Checking the GPG Signature

An MD5 digest isn't foolproof. As mentioned before, an attacker could also change the value stored in the digest file so it always matches. A far better way to ensure the integrity of files you download is to check the digital signature of the file downloaded.

Checking the signature requires that you have either PGP (www.pgp.com) or GPG (www.gnupg.org) installed on one of your systems. You'll also need the public key of the creator of the signature.

Here's how you would go about checking the integrity on our openssl file.

bash-2.05$ gpg openssl-0.9.7-beta4.tar.gz.asc
gpg: Signature made Tue Nov 19 05:15:12 2002 EST using RSA key ID E06D2CB1
gpg: Can't check signature: public key not found
bash-2.05$

We ran GPG on the signature file, but we don't have the public key for the signer. So, we have to find the key at a keyserver using the key ID 0xE06D2CB1. The easiest way to do that is to go to www.keyserver.net and enter the key ID into the window, as shown in Figure C.1, making sure to enter "0x" before the key ID. In this case, we're entering "0xE06D2CB1".

Figure C.1. Public Key Server

graphics/cfig01.gif

If a key exists in the server with the ID you entered, you'll see it displayed as the result of your query. The answer to our query is shown in Figure C.2.

Figure C.2. Results of a Key ID Search

graphics/cfig02.gif

In this case, you'll see that Richard Levitte is the owner of the public key associated with the key ID 0xE06D2CB1. Now, you need to make sure that Richard Levitte is authorized to sign the file you downloaded. To answer this question, we simply look at the list of developer team members for OpenSSL on their home page, and we see that Richard Levitte is a member of the development team. Ideally, the team should also put their OpenPGP fingerprints on this page to verify that the Richard Levitte associated with the public key we found is in fact the Richard Levitte associated with the OpenSSL project.

Once we're happy that we have the correct key, we can view an ASCII representation of it and cut and paste the key into a file we can import into our OpenPGP application. The ASCII representation of Richard Levitte's key is shown in Figure C.3.

Figure C.3. ASCII Representation of Public Key

graphics/cfig03.jpg

Now, assuming that we saved a copy of the ASCII representation in the file levitte.asc, we import the key into our public key ring with the command:

bash-2.05$ gpg --import levitte.asc
gpg: key E06D2CB1: public key imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Now that we've loaded the proper key into our public key ring, we can verify the integrity, or authenticity, of the file we downloaded.

bash-2.05$ gpg openssl-0.9.7-beta4.tar.gz.asc
gpg: Signature made Tue Nov 19 05:15:12 2002 EST using RSA key ID E06D2CB1
gpg: Good signature from "Richard Levitte <richard@levitte.org>"
gpg:                 aka "Richard Levitte <levitte@lp.se>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Fingerprint: 35 3E 6C 9E 8C 97 85 24  BD 9F D1 9E 8F 75 23 6B

You'll see that the signature of the file verified correctly. But there's a warning message. The warning is just telling us that Richard Levitte's public key certificate isn't signed by anyone we trust.



    Part II: The Design of Wi-Fi Security