Questions tagged [digital-signature]

A digital signature (not to be confused with a digital certificate) is an electronic signature that is used to authenticate the identity of a message sender or document signer, and usually to ensure that the original message/document content is unchanged (document integrity).

856 questions
115
votes
6 answers

Why should one not use the same asymmetric key for encryption as they do for signing?

In an answer to a question about RSA and PGP, PulpSpy noted this: It is possible to generate an RSA key pair using GPG (for both encryption and signing -- you should not use the same key for both). What is the reasoning behind this? Perhaps my…
Iszi
87
votes
4 answers

SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?

(Sorry I know this is a complete noob question and at the risk of posting a somewhat duplicate topic. I have a basic understanding of public/private key, hashing, digital signature... I have been searching online & stack forum last couple days but…
83
votes
8 answers

Is it possible to "fake" being connected to a router?

A friend of mine is taking a UNIX systems class and mentioned to me that when they take exams they do so on their computers. That is all students are using their own computer/laptop. Students are not being provided a computer by the professor. In…
Ryan
77
votes
3 answers

Does OpenPGP key expiration add to security?

I've created a new OpenPGP key to sign a software package in a source repository with an expiration date three years from now. It seemed like a good security measure, because if the key is compromised or stolen the damage will be limited. But then I…
Adam Matan
68
votes
4 answers

How does the digital signature verification process work?

I am not able to understand how the digital signature is verified. I know that the digital signature will be attached to the message and sent by the sender to the receiver. Then the receiver uses the public key to verify it. Here are my…
67
votes
3 answers

Why shouldn't I bring a computer to a key-signing party?

I'm looking at the event description for the key-signing party at an upcoming BSD conference, and it's mentioned that I shouldn't bring my computer in to the event: Things to bring no computer What risks does bringing a computer into a…
Jules
66
votes
9 answers

Proving creation time/date of a screenshot

I have to produce a screenshot of a web page, and want to make sure others will know without any doubt that this screenshot has been produced today. That is, I would like to embed today's date in the screenshot as irrefutable proof the screenshot…
User
64
votes
8 answers

Why do people still use/recommend MD5 if it has been proven weak since 1996?

It's still a commonly recommended way of hashing passwords, even if its insecurity had been proven in 1996: Therefore we suggest that in the future MD5 should no longer be implemented in applications like signature schemes, where a…
Marek Sebera
62
votes
1 answer

Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?

Simply put, I am wondering why would one need to sign one's commits with a GPG key when contributing to GitHub when one's already required to provide an SSH public key?
Mahmoud Tantawy
60
votes
2 answers

Would a digital signature have prevented the CCleaner compromise?

I read today about the CCleaner hack and how code was injected into their binary. People were able to download and install the compromised software before the company had noticed. Isn't this what digital signatures are for? Would signing the binary…
user47894
58
votes
12 answers

Is it possible to make a video that is provably non-manipulated?

Suppose a student takes an exam at home. Since home-exams are prone to cheating, the student wants to be able to prove that he/she did not cheat. So the student puts cameras in the room, which videotape the room during the entire exam. Now, if the…
Erel Segal-Halevi
52
votes
2 answers

Digital Certificate deployment: using two certs for each user?

At a large enterprise environment I have come across a deployment approach for Digital Certificates where each user is issued two (2) key pairs: One for signing documents, emails, etc. that is completely "personal" (perhaps kept only by him in an…
George
49
votes
4 answers

Can I use a private key as a public key and vice versa?

I have code to encrypt data using a public key and decrypt it using a private key. This is useful when a client wants to send data to a server and know that only the server can decrypt it. But say I want the server to encrypt data using the private…
Graeme Perrow
49
votes
11 answers

Does hashing a file from an unsigned website give a false sense of security?

Consider this. Many websites with software downloads also make available MD5 or SHA1 hashes, for users to verify the integrity of the downloaded files. However, few of these sites actually use HTTPS encryption or digital signatures on the website…
Iszi
47
votes
4 answers

How to achieve non-repudiation?

If I have a message that I need to send to another person, how do I achieve non-repudiation? Is digitally signing the message sufficient?