Why sign pubkey?

Rollo Silver rollo at artvark.com
Sun Apr 7 20:19:36 PDT 1996 

                   Why You Should Sign Your PGP Public Key
                    Francis Litterio (franl at world.std.com)

If you generate a public/private key-pair and distribute the public key
without any signatures on it, you are open to a denial of service attack.
Here's how the attack works. I take your unsigned public key, and (using a
suitably powerful editor, such as Emacs) I edit the userid string so that it
still has your name but my email address on it. Then I distribute this fake
key widely. Anyone who uses the fake key to encrypt email to you will send
the email to me instead (if she uses the email address in the key). Of
course, I won't be able to decrypt the email I receive, because it was
encrypted with your public key, but I have denied you the option of
decrypting it. You might never know the message was even sent.

If you have at least one signature on your public key, PGP detects the
tampering of the userid string and alerts the person who is sending you
encrypted email. This is possible because of the nature of a digital
signature. A digital signature is the output of a cryptographically secure
hash function taking as input your RSA public key and your userid string
(among other things). That hash output value is encrypted with the private
key of the signer. If you have a valid public key from the signer and if you
trust the signer to sign other people's keys, then PGP allows you to infer a
certain degree of trust that the signed key belongs to the person named in
the key's userid field.

A cryptographically secure hash function is an irreversable hash function
for which it is computationally infeasible to find an input message that
hashes to a given output value. A task is computationally infeasible if the
sun will have burned out before even the most powerful computer could finish
the task. This prevents people from forging digital signatures.

                       -------------------------------

                       How to Sign Your PGP Public Key

You should sign your PGP public key immediately after generating your
public/private key-pair. To sign your own public key, type this:

     pgp -ks <userid>

where <userid> is the userid attached to your just-generated public key. If
you have more than one userid on your public key, then you should sign each
one individually.

                       -------------------------------

                      Misconceptions About Signed Keys

A widespread misconception about self-signed public keys (i.e., keys that
have been signed by their corresponding private keys) is that a self-signed
key is somehow more valid than a key that is not self-signed. A self-signed
key is no more valid than a key with no signatures at all. Why? Suppose you
have a public key with this userid string:

     John Q. Public <jqp at somewhere.com>

Here's my denial of service attack. I use PGP to generate a new
public/private key-pair with the same userid string as your public key but
having different RSA public key bits. I self-sign that public key with its
private half. I distribute that public key widely. Someone thinks it's yours
based on the userid string. She makes the mistake of concluding that it is
your key because it is self-signed. This is the mistake of inferring
validity merely from the presence of a self-signature. She uses it to
encrypt email to you, but you will not be able to decrypt that mail.

This is a different kind of denial of service attack than the one described
earlier (see Why You Should Sign Your PGP Public Key above). The only
defense against this attack (that I can think of) is to be ever-vigilent for
public keys that have your userid string but a different key-id and
key-fingerprint.

The key-id is the 32 least-significant bits of your RSA modulus, which is
one of the two numbers that make up your RSA public key. The other number is
the RSA public exponent (see the mathematical guts of RSA encryption for
more details).

The key fingerprint is a cryptographically secure hash of the RSA modulus
and RSA public exponent, which together make up your public key. The
cryptographically secure hash function is Ron Rivest's MD5, which outputs a
128-bit (16-byte) number, which depends in no discernable way on every bit
in its input. It is much easier for two people to compare a 16-byte
hexadecimal value over the phone that it is for them to compare the many
hundreds or thousands of bits that compose the modulus and public exponent.
If an RSA public key were tampered with in transmission from one person to
another, comparing the fingerprints (via a tamperproof communication
channel) would certainly reveal the tampering.

The moral of this story is that you should regularly verify that the
fingerprints of distributed copies of your PGP public keys (such as those in
the PGP keyserver databases) match the fingerprints of your copies of those
keys.


                                         Rollo

More information about the cypherpunks-legacy mailing list