**You should always sign your own PGP public key.**

If you generate a public/private key-pair and distribute the public
key without any signatures on it, you are open to a *denial of
service* attack. Here's how the attack works. I take your
unsigned public key, and (using a suitably powerful editor, such as
Emacs) I edit the userid string so that it still has your name but my
email address on it. Then I distribute this modified key widely.
Note that the modified key continues to have the same key fingerprint
as the unmodified key, so it appears to be your key to all who do not
know your email address. Anyone who uses the modified key to encrypt
email to you and who does not know your real email address will send
the email to me instead. Of course, I won't be able to decrypt the
email I receive, because it was encrypted with your public key, but I
have denied you the option of decrypting it. You might never know the
message was even sent.

If you have at least one signature on your public key, PGP detects
the tampering of the userid string and alerts the person who is
sending you encrypted email. This is possible because of the nature
of a *digital signature*. A digital signature is produced by running
a *cryptographically secure hash function* over your RSA public key
and your userid string (among other things) and then encrypting that
hash output value with the *private* key of the signer. If you have a
valid public key from the signer and if you trust the signer to sign
other people's keys, then PGP allows you to infer a certain degree of
trust that the signed key belongs to the person named in the key's
userid field.

A cryptographically secure hash function is an irreversible hash
function for which it is *computationally infeasible* to find
an input message that hashes to a given output value. A task is
computationally infeasible if the sun will have burned out before even
the most powerful computer could finish the task. This prevents
people from forging digital signatures.

You should sign your PGP public key immediately after generating your public/private key-pair. To sign your own public key, type this:

`pgp -ks <userid>`

where `<userid>` is the userid attached to your
just-generated public key. If you have more than one userid on your
public key, then you should sign each one individually.

A widespread misconception about self-signed public keys (i.e., keys that have been signed by their corresponding private keys) is that a self-signed key is somehow more valid than a key that is not self-signed. A self-signed key is no more valid than a key with no signatures at all. Why? Suppose you have a public key with this userid string:

John Q. Public <jqp@somewhere.com>

Here's my denial of service attack. I use PGP to generate a new
public/private key-pair with the same userid string as your public key
but having different RSA public key bits. I self-sign that public key
with its private half. I distribute that public key widely. Someone
thinks it's yours based on the userid string. She makes the mistake
of concluding that it *is* your key because it is self-signed.
This is the mistake of inferring *validity* merely from the
presence of a self-signature. She uses it to encrypt email to you,
but you will not be able to decrypt that mail.

This is a different kind of denial of service attack than the one
described earlier (see *Why You Should Sign Your PGP Public
Key* above). The only defense against this attack (that I can
think of) is to be ever-vigilant for public keys that have your userid
string but a different *key-id* and
*key-fingerprint*.

The key-id is the 32 least-significant bits of your *RSA
modulus*, which is one of the two numbers that make up your RSA
public key. The other number is the *RSA public exponent* (see
the mathematical guts of RSA
encryption for more details).

The key fingerprint is a cryptographically secure hash of the RSA modulus and RSA public exponent, which together make up your public key. The cryptographically secure hash function is Ron Rivest's MD5, which outputs a 128-bit (16-byte) number, every bit of which depends, in no discernible pattern, on every bit of its input. It is much easier for two people to compare a 16-byte hexadecimal value over the phone than it is for them to compare the many hundreds or thousands of bits that compose the modulus and public exponent. If an RSA public key were tampered with in transmission from one person to another, comparing the fingerprints (via a tamperproof communication channel) would certainly reveal the tampering.

The moral of this story is that you should regularly verify that the fingerprints of distributed copies of your PGP public keys (such as those in the PGP keyserver databases) match the fingerprints of your copies of those keys.
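The two attacks and the fingerprint definition above, worked through in Python as an added example (not code from the original page or from PGP): a toy self-signature over key material plus userid, the fingerprint computed the PGP 2.x way (MD5 of modulus and exponent) and the key-id as the low 32 bits of the modulus. The primes, userids and textbook RSA (no padding) are constructed illustration values, not real keys; MD5 appears because the page describes it, and it is no longer collision resistant today.

```python
import hashlib

# Toy RSA keys built from well-known large primes (two Mersenne primes and the Curve25519
# field prime; constructed for illustration only, these moduli are hopelessly weak).
P61, P89, P255 = 2**61 - 1, 2**89 - 1, 2**255 - 19
E = 65537

def key_bytes(n, e):
    """Public-key material as PGP 2.x hashes it: modulus then public exponent."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")

def key_id(n):
    """Key-id: the 32 least-significant bits of the modulus, as hex."""
    return "%08X" % (n & 0xFFFFFFFF)

def fingerprint(n, e):
    """Fingerprint: MD5 over modulus and exponent. The userid is NOT covered."""
    return hashlib.md5(key_bytes(n, e)).hexdigest()

def uid_digest(n, e, uid):
    """Signature hash: covers key material AND userid, so altering either breaks it."""
    return int.from_bytes(hashlib.md5(key_bytes(n, e) + uid.encode()).digest(), "big")

def make_key(p, q, uid):
    """Generate a key pair and self-sign it: textbook RSA 'encrypts' the digest with d."""
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))   # pow(x, -1, m) needs Python 3.8+
    return {"n": n, "e": E, "uid": uid, "sig": pow(uid_digest(n, E, uid), d, n)}

def verify(key):
    """Undo the signature with e and compare against a freshly computed digest."""
    n, e = key["n"], key["e"]
    return pow(key["sig"], e, n) == uid_digest(n, e, key["uid"])

def check(published, trusted_fpr):
    """A careful recipient verifies the self-signature AND compares the fingerprint
    with one obtained over a tamperproof channel. Returns (sig_ok, fingerprint_ok)."""
    return verify(published), fingerprint(published["n"], published["e"]) == trusted_fpr

UID = "John Q. Public <jqp@somewhere.com>"
GENUINE = make_key(P61, P89, UID)
GENUINE_FPR = fingerprint(GENUINE["n"], GENUINE["e"])   # read out over the phone, say
# Attack 1: same key bits, userid edited to the attacker's address. The fingerprint
# is unchanged, so only the self-signature (which no longer verifies) reveals it.
EDITED = dict(GENUINE, uid="John Q. Public <attacker@elsewhere.example>")
# Attack 2: a fresh key pair carrying the same userid, self-signed by its own owner.
# Its self-signature verifies fine; only the fingerprint (and key-id) comparison exposes it.
IMPOSTOR = make_key(P61, P255, UID)
# check(GENUINE, GENUINE_FPR) -> (True, True); EDITED -> (False, True); IMPOSTOR -> (True, False)
```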

There are many ways to hold a key-signing session. Many viable suggestions have been given. And, just to add more signal to this newsgroup, I will suggest another one which seems to work very well and also solves the N-squared problem of distributing and signing keys. Here is the process:

- You announce the keysigning session, and ask everyone who plans to come to send you (or some single person who *will* be there) their public key. The RSVP also allows for a count of the number of people for step 3.
- You compile the public keys into a single keyring, run `pgp -kvc` on that keyring, and save the output to a file.
- Print out N copies of the `pgp -kvc` file onto hardcopy, and bring this and the keyring on media to the meeting.
- At the meeting, distribute the printouts, and provide a site to retrieve the keyring (an ftp site works, or you can make floppy copies, or whatever -- it doesn't matter).
- When you are all in the room, each person stands up, and people vouch for this person (e.g., "Yes, this really is Derek Atkins -- I went to school with him for 6 years, and lived with him for 2").
- Each person securely obtains their own fingerprint, and after being vouched for, they then read their fingerprint out loud so everyone can verify it on the printout they have.
- After everyone finishes this protocol, they can go home, obtain the keyring, run `pgp -kvc` on it themselves, and re-verify the bits, and sign the keys at their own leisure.
- To save load on the keyservers, you can optionally send all signatures to the original person, who can collate them again into a single keyring and propagate that single keyring to the keyservers and to each individual.

-derek

Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
Home page: http://www.mit.edu:8001/people/warlord/home_page.html
warlord@MIT.EDU PP-ASEL N1NWH PGP key available

Reproduced by kind permission of Francis Litterio.

(c) Keith Parkins 1997 -- September 1997 rev 0