Here's a pretty rough synopsis. Check this for a better intro with some simple background in cryptography: http://www.pgpi.org/doc/pgpintro/
The steps are not entirely easy (which is why I want to practice them).
- Get an implementation of PGP. GPG4Win works on Windows, while a more secure approach is to make a dedicated Tails USB key and boot into the Tails OS whenever you want to use PGP.
- Generate a public key and a private key, and a public key fingerprint
- Send the public key to a friend
- Call that friend and read them the public key fingerprint
- That friend verifies the public key using the fingerprint and their own copy of PGP
This lets you do two things:
- Your friend can now use your public key to encrypt messages that they send to you. Only your private key can decrypt these messages
- You can now use your private key to "sign" messages to your friend. They can use your public key to verify that the message comes from you.
If you also get your friend's public key, you can do more advanced things:
- Your friend can send you a message that is encrypted with your public key and /also/ signed with their private key. You can use your private key to decrypt the message, then use their public key to verify that the message really came from them.
- You can sign a message for your friend using your private key, and then encrypt it with their public key. That way they can receive it and verify it came from you, without anyone else being able to read the contents.
Finally, if you have a second friend and you've exchanged keys with them, you can sign each other's keys to establish mutual trustworthiness:
- If you want to prove to your new friend that your first friend is trustworthy, you can send the new friend a copy of your first friend's public key, encrypted with your new friend's public key (so only they can read it), and also signed with your private key to provide proof of your endorsement.
- Your first friend can vouch for you to the new friend, by signing a copy of your public key using /their/ private key, and sending it to the new friend as a proof of personal endorsement.
- Finally, if you /really/ trust your first friend, and want him to be able to prove that to a new friend on their own, you send your first friend a copy of their /own/ public key, but also sign it with your private key. This way they can share a signed copy of their public key with anyone that already has a copy of your public key, to prove that you trust them.
Using encryption and signatures, you and your network of friends can create a network of mutually signed keys to create a trusted communications network that outsiders cannot access. This is called building a "Web of Trust". However, you do not need to mutually sign keys for PGP to be useful - it's also useful for talking in a secure manner with relatively untrusted sources - in that case you don't sign their public keys, but use the encryption feature to protect from snooping.
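The whole procedure above (generate a keypair, compare a fingerprint, encrypt to a public key, sign with a private key, sign-then-encrypt, and vouch for a friend's key) as one runnable model, written in Go against the standard library. This is an added example, not code from the original post or from any PGP implementation: the `Identity` and `PublicKey` types, the SHA-256 fingerprint, and the direct RSA-OAEP encryption are simplifications chosen for this illustration and are not OpenPGP's key or message formats (real PGP encrypts a random session key with the public key and the message body with a symmetric cipher).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity models one person's PGP keypair (hypothetical layout, not OpenPGP's
// format): an RSA key used for encryption and an Ed25519 key used for signing.
type Identity struct {
	Name    string
	encPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
}

// PublicKey is the half you send to a friend.
type PublicKey struct {
	Name   string
	EncPub *rsa.PublicKey
	SigPub ed25519.PublicKey
}

// NewIdentity generates a fresh private/public keypair.
func NewIdentity(name string) (*Identity, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	return &Identity{Name: name, encPriv: encPriv, sigPriv: sigPriv}, err
}

// Public returns the shareable half of the identity.
func (id *Identity) Public() PublicKey {
	return PublicKey{Name: id.Name, EncPub: &id.encPriv.PublicKey,
		SigPub: id.sigPriv.Public().(ed25519.PublicKey)}
}

// Fingerprint hashes the public key material: this is the value you read
// aloud over the phone, and what the friend compares against their copy.
func (pk PublicKey) Fingerprint() string {
	h := sha256.New()
	h.Write(pk.SigPub)
	h.Write(x509.MarshalPKCS1PublicKey(pk.EncPub))
	return hex.EncodeToString(h.Sum(nil))
}

// Encrypt seals msg so that only the holder of pk's private key can read it.
func Encrypt(pk PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pk.EncPub, msg, nil)
}

// Decrypt opens a message that was sealed to this identity's public key.
func (id *Identity) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, id.encPriv, ct, nil)
}

// Sign produces a signature with the private key; Verify checks it with the
// matching PUBLIC key, which is all the recipient holds.
func (id *Identity) Sign(msg []byte) []byte { return ed25519.Sign(id.sigPriv, msg) }
func Verify(sender PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(sender.SigPub, msg, sig)
}

// SignThenEncrypt: sign with my private key, then encrypt to the recipient's
// public key, so only they can read it and they can tell it came from me.
func (id *Identity) SignThenEncrypt(to PublicKey, msg []byte) ([]byte, error) {
	return Encrypt(to, append(append([]byte{}, msg...), id.Sign(msg)...))
}

// DecryptThenVerify reverses SignThenEncrypt; ok is false when the signature
// does not check out against the claimed sender's public key.
func (id *Identity) DecryptThenVerify(from PublicKey, ct []byte) (msg []byte, ok bool, err error) {
	pt, err := id.Decrypt(ct)
	if err != nil {
		return nil, false, err
	}
	if len(pt) < ed25519.SignatureSize {
		return nil, false, errors.New("payload too short to carry a signature")
	}
	n := len(pt) - ed25519.SignatureSize
	return pt[:n], Verify(from, pt[:n], pt[n:]), nil
}

// CertifyKey is the "sign your friend's public key" step of the web of trust:
// the endorser signs the friend's fingerprint with their own private key.
func (id *Identity) CertifyKey(friend PublicKey) []byte {
	return id.Sign([]byte(friend.Fingerprint()))
}

// CheckCertification lets a third party confirm that endorser vouched for key,
// using nothing but the endorser's public key (which they already trust).
func CheckCertification(endorser, key PublicKey, cert []byte) bool {
	return Verify(endorser, []byte(key.Fingerprint()), cert)
}

func main() {
	alice, _ := NewIdentity("alice")
	bob, _ := NewIdentity("bob")
	fmt.Println("alice's fingerprint:", alice.Public().Fingerprint())
	ct, _ := bob.SignThenEncrypt(alice.Public(), []byte("meet at noon")) // constructed sample message
	msg, ok, _ := alice.DecryptThenVerify(bob.Public(), ct)
	fmt.Printf("bob -> alice: %q (signature ok: %v)\n", msg, ok)
	// Alice vouches for Bob's key; anyone holding Alice's public key can check it.
	cert := alice.CertifyKey(bob.Public())
	fmt.Println("endorsement of bob by alice checks out:", CheckCertification(alice.Public(), bob.Public(), cert))
}
```

Two points the code makes concrete: verification and checking an endorsement use only the endorser's public key, never their private key, and decrypting with the wrong private key fails outright rather than yielding readable text. Because RSA-OAEP is used directly, messages here must stay short (well under the 2048-bit modulus); a real PGP message has no such limit because only the session key is RSA-encrypted.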