Digital Signatures and Cryptography


Descriptive Sites by Others

These folk have written good descriptions so I present them here.

 

Main Systems Used

S/MIME Digital Certificate Sources

Advanced Preparation for Meeting with A WoT Notary

Please, use this list to prepare for meeting with a Digital Notary to assert your identity. Completion of steps 1-5 prior to the meeting will save time for everyone.

  1. Go to the thawte web site (http://www.thawte.com/) for a description of the certificates and their uses.
  2. Sign up for the Freemail certificate program by choosing the Join link. [NOTE: Your thawte ID can be either your verified e-mail address or the CC-nid-1 format, YOUR choice. (Personally, I'd suggest an e-mail address that's unlikely to change.)]
  3. Respond as requested to the e-mail verifying your e-mail address. Once you submit the probe and ping you do not have to request a certificate immediately (see next step).
  4. Unless you NEED a certificate prior to the meeting, WAIT to request certificates until after you have been notarized to the 50 point level and can get certificates with your name in them. You will be able to achieve this level at the MeetUp as there will be two of us able to assert your identity.
  5. Have a photocopy of the below ID(s) for each Notary who will be asserting you. At the MeetUp, there will be a scanner available on site if you are unable to make copies in advance.
  6. Bring one or more forms of ID with you to the meeting. One needs to be a photo ID, one must have what you are using as your "National Identification Number" (NID). If you use your Driver's License Number for your NID a photo Driver's License alone would be enough. If you use your Social Security Number you must present your ORIGINAL Social Security Card plus a photo ID.

Advanced Preparation for PGP Key Signing

Please, use this list to prepare for meeting to sign your PGP key. Completion of steps 1-4 prior to the meeting will save time for everyone.

  1. Secure a copy of the PGP software (see above), install it on your system and generate a key set.
  2. Self-sign (sign your public key using your private key) your key from step 1.
  3. Upload your signed public key to one of the well known public PGP keyservers (e.g., http://pgp.mit.edu:11371/).
  4. Create cards, labels or paper slips with your name, e-mail address, Key type (RSA or DH), Key ID and Key Fingerprint (Hex preferred).
    Real Life Example:
    Frank Warren kb4cyc@webwarren.com
    
    DH/DSS Key [ID: 0X635E3B05] Fingerprint (2048/1024 bit):
    
    6618 5D69 12C0 862E BD48  264B E0A8 8296 635E 3B05
    
    RSA Key [ID: 0XE553A1B7] Fingerprint (2048 bit):
    
    1094 D1FA BB10 A415  BA04 8A91 7A6C 5F1D
    Bring these with you to exchange at the signing session.
  5. Bring one or more forms of ID with you to the meeting. One needs to be a photo ID. A photo Driver's License or State issued ID is enough.
  6. At the signing, exchange the cards from step 4 with each person you will exchange signatures with and confirm their identity against their ID; a sight check is enough.
  7. After the physical meeting, using the data from the slips you collected, download the other public keys from the keyserver, sign them with your key and copy them back to the server.

NOTE: Most thawte Web of Trust Digital Notaries who also participate in the PGP Web of Trust will usually also sign your PGP key if you provide the Key ID and Fingerprint when doing the thawte assertion.
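
For step 7 of the PGP key signing list, a check worth running before you sign, shown here as an added example that is not part of the original page. The function names are hypothetical, the card values are the ones from the Real Life Example above, and the fingerprint of the downloaded key is assumed to be the one your own PGP software displays.

```python
import hmac
import re

# Values copied from the page's "Real Life Example" card.
CARD_DH = ("0X635E3B05", "6618 5D69 12C0 862E BD48  264B E0A8 8296 635E 3B05")
CARD_RSA = ("0XE553A1B7", "1094 D1FA BB10 A415  BA04 8A91 7A6C 5F1D")


def normalize_hex(text):
    """Drop spaces, colons and a leading 0x; return upper-case hex digits."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(f"not hexadecimal: {text!r}")
    return cleaned


def check_card(key_id, card_fpr, downloaded_fpr):
    """Return (ok, reason) for one slip against the key fetched from the keyserver.

    downloaded_fpr is the fingerprint your own PGP software reports for the
    downloaded key, not a value displayed by the keyserver.
    """
    kid = normalize_hex(key_id)
    card = normalize_hex(card_fpr)
    local = normalize_hex(downloaded_fpr)
    if len(card) == 40:
        # 160-bit SHA-1 fingerprint (OpenPGP v4 keys): the short key ID is its
        # last 8 hex digits, so a card that disagrees with itself has a typo.
        if not card.endswith(kid):
            return False, "key ID is not the tail of the fingerprint"
    elif len(card) != 32:
        # 32 digits is the 128-bit MD5 fingerprint of an old v3 RSA key; its
        # key ID comes from the RSA modulus and cannot be cross-checked here.
        return False, "fingerprint has unexpected length"
    # Compare the full fingerprint: a matching 8-digit key ID alone proves
    # nothing, because short key IDs can collide.
    if not hmac.compare_digest(card, local):
        return False, "downloaded key does not match the card"
    return True, "fingerprint matches"
```

Sign only when `check_card` returns `True` for the slip and you have already confirmed the person's identity as in step 6.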

Basic Definitions

encryption
Transformation of information in a way that renders it unusable to those without permission to access it.
 
decryption
The recovery of encrypted information.
 
hash function
A function that yields a value that can be used to uniquely identify its input without a bit-for-bit comparison, e.g., MD5 or SHA-1.
 
symmetric cypher
An encryption system that uses the same key to encrypt and decrypt, for example DES.
 
asymmetric cypher
An encryption system that uses different keys to encrypt and decrypt. One key, the public key, is distributed widely. The other, the private key, is known only to the owner of the key set.
 
digital signature
A method of proving the authorship and content of an electronic document such as e-mail. Often the result of a hash function applied to the document then encrypted with the signer's private key.
 

 


Cryptography & Digital Signatures
North Plainfield Home Business MeetUp, 22 Feb 2008
Send comments to kb4cyc@webwarren.com

 
