Digital Signatures and Uses on AU Campus

By: Scott McDaniel [scott (at) eng.auburn.edu]
For: Auburn University Engineering Network Services [admin (at) eng.auburn.edu]
Date: December 5, 2001
Revised: September 18, 2002
 

 
Introduction
     The largest attraction of the internet is the ability to quickly and effortlessly exchange messages and files between family, friends, and co-workers. Unfortunately, many of these files can be intercepted and/or altered during transportation. Files not sent over an encrypted channel, or unencrypted files sent across a public channel, are the main target of attack. Since encrypted channels can be costly, difficult to maintain, or simply unavailable, there is a need to "tamper check" files after transportation. In addition, there is also a need to verify the sender. If one can verify that the appropriate person sent the file and that the file was unaltered during transportation, then one can assume that the file is legitimate and that it came from the expected sender. To meet this need, digital signatures were developed. Digital signatures allow people to verify the sender, verify that the message was not altered during transportation, and also provide a means to encrypt/compress files for transportation. This document provides definitions for key terms, explains how digital signatures work, and then provides some quick examples using digital signatures (PGP).

What is a Digital Signature?
     A digital signature is an electronic signature that can be used to authenticate the identity of a message's sender or the signer of a document. Much like your hand signature certifies that you wrote a check, a digital signature certifies that the document came from you. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact.

How Do Digital Signatures Work?
     Digital signatures are based on using "keys" to "lock" and "unlock" documents. The best way to see how the process works is through an example. Say John wants to send mortgage loan information to Sally across the internet. This document should only be seen by John and Sally because the interest rates are unique to John and Sally only. They have previously agreed that a digitally signed file would be sufficient. The process continues as follows:

  1. Prior to sending any files, John creates a "public" and "private" key using digital signature software.
    • John then saves his private and public keys in a safe location. These keys will be re-used over and over again.
    • Safe locations include a special "read-only by owner" folder on the hard drive or a floppy disk.
    • NOTE: using a floppy disk in public locations is extremely dangerous. The possibility of losing or forgetting your disk is extremely high. Therefore, extreme caution should be used before using this approach. If one does put their keys on a floppy disk, the disk should be switched to read-only.
  2. John sends Sally his "public" key. At this point Sally adds John's public key to her list of known and trusted keys.
  3. John uses his digital signature software to "sign" the document with his private key.
  4. John sends Sally the "digitally signed" document.
  5. Sally receives the signed document and then "de-signs" (verifies) the document using John's public key. If the signature on the document checks out against John's public key, then Sally is assured the document came from John.
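
Steps 1 through 5 above, carried out with GnuPG (`gpg`), a free OpenPGP implementation. This is an added example, not part of the original document; the names, e-mail address, file names and loan text are constructed, and John and Sally each get a throwaway keyring directory.

```shell
# Added example: John and Sally use separate throwaway keyrings so the
# public-key hand-off in step 2 is explicit. All sample data is constructed.
run_signature_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 127; }
    work=$(mktemp -d) || return 2
    john="$work/john"; sally="$work/sally"
    mkdir -m 700 "$john" "$sally" || return 2
    doc="$work/loan.txt"; sig="$doc.asc"
    printf 'Mortgage offer: 6.5%% fixed, 30 years\n' > "$doc"

    # Step 1: John creates his key pair. The empty passphrase is for this
    # unattended demo only; a real private key needs a passphrase.
    gpg --homedir "$john" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key 'John Demo <john@example.org>' \
        default default never 2>/dev/null || return 2

    # Step 2: John exports his public key and Sally imports it. In practice
    # Sally confirms the fingerprint with John over a separate channel first.
    gpg --homedir "$john" --armor --export john@example.org > "$work/john.asc"
    gpg --homedir "$sally" --batch --quiet --import "$work/john.asc" \
        2>/dev/null || return 2

    # Step 3: John signs with his private key (detached, ASCII-armored).
    gpg --homedir "$john" --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$sig" "$doc" 2>/dev/null || return 2

    # Steps 4-5: Sally receives loan.txt and loan.txt.asc and verifies them
    # against John's public key; gpg exits 0 only for a good signature.
    if gpg --homedir "$sally" --batch --verify "$sig" "$doc" 2>/dev/null
    then original=good; else original=bad; fi

    # Failure case: one character changed in transit must break verification.
    sed 's/6\.5/9.5/' "$doc" > "$work/tampered.txt"
    if gpg --homedir "$sally" --batch --verify "$sig" "$work/tampered.txt" 2>/dev/null
    then tampered=good; else tampered=bad; fi

    # Stop the background agent started for John's keyring, then clean up.
    gpgconf --homedir "$john" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    echo "original=$original tampered=$tampered"
    [ "$original" = good ] && [ "$tampered" = bad ]
}
# Usage: source this file, then run: run_signature_demo
```

A good signature from a key Sally has imported but not yet marked as trusted still verifies, with a warning on stderr; the signature proves which key signed, and the fingerprint check in step 2 is what ties that key to John.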

Where to Use Digital Signatures?
     Initially, the idea of using digital signatures on every email, document, file, etc. seems like a good idea. The mere fact that you can guarantee the information came from you on every message is very promising. In reality, digital signatures should be used more intelligently. The main problem with signing every document is dealing with the public keys. For example, a simple email to your roommate asking him to purchase milk does not require a digital signature. To verify that your roommate has your public key and then email him about milk is an added, unnecessary step and is too time consuming. On the other hand, exchanging bank statements online should definitely have a digital signature. It is well worth the added time to verify keys prior to online document exchanges because then you can ensure the documents are really coming from the bank/customer. As these two examples show, there is a point of diminishing returns with digital signatures. With the bank, we get great returns because we now can trust the information flowing between the bank and customer. On the other hand, we really don't gain much (given the time spent dealing with the signatures) just to tell our roommate to buy milk. Thus, managing the keys is easier when you aren't trying to send every message with a digital signature.

What is PGP?
     PGP stands for "Pretty Good Privacy". Originally created by Phil Zimmermann in 1991, it is a program that allows you to encrypt and/or digitally sign your emails, documents, and files. When the message is encrypted, the message looks like a bunch of random garbage to everyone. The receiver then has to decrypt the message in order to read it. Thus, you can add extra security by both encrypting and digitally signing the document--a very nice feature of PGP. PGP also generates your private and public keys, helps you manage your trusted public keys, applies digital signatures to files, email, etc., and will decrypt incoming email, files, etc.
     PGP is the desired method for applying digital signatures at Auburn University. The software is free, has been around for many years (since 1991), and there are clients for Windows, Mac, and all flavors of Unix.

Where to get PGP?
     There are both commercial and free versions of PGP available. The free versions can be found at: http://www.pgpI.org/products/pgp/versions/freeware/. The commercial versions can be found at: http://www.pgp.com

Where Do I Get More Information/Support Using PGP?
     The main location for finding more information about PGP is at the "international PGP site" at http://www.pgpI.org. Another good option is to search for "PGP" at google.com.

Conclusion
     Digital signatures can be extremely useful when used appropriately. Once you have acquired a PGP software application, the act of digitally signing emails and files is easy. The only true "hassle" is managing the public keys and ensuring your correspondents have your appropriate public key. In the end, you can gain reassurance that the messages were sent from the expected sender and the file was unaltered during transportation.