
Topic: What is a PGP signature and why is it important? (Read 1207 times)

full member
Activity: 215
Merit: 101

When you create a PGP, you get 2 keys, one is public, the other is private. The private one you keep to yourself and don't share with anyone, the public one you let others know by uploading it to pgp servers.

And the way it is used in messages is if you want to send a message to someone that you want no one else to see, then you encrypt the message with that person's public key and only they can read it by decrypting the message with their private key and password. It's not a messenger, it's just a good way of encrypting the messages.

Isn't it that, aside from the public key and private key, there's also this passphrase that needs to be secured? Is it possible to sign and verify a PGP message without that passphrase?

It is possible to remove the passphrase from the private key, but this is not recommended. However, this is usually the case for automated setups where there is nobody to enter the passphrase. You could also store the passphrase in a configuration file, but from a security standpoint it does not make much difference compared to not using a passphrase at all.
hero member
Activity: 812
Merit: 1000

When you create a PGP, you get 2 keys, one is public, the other is private. The private one you keep to yourself and don't share with anyone, the public one you let others know by uploading it to pgp servers.

And the way it is used in messages is if you want to send a message to someone that you want no one else to see, then you encrypt the message with that person's public key and only they can read it by decrypting the message with their private key and password. It's not a messenger, it's just a good way of encrypting the messages.

Isn't it that, aside from the public key and private key, there's also this passphrase that needs to be secured? Is it possible to sign and verify a PGP message without that passphrase?

When you make a new keypair you'll be asked to make a password, and you'll be required to enter that password whenever you sign/decrypt anything. It's another safety measure should your private key get into the hands of someone else, so make it strong and long and make sure to remember it or write it down somewhere.

You only need PGP software to verify a message someone signed; you don't need the private key or password for that.
legendary
Activity: 1834
Merit: 1036

When you create a PGP, you get 2 keys, one is public, the other is private. The private one you keep to yourself and don't share with anyone, the public one you let others know by uploading it to pgp servers.

And the way it is used in messages is if you want to send a message to someone that you want no one else to see, then you encrypt the message with that person's public key and only they can read it by decrypting the message with their private key and password. It's not a messenger, it's just a good way of encrypting the messages.

Isn't it that, aside from the public key and private key, there's also this passphrase that needs to be secured? Is it possible to sign and verify a PGP message without that passphrase?
legendary
Activity: 2926
Merit: 1863
...

Good thread guys, thanks for starting this conversation re signing w/ GPG. 

I am a beginner as a couple of you above know.  I am still sending out test messages to encrypt and decrypt them.  "Practice makes perfect."

I don't foresee, in my case, the need for signatures w/ PGP/GPG now.  Later perhaps.

*   *   *

I did have to sign a message proving I owned a BTC address when resolving a mistake I made sending BTC to bitmixer.io (my mistake, I sent it to an older address of theirs).  After some back & forth they refunded my BTC.  This was a year or so ago.  The signature process w/ the BTC address was reasonably simple.

HTH...
sr. member
Activity: 392
Merit: 250
Bitcoin has something similar to PGP

in bitcoin you can sign a message using your
1Chris4GEoLLjdh4juFXGwY7snaazuxvKb
address..

that way people will know it's actually you sending a message, as they know you hold the private key to that bitcoin address..
so if ever your email or bitcointalk login got hacked and someone pretended to be you.. because they don't have the private key to your bitcoin address, they cannot sign a message from that address, and thus can't prove they are the real you.

A Bitcoin address is a public key. Signing is done using your private key.
hero member
Activity: 812
Merit: 1000

In the event a user sells his private PGP key, what will you do then? How will you differentiate between the real person and the impersonator? Digital identity is just not reliable; if you're dealing with a person on-line, either know him in person beforehand or have info on their whereabouts.


That's why I prefer to use bitcoin addresses.. because the address is funded I would be less willing to sell my private key to anyone. For instance, if it's an address I use to receive funds from multiple locations ongoing, I won't want a new person getting those newly acquired funds..

Whereas PGP keys have no real collateral backing them, and can be sold dirt cheap without worry of losing anything in the future.

So Bitcoin message signing has more benefits than PGP.


