Question: When would you use 'sign' over 'encrypt'?

Submitted by justin on Wed, 06/11/2008 - 18:27.

Public key encryption (or asynchronous encryption) is pretty tricky stuff. Encrypting a message provides confidentiality, signing provides assurance. If I sign a message the message is hashed and the hash is encrypted with my private key. This 'signature' can be verified by anyone with my public key - a process that proves the holder of my private key signed the message and that the message (and signature) have not been altered since I sent the message. So I sign all my messages so you can verify that the message came from me and not some impostor. Because e-mail doesn't provide any native verification there's really no way to tell if an e-mail from my address is really from me without digital signatures.

Encryption just takes the message and encrypts it with the recipients public key. So Evil Eve could write a message and send it so that it looked like it came from me and encrypt it with your public key. The message is encrypted, so nobody but you can read it, but you can't know that it was me who sent it. However if I sign and encrypt the message, then it is signed with my private key (which you can verify) and encrypted with your public key (ensuring confidentiality). Doing both insures integrity assurance (you know the message came from me and
hasn't been altered) and confidentiality.

Encrypt or Sign?

Submitted by Matt (not verified) on Sat, 06/14/2008 - 06:43.

I wish I could encrypt everything. But I can't. Even though it is so easy no one is going to start encrypting just because I want them to. I encrypt what I can when I can but I sign everything. Sometimes I get a question about it and then I explain how e-mail works and get them thinking.

Publishing your Key is Also a Good Idea

Submitted by justin on Wed, 07/02/2008 - 19:13.

Being able to point people to an available copy of your public key also helps. Even in someone understands encryption and signing it's pretty useless if they can't verify your signature. You can upload your public key to one of PGP's or MIT's key servers, or even just post it on your website or attach it to your sig on an e-mail.

Thanks

Submitted by age of conan gold (not verified) on Tue, 10/14/2008 - 11:28.

Encryption itself is much more prevalent but behind the scenes like you said such as in SSL. Sadly for speed reasons even SSL uses the wickedly simple implementation of RC4 for bulk encryption, which I wonder how secure that is against modern compute power. AES is now getting adopted so the level of encryption may improve.

One of the biggest if not the biggest failures in computing is PKI, public key infrastructure, whether from fear that keys would be centralized and available to law enforcement to the lack of education for developers on public-key technologies. I thought for sure when the RSA patent expired there would be a mass adoption of PKI but alas it hasn't happen.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Captcha Image: you will need to recognize the text in it.
Please type in the letters/numbers that are shown in the image above.