This post is about digital signatures and why they are useful.
Firstly, some basics about public key encryption. When I talk about messages this can be any kind of content, e.g. text, images, audio files. It can be encrypted as a binary file or in a form that can be sent as text in email.
To use the encryption you have two types of key:
- Your public key is something you can happily put out for anyone to find. Using it they can encrypt a message that only you will be able to decrypt. They can also use it to verify your digital signature (see below).
- Your private key is something you need to keep safe. It is used to decrypt and to sign messages. If anyone else gets hold of it then they can read your mail and pretend to be you. Generally it's protected by a password (or a longer pass-phrase).
To use these you need appropriate software. The common implementations are Pretty Good Privacy (PGP) and the open source GNU Privacy Guard (GPG). Setting these up is beyond the scope of this post. There are plenty of guides available. It's not the simplest process and mistakes can reduce security.
The process of digitally signing consists of:
- Generate a hash of the content. A hash is a long number that can be used to identify that content. If even a single bit changes then the hash will not match.
- The hash is encrypted with the private key to create the signature.
- You send someone the message and the signature. They can verify that it came from you as nobody else could create that signature. They can also determine if the message has been changed at all.
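
The three steps above as an added example (not from the original post, and not how PGP/GPG works internally): textbook RSA over a SHA-256 hash, using only Python's standard library. The key is a constructed demo key built from two publicly known primes, and real tools add padding and a message format on top of this arithmetic.

```python
import hashlib

# Constructed demo key: two well-known Mersenne primes. Fine for showing the
# arithmetic, useless for real security (the factors are public knowledge).
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; this is the secret part


def digest(message: bytes) -> int:
    """Step 1: hash the content (SHA-256 here, rather than SHA-1)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Step 2: transform the hash with the private key to get the signature."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Step 3: recover the hash with the public key and compare it with a
    freshly computed hash of the message that was actually received."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    # Constructed sample message; the URL is a placeholder.
    original = b"This account belongs to me: https://example.com/proof"
    signature = sign(original)
    return {
        "original": verify(original, signature),
        # A single added full stop changes the hash, so the check fails.
        "added_full_stop": verify(original + b".", signature),
        # A signature that differs by one bit does not verify either.
        "altered_signature": verify(original, signature ^ 1),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```
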
I posted a signed message on Steemit yesterday to verify that this Steemit account belongs to the person who has control of my private key. You can check this by posting the text of the page here. Keybase.io is a cool service designed to help prove that a public key really belongs to a given person. The main way to do this previously has been via the web of trust where you prove your identity to someone (e.g. meet up and show them your passport) and they digitally sign your public key. The Keybase approach is to allow you to post signed messages on various services (e.g. Twitter, Reddit) to prove that you are the owner of those accounts.
Posting a message like this is an alternative to posting a picture of yourself holding a sign to say that you own a Steemit account. That can potentially be faked. A digital signature is much harder to fake (i.e. practically impossible). I assume you could post a picture with a signature of the image file, but I'm not sure of the best way to do that. It would be more effort to check it as you would need to download the image and use a PGP/GPG app to check it.
Keybase provide useful tools. Some of these require you to upload your private key, but I'm not sure I want to do that. You can at least encrypt a message for any user on the site. If you want to try Keybase you have to go into a queue, but I have some invitations available. If you want one then post an encrypted message in the comments that includes your email address. To do this go to the encrypt page and enter steevc as the recipient. I may post another time about other facilities they provide, including a command line tool and encrypted cloud storage.
I actually made a couple of mistakes with my signed message:
- I used a SHA1 hash. This is not encouraged as that hash has some security issues. It's potentially possible to create a different message with the same hash, but it's still not trivial. There are newer hashing algorithms available. I need to check my settings.
- The link I included does not work as I put a full stop after it. I cannot edit it without making the signature invalid.
I hope this is clear, but please feel free to ask questions. I'm not an encryption guru, but I can try to help. I found another post that covered similar ground.