Our encryption technologies not only provide a secure channel of communication, but they can also prove that the data we’re receiving has not been changed between endpoints. In this video, you’ll learn about non-repudiation and how digital signatures can ensure the integrity and authenticity of our data.
<< Previous Video: Transport EncryptionNext: Hashing >>
When we talk about non-repudiation we mean that information that we may have received can be absolutely attributed to somebody. There’s no way that they can take it back. They absolutely said what it is that we have in this message right here.
When we talk about encryption, we talk about cryptography, we even add a different perspective to that. We add on a proof of integrity. We know the information that we received is intact. And we know that we can be assured that that information, when we received it, really came from the source. We can be absolutely authenticated with the person that sent this data.
And that may be difficult to do when we’re talking about networks. We may not be able to see someone. We may not be able to talk to anybody. But by using these cryptographic techniques we can be assured that the package that we received really did come from the person that we think sent it.
We use digital signatures, in cryptography, to be able to check for non-repudiation. What we’re doing is we’re signing– we’re digitally signing– a file. Or we’re digitally signing a message. Just like you would sign a message at the bottom of a letter to prove that you’re the one that wrote it, you are digitally signing a message at the bottom of your email, for instance.
And your email doesn’t have to be encrypted. Your file does not have to be encrypted. In fact, you usually want to send your email in a non-encrypted form in some cases. All you’re doing is putting a little bit of a digital signature at the bottom that people can verify that this message really came from you, and it was not changed between the time you wrote it and the time that I received it.
You’re usually signing it with your private key then. Take your private key, sign the file or sign the message, and apply your signature that it outputs for you right there at the bottom of that message. The people who receive your message will use your public key, because obviously they don’t have access, and you don’t want them to have access to the private key. They’re going to use your public key to verify that you’re the one that signed it.
And that’s the beauty of asymmetric encryption is that we’re able to use our private key to do things privately on our side. And people can use our public key to be able to prove that this is really what we sent to them. And this allows us also validate signatures from other people. As long as I have everybody’s public key, which is out there and available probably on a server or on their website, I should then be able to qualify and make sure that what I’m receiving absolutely came from them.
Let’s try this out with some files on the internet, and see how this might work. Let’s take an example of downloading a file that someone has signed for us. And we want to be sure that if we’re downloading a file, and we’ve received a file, that it really did come from that person.
So here’s an example one called the Enigmail Project. This is a plug-in that you can get to Mozilla applications, like Thunderbird, that will integrate the encryption methodologies that come from PGP or GPG. We’ll talk more about those in another video.
But I’ve downloaded these files. I’ve downloaded both the file itself, that I’m going to use to install the program, and I’ve also downloaded a separate file that the people that originated this created, that contains the digital signature of that file. So you should be able to see there’s a digital signature that I’ve downloaded. And you should see some output that says that it’s a good signature. And that means that the file that we received is the file that they signed to put on the web server.
So let’s try that out. Here I am in my window to be able to look at my terminal screen. I’m going to show you the files I’ve downloaded. Here’s Enigmail. This is the XPI. This is the file that would be installed.
And this is the signature that they created. So they took their private key, they said, private key, go sign this file. And it created this file right here. In fact, let’s look at that. We’ll look at the Enigmail 1.2-TB.
And here is the PGP signature. And here is the signature itself, right here– all this weird looking text going back and forth over it. And that’s the end of the signature.
It’s not very complex. That’s the signature they just put at the bottom that said, my name is this, and I’m signing it at the bottom, and nobody else can prove that it came from me except me, because I put my signature on it.
So let’s really see if the signature matches. We want to be sure the file we downloaded really did come from them. So I’m going to run my GPG program with a verify requirement.
I’m going to specify the signature they sent us, and say does this signature really– is it really signed? Is this file really signed with this signature of this person? And it’s going to go out and see that the signature was made at this date and time, using this particular key ID.
It is a good signature from Patrick at masdev.org. It’s key is not certify with a trusted signature. I’ve not had this key signed to prove that this really is this person. That’s a very important part about this asymmetric encryption I just did, is it is a web of trust.
I would also have to be sure that the public key that I received really did come from Patrick. And so usually there’s a method that we set up, we call them on the phone, we ask for their signature. We get a friend of theirs to prove that the signature public key that they have really is the public key from Patrick. There are number of different ways to do this.
But in this case, let’s just assume that Patrick’s key really is the one I have. And it really is obviously the one that signed this because I have a good signature for this file. And now I can feel very good about using this particular program because I know it came straight from Patrick. He signed it, and nobody’s changed anything with that file anywhere in between.