WEBVTT

0
00:00.850 --> 00:09.800
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents.

1
00:09.800 --> 00:17.840
A valid digital signature gives a recipient a very strong reason to believe that the message was created

2
00:17.960 --> 00:19.390
by the known sender,

3
00:19.400 --> 00:27.490
this is what authentication means, and that the message was not altered in transit. Or, in simple words

4
00:27.800 --> 00:35.450
if someone who receives a message or downloads a file that is digitally signed he knows that the message

5
00:35.540 --> 00:43.400
was really created by the sender and not spoofed by a hacker and that the message was not tampered with

6
00:43.490 --> 00:44.360
or corrupted.

7
00:45.230 --> 00:54.140
But what is a digital signature? A digital signature of a file is the hash of that file, encrypted with

8
00:54.140 --> 01:03.790
the private key of the user that signs! That’s all! You can encrypt and sign a message or just sign a message

9
01:03.880 --> 01:05.170
without encrypting it.

10
01:05.740 --> 01:12.640
You do that when you want to share something in plain text or make a public post that everyone can read,

11
01:12.970 --> 01:19.810
but you want to include a signature to prove you were the original author and that your message is not

12
01:19.960 --> 01:22.200
altered in transit.

13
01:22.330 --> 01:30.670
If you don't encrypt the message there is no confidentiality and it only proves integrity and authenticity

14
01:30.670 --> 01:33.660
of the message. In the real world

15
01:33.670 --> 01:37.250
there are a lot of messages that are not confidential

16
01:37.360 --> 01:44.950
like for example applications or software updates they only need to be signed not encrypted.

17
01:47.450 --> 01:53.330
Let's see the first type of a signature which is called clear text signature.

18
01:53.360 --> 02:01.040
The document is not encrypted, only signed, and the signature is appended to the end of the document.

19
02:01.040 --> 02:06.820
This is very useful for text files or emails.

20
02:06.830 --> 02:12.740
This is the file I wanted to sign and I'll rename it to a secret.txt.

21
02:21.380 --> 02:24.620
Let's take this file and sign it.

22
02:24.810 --> 02:29.440
gpg --clearsign and the name of the file.

23
02:33.750 --> 02:37.560
I'm signing with my private key so I must unlock it

24
02:41.160 --> 02:51.490
the command generated a clear-text file that contains the signature at the end. Let's see its contents:

25
02:51.580 --> 02:57.070
secret.txt.asc - it's an ASCII file!

26
02:57.200 --> 03:02.710
This is the contents of the file and the signature.

27
03:02.750 --> 03:07.610
This is useful for pasting it into an email or posting it online.

28
03:08.670 --> 03:15.390
If you are not interested in generating a text file you can use the --sign option

29
03:15.450 --> 03:16.890
the same way, like this

30
03:24.560 --> 03:27.340
and the resulting file is a binary one

31
03:31.560 --> 03:40.880
this binary file is not encrypted, only signed. This comment gpg --sign and the name of

32
03:40.880 --> 03:48.600
the file compressed the file and then generates a new binary file called secret.txt 

33
03:48.650 --> 03:57.240
.gpg -it contains both the file contents and the signature; so until at this point we have signed

34
03:57.360 --> 03:59.580
the file in two ways.

35
03:59.740 --> 04:08.600
We've generated an ASCII file and a binary file; and the last type of signature is called detached signature,

36
04:09.170 --> 04:12.190
the signature of the file will be in a separate file.

37
04:12.620 --> 04:21.740
Let's see the command gpg --detach-sig--output and the name of the file

38
04:21.800 --> 04:30.980
that contains the signature, let's say secret.txt.sig and the file I am signing secret.txt

39
04:31.040 --> 04:35.860
This is the signature, it's a binary file!

40
04:38.800 --> 04:46.750
Or if you want to have the signature in ASCII format you add the -a or --amore

41
04:46.750 --> 04:50.340
option like this.

42
04:50.350 --> 04:59.990
This was the command and I'm adding--amore or -a. And the resulting file will be 

43
04:59.990 --> 05:10.470
secret1.txt.asc  There is already a file called secret.txt.asc  and I

44
05:10.470 --> 05:13.410
do not want to overwrite it, that's why

45
05:13.420 --> 05:15.120
I'm using the name secret1

46
05:19.140 --> 05:22.440
and this is the signature in ASCII format.

