Digital Signatures
For a variety of reasons, I sign all (well almost all) my outgoing
mail messages with a digital signature. You can verify that the
message was really sent by me by explicitly checking the message
against my public
key. Many mailers can be configured to do this verification for
you. I use mutt as my mail reader
and it assists me in signing mail as well as verifying signatures when
they are attached as part of a mail message.
Digital signatures can also be used to encrypt messages so that
only particular people can read them. I use the intended recipient's
public key to encrypt the message. Only the person with the
corresponding private key can decrypt and interpret the message.
Hopefully the private key is only in the hands of the recipient I
intended.
And just as I can sign email messages, I can also sign files to
allow readers to verify those files did actually come from me. I can
either encode the signature within the file, or more conveniently, I
can provide both the file and the signature separately and the reader
can verify the document came from me by using the two.
Digital Signature Software
If you want to use digital signatures,
either to sign digital/electronic content
or to verify the origin of content you
receive, you need digital signature software.
- GNU Privacy Guard
  This is also known simply as GPG, and is the software I use.
  This is an Open Source system that works on all the operating systems I need it for.
- Pretty Good Privacy
  This is a very similarly, but confusingly differently, named
  system. There are Open Source and freeware versions
  of this as well as commercial implementations with support.
MD5 Sums
When downloading files, it is always good to verify that they
have not been corrupted or, more importantly, replaced by files with
malicious contents. When the author "publishes" a file, they can also
provide an MD5 sum along with it. The MD5sum is basically a
hash generated from the contents of the specific file (i.e. the
number and order of its bytes). If somebody modifies the original
file, it is virtually impossible to do so in a way that leaves the
MD5sum the same. So this allows us to test whether the current file
corresponds to the MD5sum of the original.
The MD5sum is both created and checked by the
publisher and recipient with the
same tool - md5sum.
Publisher | Recipient
md5sum file | md5sum -c file
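The publisher and recipient steps above as a runnable sketch (an added example, not code from the original page). Note that md5sum -c reads the list of sums the publisher saved, not the downloaded file itself; the file name release.txt, the .md5 suffix and the function names publish, check and demo are assumptions, and the sample content is constructed.

```shell
#!/bin/sh
# Publisher: save the MD5 sum of FILE (inside DIR) as FILE.md5,
# which is the "sum  name" list format that md5sum -c reads.
publish() {
    ( cd "$1" && md5sum "$2" > "$2.md5" )
}

# Recipient: print OK, MODIFIED or MISSING for FILE inside DIR.
check() {
    dir=$1 file=$2
    # A file or sum list that is absent is reported separately from a mismatch.
    [ -f "$dir/$file" ] && [ -f "$dir/$file.md5" ] || { echo MISSING; return 2; }
    if ( cd "$dir" && md5sum -c "$file.md5" >/dev/null 2>&1 ); then
        echo OK
    else
        echo MODIFIED
        return 1
    fi
}

# Walk through the three outcomes on a constructed sample file.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample payload\n' > "$d/release.txt"
    publish "$d" release.txt
    r1=$(check "$d" release.txt) || :
    # Same length, last letter changed: the sum no longer matches.
    printf 'constructed sample payloae\n' > "$d/release.txt"
    r2=$(check "$d" release.txt) || :
    rm "$d/release.txt"
    r3=$(check "$d" release.txt) || :
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo
```

sha256sum takes the same arguments and the same -c list format, so the two functions work unchanged with it in place of md5sum.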
Duncan Temple Lang
<duncan@wald.ucdavis.edu>
Last modified: Sun Jul 18 10:28:18 PDT 2004