GNU Privacy Guard

If you have received email from me, chances are it was accompanied by an attachment named "signature.asc". This attachment contains a digital signature created by the GNU Privacy Guard.

The GNU Privacy Guard (GPG) is a software suite implementing public-key encryption and verification services. The official GPG Website has an excellent introduction to what this means, along with a great deal of technical matter. I will try to give a brief overview here.

If you are already familiar with GPG, please skip directly to the section containing my GPG details.

What does it do?

GPG (and other software which operates in the same way) provides a means to perform the following basic functions:
  • Encrypt messages between two parties without the need to agree on external data such as a password.
  • Verify that a message was sent by the person who claims to have sent it.

How does it work?

In a public-key system such as that implemented by GPG, each person has a special file they keep on their computer known as their "private key". This file is password-protected and should not be accessible to or known to anyone but the person who owns it. Each private key has associated with it a "public key", which can be distributed to anyone with whom the key's owner wants to communicate. In reality, the pair of keys are two very large numbers which are related in a special way.

I will demonstrate the communication process using my friend Josh as an example, as he uses similar software from time to time.

Encrypting a Message

To send an encrypted message (such as an email) to Josh, I need to obtain his public key. I apply a transformation to the message which is based upon his public key, and send it out using normal email. The transformation is constructed in such a way that it can only be reversed using Josh's private key. Since he is the only person who has access to this key, he is the only person who will be able to read the message.

Verifying a Message

Alternately, suppose I am simply sending Josh a normal email. How can he tell that it did in fact come from me? Or that the message he receives is the same as the one I originally sent? I use a mathematical calculation to produce what is known as a "digest" of the message - basically, a large number calculated based on the message contents. I then use my private key to "sign" the digest, and send it along with the message.

The signature is constructed in such a way that it is not possible to duplicate it without knowing my private key. However, my public key can be used to verify that the signature was made by the corresponding private key. To check that everything is OK with the message, Josh first used my public key to do precisely this and now knows that the message came from me. The second step is to compute the digest of the message he received and compare it to the one I sent. If the two differ, the message has somehow been changed in transit.

Why do I use it?

None of the email that I send is really worth bothering to encrypt. However, in my ideal world signing a digital message would be as common as signing a physical message - it would be considered very bad form not to do so. I am attempting to make this ideal into a reality.

From a practical standpoint, my use of GPG allows you to have a greater degree of confidence in my communications with you. I am often sending out instructions/advice for people to try on their computers, sometimes even sending out pieces of software. By signing each email, the recipients can verify that that everything is legitimate and if something goes wrong can feel quite justified in blaming me.

My GPG Details

  • GPG Public Key
  • Key Fingerprint: 1410F2EA607E98F7661C57967C8E52EB8B8FE74A

The GPG handbook states that whenever you receive a new public key, you should take steps to verify its authenticity with the owner. Do not underestimate the importance of this verification - the whole system of trust will break down if keys cannot be guaranteed to belong to the people that claim them. Please follow the recommendations - call me, or at the very least email me, and ask me to verify the authenticity of the key you have downloaded. I will be very happy to oblige.