Yes, but the way things have turned out on this forum this past week, I won't be surprised if people sell their "not to be used anymore" private keys as well when they're selling their account; it'll just add more value to it.

I only use PGP as a safe way of communication, not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts, making them unreliable as a verification.

How do you use it to communicate with people? Is there some sort of messenger or do you mean you send it with a Bitcoin address? If I sign a message from a bitcoin address it's not encrypted I'm assuming (since people can go verify it on a website such as coinig).

When you create a PGP, you get 2 keys, one is public, the other is private. The private one you keep to yourself and don't share with anyone, the public one you let others know by uploading it to pgp servers.

And the way it is used in messages is if you want to send a message to someone that you want no one else to see, then you encrypt the message with that person's public key and only they can read it by decrypting the message with their private key and password. It's not a messenger, it's just a good way of encrypting the messages.
sr. member
Activity: 350
Merit: 251
Shit, did I leave the stove on?
Are there any mobile solutions for encrypting and decrypting PGP messages, or do you need to open a browser and paste the strings in? I was looking into that Telegram app the other day. Has anyone used it?
hero member
Activity: 728
Merit: 500
I only use PGP as a safe way of communication, not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts, making them unreliable as a verification.

How do you use it to communicate with people? Is there some sort of messenger or do you mean you send it with a Bitcoin address? If I sign a message from a bitcoin address it's not encrypted I'm assuming (since people can go verify it on a website such as coinig).
PGP can be used to encrypt messages. So you can encrypt the text of your message using PGP and then send that text through whatever way you like to another person who can decrypt that message again using PGP. You can also sign messages using PGP to verify that you actually sent that message.

A PGP message can be encrypted, decrypted, signed, and verified using a client like GPG.
legendary
Activity: 1382
Merit: 1122
I only use PGP as a safe way of communication, not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts, making them unreliable as a verification.

How do you use it to communicate with people? Is there some sort of messenger or do you mean you send it with a Bitcoin address? If I sign a message from a bitcoin address it's not encrypted I'm assuming (since people can go verify it on a website such as coinig).
hero member
Activity: 728
Merit: 500
Part of PGP is also building a Web of Trust. If you trust someone, you can sign their PGP key thus indicating to everyone (if the signature is posted publicly e.g. on a keyserver) that you trust this person. Generally people only sign PGP keys of people that they have actually met in person and verified their identity. The Web of Trust comes into play when you meet someone you don't know but see that someone you trust also trusts that person. Then you could assume that person is also trustworthy. It kind of works like the trust system here works (not DefaultTrust but rather your own trust list and trusting people that are trusted by people you trust).

You can also use PGP to encrypt things for secure messaging. This is actually what it was intended to do and the encryption that PGP uses now has not been broken yet.
hero member
Activity: 588
Merit: 500
I only use PGP as a safe way of communication, not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts, making them unreliable as a verification.

This is the one fault with PGP/GPG. It is more focused on encryption of the message rather than verification of the individual sending the message. You need to have a conscience to understand that maybe the individual who you assume to be speaking and communicating with isn't actually the true individual.

PGP/GPG = Encryption > Verification of identity.
legendary
Activity: 2128
Merit: 1119
I only use PGP as a safe way of communication, not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts, making them unreliable as a verification.
legendary
Activity: 4396
Merit: 4755

In the event a user sells his private PGP key, what will you do then? How will you differentiate between the real person and the impersonator? Digital identity is just not reliable; if you're dealing with a person on-line, either know him in person beforehand or have info on their whereabouts.


That's why I prefer to use bitcoin addresses.. because the address is funded I would be less willing to sell my private key to anyone. For instance, if it's an address I use to receive funds from multiple locations ongoing, I won't want a new person getting those newly acquired funds..

Whereas PGP keys have no real collateral backing them, and can be sold dirt cheap without worry of losing anything in the future.

So Bitcoin message signing has more benefits than PGP.
hero member
Activity: 812
Merit: 1000
As a new user of Bitcoin, you don't really need a PGP signature, unless you really need to prove your unique identity in an anonymous way, for example, for some sort of trade between 2 parties (and always use an escrow for this). Other than that, it's not really needed. You'll know when you need it once you understand what it does.

