person adminning the forum or a moderator or something)

If that's the case, then my error is that the operation to generate the signature is not an encryption. So, may I ask... what is it? A special type of hash?

It's basically a hashing function yeah.

[–] [email protected] 2 points 1 year ago

Thanks, now it's clear.

I corrected my original comment.

load more comments (11 replies)
load more comments (11 replies)
load more comments (11 replies)