I'm a veteran DNM user, but I have a super noob question

Hey yall,

I've been using DNMs on and off since SR1, so I've been around the block a few times. I feel like I'm living through the Wild West in the movies: a free but dangerous lawless place slowly being chipped away by the law! But I've already digressed: I have an embarrassingly newbie-type question that I need answered, and maybe my Google-fu is weak, but I can't find an explanation that I understand elsewhere.

I use plenty of computer opsec. Y'all know what that entails so I won't list off my shit. What I've never understood or really trusted is: how does PGP signing work? I get how the encryption works, public key can only be decrypted by private blah blah, but I'm not a real programming/encryption guy so I don't understand how a vendor ending a message with their PGP key is validating their identity. Couldn't anyone just copy that string of characters and sign with it?

I know it must be more involved than that, but for the life of me I can't figure out how.

I thought about posting in /r/DarkNetMarketsNoobs, but I like this community more. I also couldn't find an answer with the search function, but then again my searching might just suck today. Thank you in advance!


Comments


[9 Points] None:

[deleted]

What is this?


[2 Points] hhayn:

Good question. I don't know for sure, but my understanding is that the PGP signature, which is appended to the message, is derived using their private key and that specific message text. And that somehow that can be verified using their public key, as to verify the integrity of the message text and the identity of the author.

Can someone else confirm?


[2 Points] GuessWhoMeOrYou:

A clear signed message is created using the sender's private key from the senders generated PGP key pair (which includes a public key and a private key). If the sender posts a clear signed message, it's fair to assume that the sender would have to know the passphrase to their private key or they have handed it over to someone else which in most cases, is unlikely but still possible. Once the recipient receives this PGP clear signed message, they can then verify the signature that's been used. They just need to import the sender's public key into their keyring and then copy / paste the signed message onto the clipboard of your PGP client. Again, highlight the signed message and click on Verify. Please note that PGP clients vary in the way this is done however this is how it's done using GPG4USB. In Tails, you simply highlight the signed message and then click on the red hexagon in the clipboard icon at the top right of your screen. It will then detail if the signature verifies with the public key on your keyring or not.


[1 Points] WeirdoOnTheInternet:

The encrypt / decrypt relationship with PGP keys works both ways: anything encrypted with the private key can only be decrypted with the public key, as well as vice-versa. What you can do then is first compute a hash of your message, then encrypt that hash with your private key and append it to your message. This proves to everyone that you signed the message, because they can decrypt the hash with your public key and then verify that it's the correct hash by re-deriving it from the message themselves - this proves that it was encrypted with your private key, because it was correctly decrypted with your public key. Had it been encrypted by someone else's private key, your public key would have decrypted it to something random, that would not be the hash of your message (unless they were very lucky).

A hash is a small string of bits that can be easily computed from your message, but not vice-versa. The only way to determine the original message from a hash is to basically hash messages at random until you find one that produces the right hash. Any change, not matter how small, in the message will result in a totally different hash. That means that digital signatures also prove the integrity of the message: it cannot have been altered since the time of signature or else the hash would no longer match your message. Someone could alter your message and produce a new hash fine, but they wouldn't be able to encrypt it with your private key, therefore they cannot make a signature that will decrypt to the correct hash with your public key.


[0 Points] DNAnonymous:

God what a fucking AWFUL ramp-up to a simple question. "Although I am super awesome, SO not a noob, and know everything about everything: Explain PGP to me".


[-1 Points] kralleo:

you can post anything with anyone's public key. that doesnt the reason you know the person is genuine. when you respond you should encrypt it with the public key. and if the person is genuine he can decyrpt it and response back.