47
05:25.900 --> 05:26.310
Let's 

48
05:26.310 --> 05:33.380
copy the files to the other Linux machine using scp.

49
05:33.570 --> 05:43.190
The other user will verify the signatures so scp the files and I'll copy all signatures

50
05:48.760 --> 05:56.230
the user, the IP address and the path where the files will be copied, in the home directory.

51
06:04.890 --> 06:15.160
And they were copied, these three files; each file contains the content and the signature.

52
06:15.190 --> 06:21.830
Remember that the files were not encrypted, only signed! To verify a digital signature

53
06:21.880 --> 06:28.870
you always need three things: the file to very, it's here,

54
06:29.090 --> 06:39.280
the digital signature of the file,it is in the same file and the public key of the one that signed.

55
06:39.420 --> 06:44.860
Let's see if we have the public key of the user that signed in the gpg keyring.

56
06:49.530 --> 06:56.990
It's not there, I must import the public key of this the user.

57
06:57.200 --> 07:03.150
This is the keyid and I'll import the key from the key server on this machine.

58
07:03.230 --> 07:10.350
In the last lecture I've published both public keys on the key server, so this key is there.

59
07:11.500 --> 07:26.350
Copy and the gpg--keyserver pgp.mit.edu-- receive and the keyid 

60
07:30.520 --> 07:31.960
The key was imported.

61
07:32.080 --> 07:37.890
Now, the user can verify the signature. Given a signed a document

62
07:37.930 --> 07:45.670
you can either check the signature or check the signature and recover the original document. To check

63
07:45.670 --> 07:46.710
the signature

64
07:46.780 --> 07:56.170
use the -- verify option, like this gpg--verify and the name of the file that contains

65
07:56.230 --> 08:00.460
both the files contents and the signature: secret.txt.asc 

66
08:00.470 --> 08:10.740
and this is a good signature. We can assume that the file comes from the

67
08:10.740 --> 08:13.970
real user and was not changed in transit.

68
08:17.550 --> 08:20.430
To verify the signature of the other file,

69
08:20.460 --> 08:24.530
the binary one, I'll use the same command

70
08:24.570 --> 08:28.580
and it's a good signature. The signature is good

71
08:28.640 --> 08:31.090
but I've got this message, this warning.

72
08:32.670 --> 08:38.790
This key is not certified with a trusted signature. Is that okay?

73
08:39.080 --> 08:43.910
And the answer is that in these conditions the worning is okay.

74
08:43.950 --> 08:51.140
A trusted signature is a signature from a key that you trust, either because you have personally verified

75
08:51.380 --> 08:59.930
that it belongs to the person to whom it claims to belong or because it has been signed by a key that

76
08:59.930 --> 09:04.080
you trust, maybe through a series of intermediate keys.

77
09:04.190 --> 09:12.920
In our case we've just imported the key from the key server without any other verification This level

78
09:12.920 --> 09:23.080
of security is enough in most cases. Another option is to verify the signature and extract the document.

79
09:24.570 --> 09:32.760
We'll use the --decrypt option like this: gpg--decrypt or -d, it's the same,

80
09:33.210 --> 09:41.500
and the name of the file that contains the clear text contents and the signature secret.txt.asc

81
09:41.520 --> 09:49.870
and we see the contents of the file and that the signature was good.

82
09:53.660 --> 09:58.670
The command printed out the content of the file it the terminal.

83
09:58.670 --> 10:06.290
If you want to create another file, with that clear text content, you can use an output redirection like

84
10:06.290 --> 10:13.730
this or the --output option, let's say secret.txt

85
10:14.240 --> 10:23.870
This is the signature and this is secret .txt,  the initial file the file I have signed.

86
10:23.900 --> 10:28.320
Let's see how to verify the detached signature!

87
10:28.390 --> 10:37.090
Remember that secret1.txt.asc is a detached signature! There is only the signature!

88
10:39.760 --> 10:44.580
To verify a detached signature you execute gpg--

89
10:44.590 --> 10:57.780
verify, the name of the signature file and the name of the file, in clear text, this one; and we've got a

90
10:57.780 --> 10:58.560
good signature.