In the event a user sells his private PGP key, what will you do then? How will you differentiate between the real person and the impersonator? Digital identity is just not reliable; if you're dealing with a person on-line, either know him in person beforehand or have info on their whereabouts.

Actually it has other needs, if you want to send a message to someone in particular and you don't want others to see that then you encrypt the message with that person's public key and only the person knowing the private key will be able to decrypt the message.
full member
Activity: 176
Merit: 100
Satoshi, the person who invented Bitcoin, is anonymous and hasn't posted on this forum for years. If he ever posts here again the only way he could prove he is the real Satoshi is by signing a message with his PGP key, or signing a message using a private key from one of his known Bitcoin addresses.

He posted his PGP public key here that we can use to verify a message has been signed by his private key.
legendary
Activity: 4396
Merit: 4755
Aha thanks guys I'm starting to understand it more.

I thought you had to go to a certain website or something.

-----BEGIN BITCOIN SIGNED MESSAGE-----
This is Chris! from Bitcointalk.org Today is January 2nd 2016. Happy new year!
-----BEGIN BITCOIN SIGNATURE-----
Version: Bitcoin-qt (1.0)
Address: 12aemfTErZB4eZ7LCaTTBPHWq1eqAAgFCe

H2kt5DnxYdZxG45zJtlB0v8JOBy4Fxn/1vKU3OBlU6wAMa+tQm7VlRFdNW70UhFl3AnJn0xzX4ptHBmBkGYIHbw=
-----END BITCOIN SIGNATURE-----

I guess I couldn't sign my 1Chris4GEoLLjdh4juFXGwY7snaazuxvKb address because I never input the private key into mycelium. I just created it on an Ubuntu live USB.
verified
legendary
Activity: 1382
Merit: 1122
Aha thanks guys I'm starting to understand it more.

I thought you had to go to a certain website or something.

-----BEGIN BITCOIN SIGNED MESSAGE-----
This is Chris! from Bitcointalk.org Today is January 2nd 2016. Happy new year!
-----BEGIN BITCOIN SIGNATURE-----
Version: Bitcoin-qt (1.0)
Address: 12aemfTErZB4eZ7LCaTTBPHWq1eqAAgFCe

H2kt5DnxYdZxG45zJtlB0v8JOBy4Fxn/1vKU3OBlU6wAMa+tQm7VlRFdNW70UhFl3AnJn0xzX4ptHBmBkGYIHbw=
-----END BITCOIN SIGNATURE-----

I guess I couldn't sign my 1Chris4GEoLLjdh4juFXGwY7snaazuxvKb address because I never input the private key into mycelium. I just created it on an Ubuntu live USB.
legendary
Activity: 4396
Merit: 4755
Bitcoin has something similar to PGP

in bitcoin you can sign a message using your
1Chris4GEoLLjdh4juFXGwY7snaazuxvKb
address..

that way people will know it's actually you sending a message, as they know you hold the private key to that bitcoin address..
so if ever your email or bitcointalk login got hacked and someone pretended to be you.. because they don't have the private key to your bitcoin address, they cannot sign a message from that address, and thus can't prove they are the real you.
hero member
Activity: 770
Merit: 509
As a new user of Bitcoin, you don't really need a PGP signature, unless you really need to prove your unique identity in an anonymous way, for example, for some sort of trade between 2 parties (and always use an escrow for this). Other than that, it's not really needed. You'll know when you need it once you understand what it does.
hero member
Activity: 588
Merit: 500
Okay, so basically PGP (Pretty Good Privacy) is a form of encryption used to communicate between two individuals. PGP is owned by Symantec, so you will hear the terms PGP/GPG used interchangeably; they are basically the same thing.

What is a PGP Signed Message?
- It is a signature basically. It is a form of digital data that accompanies a message. Think of it like your own written signature. Your own handwritten signature is unique and basically identifies you.

Why are they important?
- It validates that the individual who sent you a message is who they say they are.
- It can be used to verify the authenticity of the message and to make sure it was not "tampered" with.

Mac OS
http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever/

Windows
https://ssd.eff.org/en/module/how-use-pgp-windows

Let me know if you would like any other tutorial for other operating systems.

Yes, I recommend getting a PGP/GPG signature. They are free, simple, and very easy to use to communicate encrypted messages between two users.