- The GNU PGP implementation (GnuPG, the gpg command) has been around for over a decade
- it uses PKI (public-key cryptography)
- keys are retrieved via public key-servers
- a file signed with a key can be digitally verified for tampering or corruption
- it also validates that the author is actually who they claim to be
Typically the author of the file makes the signature publicly available. So by downloading the signature, we can validate the actual data file that was signed.
When using gpg, if the key is not on your keyring, gpg is smart enough to retrieve the key listed in the signature file from a key-server (in current versions this automatic fetch has to be enabled with the auto-key-retrieve keyserver option). You can watch this action if you use the "-v" verbose switch.
Note: if you are on a restricted network or behind a firewall, the key-server port may be blocked.
To verify a PGP signature you need the following:
1: the data to be verified
2: the signature file
3: the public key of the author of the data file
If any of the three is missing, you can't continue. If any one of the three was tampered with, your verification will fail!
Here's an example of a verification process against a Linux kernel source file, filename = linux-2.2.0.tar
Note: if the file is compressed and ends with either a .gz or .bz2 extension, you need to uncompress the data before the verification. Linux kernel sources are always signed before compression, by the way, and I don't think that will ever change.
Note: once the key has been imported, any following verifications will use the locally cached key. If you want to delete the key, use the command gpg --delete-keys <key id>
So now you see just how easy it is to verify a signature using gpg. It's so simple that even a caveman or monkey could do it.
Now I will modify the signature to show you how any corruption or tampering invalidates the verification. I used the Unix vi command to change one character within the PGP signature file, and will now attempt a new verification.
So with PKI we have fail-safes: if either 1) the data file or 2) the signature has been tampered with, the verification process fails. Even if we re-import the key and start fresh from the top, the verification will still fail.
(The modified PGP signature used for this last sample, with the "I" on the 1st line changed to uppercase.)
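The whole procedure above (the three ingredients: data, detached signature, author's public key) and the tampering demonstration, as an added self-contained shell example that is not part of the original post. It builds a throw-away "author" keyring, signs a constructed stand-in for linux-2.2.0.tar, exports the public key, and then plays the verifier: verification fails with an empty keyring (no public key), succeeds after the key is imported, and fails again once one byte of the data or one character of the armored signature is changed. The signer identity, file names and directory layout are constructed for the demo; it needs a gpg 2.1+ binary and skips cleanly if none is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Requires gpg >= 2.1.
set -e
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; exit 0; }

WORK="$(mktemp -d)"                       # scratch area, removed on exit
trap 'for d in "$WORK"/*/; do GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# Create a fresh, private keyring directory and print its path
# (so we never touch the real ~/.gnupg).
fresh_keyring() {
    d="$WORK/keyring.$1"
    mkdir -m 700 "$d"
    echo "$d"
}

# verify_detached KEYRING DATA SIG
# Prints "ok" and returns 0 on a good signature; "bad" and returns 1
# for a bad signature, a missing public key, or an unparsable signature.
verify_detached() {
    if GNUPGHOME="$1" gpg --batch --quiet --verify "$3" "$2" 2>/dev/null; then
        echo ok
    else
        echo bad
        return 1
    fi
}

# --- author side: key, data, detached signature, exported public key ---
AUTHOR="$(fresh_keyring author)"
GNUPGHOME="$AUTHOR" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never

printf 'constructed kernel tarball contents\n' > "$WORK/linux-2.2.0.tar"   # constructed data
GNUPGHOME="$AUTHOR" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/linux-2.2.0.tar.sign" "$WORK/linux-2.2.0.tar"
GNUPGHOME="$AUTHOR" gpg --batch --quiet --armor --export demo@example.invalid \
    > "$WORK/author.pub.asc"

# --- verifier side ---
VERIFIER="$(fresh_keyring verifier)"

# Ingredient 3 missing: empty keyring, so gpg cannot check the signature
verify_detached "$VERIFIER" "$WORK/linux-2.2.0.tar" "$WORK/linux-2.2.0.tar.sign" || true   # bad

# Import the author's public key (what a key-server fetch would do), then verify
GNUPGHOME="$VERIFIER" gpg --batch --quiet --import "$WORK/author.pub.asc"
verify_detached "$VERIFIER" "$WORK/linux-2.2.0.tar" "$WORK/linux-2.2.0.tar.sign"          # ok

# Tampered data: first byte of the file replaced
{ printf 'X'; tail -c +2 "$WORK/linux-2.2.0.tar"; } > "$WORK/tampered.tar"
verify_detached "$VERIFIER" "$WORK/tampered.tar" "$WORK/linux-2.2.0.tar.sign" || true      # bad

# Tampered signature: one character changed on the first base64 line of the armor,
# the same kind of edit the post made with vi
awk '!done && /^[A-Za-z0-9+\/=]+$/ && length($0) > 20 {
         $0 = (substr($0, 1, 1) == "X" ? "Y" : "X") substr($0, 2); done = 1 }
     { print }' "$WORK/linux-2.2.0.tar.sign" > "$WORK/tampered.sign"
verify_detached "$VERIFIER" "$WORK/linux-2.2.0.tar" "$WORK/tampered.sign" || true         # bad
```

Run it as a plain script; it prints bad, ok, bad, bad in that order. Each keyring lives under its own GNUPGHOME, which is also the simplest way to reproduce the post's "re-import the key and start fresh" check without disturbing your real keyring.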
I hope this demonstration has been helpful. You can learn more about the GNU PGP implementation at the following link:
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
and about PGP in general here:
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com