Digital signatures

Abstract

This article proposes the use of OpenPGP software to sign official NET documents with digital signatures when a handwritten signature on an original document is not practical. It provides step-by-step instructions for doing so, together with the security considerations involved.

Introduction

Many mechanisms within the NET organization rest on the responsibility of individuals. These individuals, directors or otherwise, vouch with their position within the various NET structures for the validity of the data they provide. Official written documents carry this data, but such documents can easily be forged by unqualified or unauthorized people, or altered after the experts have verified them.

Signatures are the usual protection against this. For documents exchanged over the Internet, this article proposes OpenPGP digital signatures; OpenPGP-compatible software available without a commercial fee is the most appropriate choice for this purpose. The article gives instructions for installing and using such software to sign documents on Linux (or Mac) and Windows.

About the software

While other software packages that support private keys and OpenPGP signing can serve the same purpose, this article describes software that is available to everyone and relatively easy to use. For Linux it suggests the GnuPG package with kGPG as its graphical user interface; for Windows it suggests the Gpg4win package, which includes a graphical user interface (see the references for links). There are no separate instructions for Macs, but the Linux instructions should apply with little change. Setup and use of these programs are simple, but read the instructions anyway: they contain security considerations you should be aware of.

This article does not cover storing private keys on smartcards, nor the use of government-issued keys; both may also be used.

OpenPGP signatures are commonly used on email, and the packages come with tools that integrate into email clients (see GPGol below and Enigmail in the references). Using them is a good idea: people who regularly receive signed email from you learn which key belongs to you, which makes a forged key easier to notice.

Linux: GnuPG and kGPG

Setup

The installation of the packages depends on the distribution of Linux in use, however most users should be able to use a package manager to install both packages in a straightforward fashion.

After installing the software, generate your key pair (a private key and the matching public key). If you already have a private key, do not create a new one; import the existing key instead.

To create a new key (please note that the exact names on the menus may differ depending on your locale):

  1. Run kGPG

  2. If a window does not appear, left-click the keylock icon in your menu

  3. Go to the “Keys” menu

  4. Select the “Generate key pair” option (Ctrl + N)

  5. Enter your real name and an email address you are reachable at and typically use for official communication. This information identifies you as the owner of the signature.

  6. This article recommends the RSA algorithm with a key size of at least 2048 bits (3072 if offered). The 1024-bit "DSA & ElGamal" option found in older versions is no longer considered adequate for signatures. Then click OK.

  7. Enter the password that will protect this private key. You will need to enter it every time you sign something with the key. Then click OK.

  8. This article recommends that you save or print a revocation certificate and keep it somewhere safe. It can be used to revoke your key if the key is stolen or lost. Keep in mind that anyone who can use your revocation certificate can revoke your key, after which verifiers will no longer trust signatures made with it.

It is recommended you make a backup of your private key:

  1. Right click your key in the list

  2. Select the “Export secret key” option

  3. Save the file someplace SAFE. Remember, whoever gets this file and your password will be able to sign documents in your name until you revoke the key. Also remember that if you lose your private key, you will never be able to sign any more documents with the same key; an identical key cannot be generated later.

Your public key is required to verify your signatures. You may export it as a file and give it to the people who will have to verify them, but this article recommends the more practical alternative of uploading the public key to a public key server. Note that a key server does not check who uploaded a key: anyone can upload a key bearing your name and email address. The people who verify your signatures must therefore confirm your key's fingerprint with you through another channel (in person, by phone, or on a printed card) before trusting it.

  1. Right click your key in the list

  2. Select the “Export public keys (Ctrl + C)” option

  3. Select the “Default key server” option

  4. Click OK

Operation

By this point your private key is ready and you can sign documents. There are two basic ways to sign content: signing text, which embeds the signature within the text, and signing a file, which produces a separate signature file. When signing, remember that the content must remain identical for the signature to stay valid; any change at all, including a formatting change, invalidates it. Signing text is recommended over signing files because the signature travels inside the text rather than as a separate file that can be lost or mismatched.

To sign a block of text or verify its signature:

  1. Right click the keylock icon in your menu

  2. Select the “Open editor” option

  3. Type in or copy in your text

  4. Click the “Sign / Verify” button

  5. If you wanted to verify a signature, the result appears in a message box. When verifying, always note the fingerprint of the signing key and compare it with the fingerprint you obtained from that person; it must be identical for all signatures by the same person, and a valid signature from an unknown key proves nothing. Otherwise continue with step 6.

  6. Select your key

  7. Enter your key password

  8. Copy out the result

To sign or verify the signature of a file:

  1. Right click the keylock icon in your menu

  2. Select the “Open editor” option

  3. Click the “Signature” menu

  4. Click the “Create signature...” or “Verify signature...” option accordingly

  5. Select file to sign or check

  6. If you wanted to create a signature, you will have to select the key to use. If you wanted to verify a signature, the result appears in a message box; always note the fingerprint of the signing key and compare it with the fingerprint you obtained from that person (it must be identical for all signatures by the same person).
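The setup and signing steps above as a command-line session, added here as an example that is not part of the original article. It serves both this Linux section and the Windows section that follows: GnuPG and the gpg.exe that Gpg4win installs accept the same commands, although the script as a whole needs a POSIX shell. The name, email address, file names and key server address are placeholders; the choice of RSA 3072 in place of the 1024-bit DSA mentioned above is the example's own, and the parameter-file format is GnuPG's documented unattended key generation format.

```shell
#!/bin/sh
# Added example, not part of the original article: the GUI procedures as gpg
# command-line calls. Names, addresses, paths and the key server are
# placeholders. Nothing runs when the file is merely sourced;
# `sh sign.sh demo` runs the demo at the bottom.

# Parameter file for unattended key generation (GnuPG manual, "Unattended
# key generation"). %ask-passphrase makes gpg prompt for the password
# instead of storing it in the file.
genkey_params() {    # $1 = real name, $2 = email address
    printf '%s\n' \
        "Key-Type: RSA" \
        "Key-Length: 3072" \
        "Key-Usage: sign" \
        "Name-Real: $1" \
        "Name-Email: $2" \
        "Expire-Date: 2y" \
        "%ask-passphrase" \
        "%commit"
}

# Create the key and print its fingerprint, taken from gpg's KEY_CREATED
# status line. The fingerprint is what verifiers must compare out of band.
create_key() {
    genkey_params "$1" "$2" | gpg --batch --status-fd 1 --gen-key \
        | awk '$2 == "KEY_CREATED" { print $4 }'
}

# Backups: secret key (keep offline), public key, revocation certificate.
# GnuPG 2.1+ also writes a revocation certificate automatically to
# ~/.gnupg/openpgp-revocs.d/<fingerprint>.rev; --gen-revoke asks for the
# reason interactively, like the WinPT dialog.
backup_key() {       # $1 = fingerprint, $2 = destination directory
    gpg --armor --export-secret-keys "$1" > "$2/secret-$1.asc"
    gpg --armor --export "$1" > "$2/public-$1.asc"
    gpg --armor --output "$2/revoke-$1.asc" --gen-revoke "$1"
    chmod 600 "$2/secret-$1.asc" "$2/revoke-$1.asc"
}

# Publish the public key. Publishing proves nothing about ownership; the
# recipients still have to check the fingerprint with you.
publish_key() { gpg --keyserver hkps://keys.openpgp.org --send-keys "$1"; }

# Clearsign text (signature embedded, the article's recommended form) or
# make a detached signature for a file; both write <file>.asc.
sign_text() { gpg --clearsign --local-user "$1" --output "$2.asc" "$2"; }
sign_file() { gpg --detach-sign --armor --local-user "$1" --output "$2.asc" "$2"; }

# Verify a clearsigned file, or a detached signature plus its data file, and
# print the fingerprint of the key that made it. In the VALIDSIG status line
# field 12 is the primary key; field 3 is the signing key, possibly a subkey.
verify_sig() {       # $1 = .asc file, $2 = data file (detached signatures only)
    status=$(gpg --status-fd 1 --verify "$1" ${2:+"$2"} 2>/dev/null) || {
        echo "signature BAD or could not be verified" >&2; return 1; }
    printf '%s\n' "$status" \
        | awk '$2 == "VALIDSIG" { print "signed by", ($12 != "" ? $12 : $3) }'
}

case "${1:-}" in
demo)
    FPR=$(create_key "Alice Example" "alice@example.org")
    mkdir -p backup && backup_key "$FPR" backup
    printf 'Subject: Approval of item 42\nDate: %s\n\nI approve item 42.\n' \
        "$(date +%F)" > doc.txt
    sign_text "$FPR" doc.txt && verify_sig doc.txt.asc
    ;;
esac
```

Run it as `sh sign.sh demo` on a test machine: gpg asks for the password through its own dialog, the backups and the revocation certificate land in backup/, a small document is clearsigned, and the fingerprint that verified it is printed. Compare that fingerprint with the one the signer gave you out of band; the exit status of `verify_sig` only tells you that some key in your keyring made a valid signature.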

Windows: GPG4Win

Setup

Download the installer (link in the references) and run it. Accept the defaults; you may leave out GPGol (the Outlook plugin), the manuals and similar optional components.

After installing the software, generate your key pair (a private key and the matching public key). If you already have a private key, do not create a new one; import the existing key instead.

To create a new key:

  1. Start → All Programs → GnuPG For Windows → GPA

  2. When presented with the dialog, select “Generate Key Now”.

  3. Enter your real name. This information will help identify you as the owner of the signature. Then click “Forward”.

  4. Enter the email address you are using for official communication. This information also helps identify you as the owner of the signature. Then click “Forward”.

  5. Enter the password that will protect this private key. You will need to enter it every time you sign something with the key. Then click “Forward”.

  6. If the program complains that the password is too simple, choose a stronger one.

  7. This article recommends that you do create a backup for your key when asked. Click “Apply”.

  8. The key will be generated.

  9. When prompted, select a location for your key backup. Save the file someplace SAFE. Remember, whoever gets this file and your password will be able to sign documents in your name until you revoke the key. Also remember that if you lose your private key, you will never be able to sign any more documents with the same key; an identical key cannot be generated later.

It is recommended that you create a revocation certificate. It can be used to revoke your key if the key is stolen or lost:

  1. Start → All Programs → GnuPG For Windows → WinPT

  2. Double click the key icon in your system tray

  3. Right click your key in the window

  4. Select the “Revoke Cert” option

  5. Select a reason (you may repeat this procedure if you wish to generate more revocation certificates)

  6. Enter your private key's password

  7. Select where to put your revocation certificate and save it somewhere safe. Keep in mind that anyone who can use your revocation certificate can revoke your key, after which verifiers will no longer trust signatures made with it.

  8. Click OK

Your public key is required to verify your signatures. You may export it as a file and give it to the people who will have to verify them, but this article recommends the more practical alternative of uploading the public key to a public key server. Note that a key server does not check who uploaded a key: anyone can upload a key bearing your name and email address. The people who verify your signatures must therefore confirm your key's fingerprint with you through another channel (in person, by phone, or on a printed card) before trusting it.

  1. Start → All Programs → GnuPG For Windows → GPA

  2. Right click your key on the list

  3. Select “Send Keys to Server...”

  4. Click “Yes”

Operation

By this point your private key is ready and you can sign documents. There are two basic ways to sign content: signing text, which embeds the signature within the text, and signing a file, which produces a separate signature file. When signing, remember that the content must remain identical for the signature to stay valid; any change at all, including a formatting change, invalidates it. Signing text is recommended over signing files because the signature travels inside the text rather than as a separate file that can be lost or mismatched.

To sign a block of text or verify its signature:

  1. Start → All Programs → GnuPG For Windows → WinPT

  2. Copy the text to sign or verify into the clipboard

  3. Right click the key icon in your system tray

  4. Clipboard → Sign to sign the content or Clipboard → Decrypt/Verify to verify signature

  5. If you wanted to create a signature, paste the result where you need it. If you wanted to verify a signature, the result appears in a message box; always note the fingerprint of the signing key and compare it with the fingerprint you obtained from that person (it must be identical for all signatures by the same person).

To sign a file:

  1. Open the folder containing the file in Windows Explorer

  2. Right click the file → GPGee → Sign...

  3. Open the “Signing Keys” dropdown and tick your key

  4. Click OK

To verify the signature of a file:

  1. Open the folder containing the file in Windows Explorer

  2. Right click the file containing the signature

  3. GPGee → Decrypt/Verify

  4. The result appears in a message box; always note the fingerprint of the signing key and compare it with the fingerprint you obtained from that person (it must be identical for all signatures by the same person).

Conclusion

Using these software packages, one can sign documents so that a verifier can confirm both that the signature was made with a specific person's key and that the content has not been altered since it was signed. The private key cannot be derived from the signatures or from the public key.

It remains the user's job to keep the key safe so that nobody else can use it. The password protects against someone who gains access to your workstation, but keeping the private key file itself out of the reach of unauthorized people, and safe from accidental loss, is a separate problem that the password does not solve.

It is important to note that the signed document must contain everything the author is certifying: a signed message saying just “Yes” proves agreement with nothing, and could be reused as the answer to a different question. It is therefore highly recommended that at least a short description of the issue at hand and the current date be included in the signed document. The development of an official format is recommended.
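The two checks that the instructions above leave to the reader, comparing the signing key's fingerprint with a known one and making sure the signed text says what and when, can be automated. The following is an added example, not code from the article or from GnuPG: it runs `gpg --status-fd 1 --verify` (gpg assumed on the PATH) and judges the machine-readable status lines GnuPG documents in doc/DETAILS. The list of trusted fingerprints, the sample status output, the fingerprint values and the sample document are constructed for illustration, and the “Subject:” and “Date:” lines are an assumed minimal format, not an official NET one.

```python
"""Policy checks on a GnuPG verification result (added example, not from the article)."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fingerprints of known signers, obtained from each person out of band.
# Constructed placeholder value.
TRUSTED_SIGNERS: Dict[str, str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "Alice Example <alice@example.org>",
}

# Status keywords that disqualify a result even when VALIDSIG is also present
# (gpg still emits VALIDSIG for a signature made with a revoked or expired key).
REJECT = ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG",
          "KEYREVOKED", "KEYEXPIRED")


@dataclass
class Verdict:
    ok: bool
    fingerprint: Optional[str] = None
    signer: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def parse_status(status_text: str) -> Dict[str, List[List[str]]]:
    """Collect '[GNUPG:] KEYWORD args...' lines as {keyword: [args, ...]}."""
    found: Dict[str, List[List[str]]] = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            words = line.split()
            found.setdefault(words[1], []).append(words[2:])
    return found


def judge(status_text: str, trusted: Optional[Dict[str, str]] = None) -> Verdict:
    """A cryptographically valid signature is acceptable only from a known key."""
    trusted = TRUSTED_SIGNERS if trusted is None else trusted
    st = parse_status(status_text)
    v = Verdict(ok=False, problems=[kw for kw in REJECT if kw in st])
    if "VALIDSIG" not in st:
        v.problems.append("no VALIDSIG: nothing was verified")
        return v
    args = st["VALIDSIG"][0]
    # Field 1 is the key that made the signature (possibly a subkey); field 10,
    # when present, is the primary key's fingerprint, the one people exchange.
    v.fingerprint = args[9] if len(args) >= 10 else args[0]
    if v.fingerprint in trusted:
        v.signer = trusted[v.fingerprint]
    else:
        v.problems.append("signing key %s is not a known signer" % v.fingerprint)
    v.ok = not v.problems
    return v


def signed_body(text: str) -> str:
    """Return the text a clearsign signature covers, with dash-escaping undone."""
    m = re.search(r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:[\w-]+:[^\r\n]*\r?\n)*\r?\n"
                  r"([\s\S]*?)\r?\n-----BEGIN PGP SIGNATURE-----", text)
    body = m.group(1) if m else text
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body.splitlines())


SUBJECT_RE = re.compile(r"^Subject:\s*\S", re.M)
DATE_RE = re.compile(r"^Date:\s*\d{4}-\d{2}-\d{2}\s*$", re.M)


def check_document(text: str) -> List[str]:
    """Enforce the minimum content: what is being certified, and when."""
    body = signed_body(text)
    problems = []
    if not SUBJECT_RE.search(body):
        problems.append("missing 'Subject:' line")
    if not DATE_RE.search(body):
        problems.append("missing 'Date: YYYY-MM-DD' line")
    return problems


def verify_file(path: str, data: Optional[str] = None) -> Verdict:
    """Verify a clearsigned file, or a detached signature plus its data file."""
    cmd = ["gpg", "--status-fd", "1", "--verify", path] + ([data] if data else [])
    proc = subprocess.run(cmd, capture_output=True, text=True)
    v = judge(proc.stdout)
    if data is None:  # clearsigned: the text itself is in the file
        with open(path, encoding="utf-8", errors="replace") as f:
            v.problems.extend(check_document(f.read()))
        v.ok = not v.problems
    return v


# Constructed sample status output, in the shape gpg emits on --status-fd.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>",
    "[GNUPG:] VALIDSIG %s 2024-01-15 1705312345 0 4 0 1 10 01 %s" % (FPR, FPR),
    "[GNUPG:] TRUST_FULLY 0 pgp",
])
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Alice Example <alice@example.org>"
SAMPLE_REVOKED = SAMPLE_GOOD.replace("GOODSIG", "REVKEYSIG") + "\n[GNUPG:] KEYREVOKED"
SAMPLE_DOC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Subject: Approval of expense item 42
Date: 2024-01-15

I approve the expenditure described in item 42 of the January budget.
- -- Alice
-----BEGIN PGP SIGNATURE-----

(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    print(judge(SAMPLE_GOOD), judge(SAMPLE_REVOKED).problems, check_document(SAMPLE_DOC))
```

The point of `judge` is that “Good signature” from gpg is not the end of the check: the key that made it must be one whose fingerprint you confirmed with its owner, and a revoked or expired key is rejected even though gpg still reports the signature as cryptographically valid. `check_document` applies the conclusion's rule that a bare “Yes” certifies nothing.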

References

GnuPG encryption engine:

http://www.gnupg.org/

kGPG graphical user interface:

http://developer.kde.org/~kgpg/

Gpg4win encryption engine and graphical user interface package:

http://www.gpg4win.org/

Enigmail email signing interface:

http://enigmail.mozdev.org