0

I am starting to use email encryption with a pair of keys (private and public). So far and after several days of tests, I have been able to send an encrypted/signed message. However, the recipient told me "I cannot verify the signature because you seem to have not published your public key".

This is, in fact, the first encrypted message I have sent in my life and I do not exactly know what I have to do to fulfill the requirement. The only thing I can think of is about publishing my public key to a key server but I am not sure if this is the solution.

schroeder
  • 125,553
  • 55
  • 289
  • 326
JORGE
  • 101

2 Answers2

2

I assume that you're using PGP (as in, any program that implements the OpenPGP standard, such as GnuPG). That's the de facto standard for exchanging encrypted or signed email between people who aren't in the same organization.

When an email has a valid signature, verified against a public key, that proves that the message was sent by someone who has the private key corresponding to this public key. This is only half the battle to know who sent the email: the other half is knowing who the public key belongs to.

If you send your public key to your correspondent, they can verify that it matches the key used to sign the email. You need to do that. You can send it as an attachment to an email, and email software that supports PGP often has an option to make this convenient (something like “attach my public key”). If your email software doesn't have this option, you can use your PGP software to export your public key, for example copy-paste the output of gpg --export JORGE@example.com (replacing JORGE@example.com by the email you used in your key).

That allows your correspondent to verify the signature, but it may or may not satisfy them that you are who you say you are. To satisfy that, you have to allow them to relate that public key with what they already know about you. For example, if they have your phone number, you could tell them to ring you, and then compare your public key's fingerprints — this is a short sequence of digits and letters that is unique to a public key. Your PGP software can display your key's fingerprint (e.g. gpg --fingerprint JORGE@example.com). Another method is to have someone that both of you trust sign your key. That is, Charlie (some guy you both trust) comes and verifies that the key is yours (by whatever means), and then uses PGP to emit a “certificate” that says “this key belongs to Jorge”. Such certificates form a web of trust.

You can upload your key to a key server for convenience, but unless you're part of an organization that uses a key server, that won't do much good. Putting a key on a key server lets everybody know “there's this key, and there's a claim that the key belongs to Jorge”. But it doesn't prove that the claim is true: anybody could upload any key to the key server. You still need a way to relate the key with some identity of yours, i.e. to include your key in a web of trust.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
  • Thanks for your reply. Both of us (sender and receiver) are using Thunderbird as the email client, GnuPG and Enigmail add-on. I performed a test with 2 personal accounts. I sent an encrypted/signed email from one account to the other and also attached the public key which I added to the "keyring" and "signed it". After this, the message is showing "Decrypted message; Good signature from xxxxxxxxxxx". I supposed this is correct process to verify the signature. Am I correct? – JORGE Feb 01 '17 at 15:40
1

Since you are referring to key servers, I'm guessing that you are talking about OpenPGP here. Note however, that there is at least one more widely used email encryption scheme, namely S/MIME, but it doesn't use key servers, but relies on trusted third parties (Certificate Authorities, CAs).

On the OpenPGP side of things there are many different implementations. These days GnuPG is probably the best known one (at least on Unix platforms).

To upload your key to a key server you have to do the following:

1.) Find out your key ID:

gpg --search your@email.add

The output will contain your key ID, which will look something like this: B4B887C3479F3215

2.) Upload the key to a keyserver (in this case hkp://keys.gnupg.net):

gpg --keyserver hkp://keys.gnupg.net --send-keys B4B887C3479F3215

Most of the public keyservers are interconnected and will synchronize, so uploading your key to one of them (GnuPG, MIT, etc.) should be enough.

Pro tip: Before uploading your key and hence making it publicly known, you should really get a better understanding of OpenPGP. Some aspects of your key (key expiry, key length, sub keys, etc.) cannot easily be changed later on, so making the right decision now is important. Otherwise you'll end up with a bunch keys, which in general confuses people a lot.

Karol Babioch
  • 1,247
  • 8
  • 10