diff options
Diffstat (limited to 'src/content/docs/guides/sign-verify-text.md')
| -rw-r--r-- | src/content/docs/guides/sign-verify-text.md | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/src/content/docs/guides/sign-verify-text.md b/src/content/docs/guides/sign-verify-text.md new file mode 100644 index 0000000..02d7057 --- /dev/null +++ b/src/content/docs/guides/sign-verify-text.md @@ -0,0 +1,104 @@ +--- +title: Signing & Verifying Text +--- + +Digital signatures, much like their analog counterparts, serve as a method for +asserting the authenticity and integrity of a digital document or message. +However, unlike traditional signatures, digital signatures offer a much higher +level of security, making it possible to ascertain not only the identity of the +signer but also whether the content has been tampered with since it was signed. + +The foundation of digital signing and verification lies in the field of public +key cryptography, a cornerstone of modern secure communication. This system +relies on two keys: a private key, which is kept secret by the owner, and a +public key, which can be shared with anyone. To sign a document, the signer uses +their private key to generate a digital signature on the document. This +signature is unique to both the document and the private key, ensuring that any +changes made to the document after it has been signed can be detected. + +Verification, on the other hand, requires the corresponding public key. When a +document is received along with its digital signature, the recipient can use the +signer's public key to verify the signature. This process checks that the +signature matches the document and was created with the private key +corresponding to the public key. If the document has been altered after signing, +the verification will fail, alerting the recipient to the tampering. + +One of the advantages of digital signatures is the ability to use multiple +private keys for signing a document, similar to having a document signed by +multiple parties. Each signer uses their private key to sign the document, and +each signature can be independently verified with the corresponding public key. +This method is particularly useful in scenarios requiring the approval or +authorization of multiple entities. + +Digital signatures are a critical component of secure communications, providing +assurances of authenticity, integrity, and non-repudiation. Non-repudiation +means that a signer cannot later deny the authenticity of the signature on a +document they signed. This is especially important in legal, financial, and +sensitive communications, where trust and authenticity are paramount. + +Tools like GpgFrontend facilitate the process of creating and verifying digital +signatures in a user-friendly manner. GpgFrontend is built on top of the OpenPGP +standard, which is a widely accepted protocol for encryption and digital +signatures. The tool allows users to easily manage their encryption keys, sign +documents, and verify the signatures of received documents, thereby enhancing +the security and trustworthiness of digital communications. + +In summary, digital signing and verification through tools like GpgFrontend +leverage public key cryptography to ensure the security and integrity of digital +communications. By enabling users to sign documents with their private keys and +allowing others to verify those signatures with corresponding public keys, +digital signatures provide a robust mechanism for authenticating the origin and +integrity of digital documents, far surpassing the capabilities of traditional +handwritten signatures. + +## Signature Only + +By signing the text, you establish that you are the sole and unalterable +authority for this text. You can simply sign the text without encrypting it as +follows: + + + +To check whether a key can be used for signing, please review the 'Usage' column +in the key toolbox on the right (the letter 'S' stands for signature). + +## Signature with Encryption + +You also have the option to sign and encrypt at the same time by choosing a +public key for encryption and your private key for signing. This is a common +practice where you select two key pairs: one belonging to someone else for +encryption, and your private key for signing. If you don't select a key for +signing, only encryption is possible, but you will receive a warning. It's worth +noting that combining signing with encryption provides an additional layer of +security as it assures the recipient that the message hasn't been altered and it +came from the sender whose identity is verified by the digital signature. + + + +## Verification + +Once you have a plaintext and its corresponding signature, you can verify the +signature using the signer's public key. However, this type of signature isn't +suitable for emails as it can make the email less readable. + + + +To verify a signature with text, you need to have the corresponding public key +for all included signatures. If a suitable public key for a signature isn't +found locally during verification, GpgFrontend will prompt you to import it. + + + +## Verification with Decryption + +When decrypting a ciphertext, it's advised to verify it simultaneously, +regardless of whether the encryptor signed it or not. It's impossible to +determine from the ciphertext's format if it has been signed. Therefore, it's a +good habit to always perform decryption operations with verification whenever +possible. + + |