User avatar
Posts: 158
Joined: Sat May 19, 2012 5:22 pm
Location: Minneapolis, MN (USA)

RPi User Groups and PGP Keysigning Party

Wed Aug 08, 2012 3:12 pm

Today I was thinking about security and decided to update my PGP Key to a better layout. That got me thinking that since there are lots of RPi User Groups popping up, one OT activity all the groups could do is have a Key Singing Party. Public Key Encryption/Signing is used a lot in Open Source projects but is sometimes missed with new developers.

If you are new to PGP Public Key Encryption here are a few links that may be of some help.

Walkthrough on making a key:
Key Singing Party How To: ... party.html
GnuPG Handbook:

Lets all expand our web of trust.

Posts: 1562
Joined: Sun Mar 04, 2012 12:49 am

Re: RPi User Groups and PGP Keysigning Party

Wed Aug 08, 2012 3:20 pm

What are you talking about?

What is it?

What does it do?

Why would I want to use it?

User avatar
Posts: 158
Joined: Sat May 19, 2012 5:22 pm
Location: Minneapolis, MN (USA)

Re: RPi User Groups and PGP Keysigning Party

Thu Aug 09, 2012 5:51 pm

PGP (Pretty Good Privacy) is a form of Public Key Encryption that is commonly used in Email and File Validation and Encryption. GnuPG is the GPL implementation of the open standard OpenPGP. More history is available at

Basically the way it works is every user generates a Public and Private Key pair. Using Asymmetric (one way) encryption algorithms a user can give out his Public Key to the world allowing for two way communication. Lets say Bob and Alice want to talk to eachother...

Bob gives his Public Key to Alice. If Alice wants to send a message to Bob that no one else can read, she uses Bob's Public Key to encrypt a message and emails it to Bob. Using Bob's Private Key, he is able to decrypt the message. Since the algorithm is Asymmetric, anyone who has Bob's Public Key can only encrypt messages destined for Bob. Only the Private Key can decrypt the message. If Bob wants to send a reply to Alice, he needs Alice's Public Key which encrypts the message that only Alice can decrypt.

Encryption: Message + Public Key
Decryption: Message + Private Key

Lets say Bob wants to send a message to everyone in a project (lets say Alice again). The information can be public but Alice wants to make sure that the message was actually sent by Bob and not some hacker. Bob can sign the message using his Private Key and sent it to Alice. Since she already has Bob's Public Key she can verify that the key used to sign the message was Bob's Private Key.

Signing is really just Encryption backwards. But since the message is public, the message is sent in the clear with a Hash of the message encrypted with the Private Key.

Signing: Message + Private Key
Verify: Message + Public Key

Uses: Email
The primary purpose of PGP originally was for providing security for email as the message being sent from your Mail Client, to the Server and to the destination Email Client all uses clear text. Anyone listening can read the messages. By adding PGP you can now send messages encrypted to the destination or send them in the clear with a stamp showing you are really the one who sent it.

Just think, if you always sign your email and you catch a virus that spammed your address book, your contacts would know the message was not from you and could easily disregard. Sadly its still very much a techie thing so getting your Grandma to sign her emails wont happen any time soon.

Uses: Package Signing
The one case where PGP is used frequently is signing source code and packages. Think about the case where you run apt-get install on your Raspian system. How does the system know that the package it is downloading is legit and is coming from the Raspian developers? Each package is signed with the Private Key of the development group and your system has all the developers' Public Keys. Using asymetric algorithms we know that the only person who can sign a package that we can verify with the developer's Public Key IS the developer.

If you are working on a large project with a bunch of developers all over the world you will most likely be receiving a lot of patches emailed or a lot of code checked into your source code repository. How can you quickly verify that known developers are sending updates and not some random person who may just be trying to slip in some malicious code? Signing your source code of course. Before I send you a patch I'll sign the source code and email it to you. Using my Public Key you can verify it was actually sent by me without me being there in person.

Web of Trust
Lastly, my suggestion of a Key Signing Party. Everyone's Public Keys are hosted on freely available Key Servers. You give them an email address, user name, Key ID, etc. and out pops Bob's Public Key. Great, super simple and now we can encrypt messages to Bob and verify his signature on messages we receive. But how do we know that Carol didn't create a Private/Public Key Pair and just type Bob's username and email address? We have a Key Signing Party! Alice and Bob meet up at a Raspberry Pi User Group meeting and give eachother a copy of their Key's Finger Print. Finger Prints for Public/Private Key Pairs work just like human fingerprints. They are all unique and if you know Bob's Finger Print, when you pull his Public Key from the Key Server you can verify that sure enough Bob actually uploaded that Public Key.

So you might be asking, "Do I now have to go all over the world and meet everyone on the internet?" This is where a little verification and trust comes in. When Bob and Alice meet up at the Users Group meeting, they give each other their Key Fingerprints as well as show each other some ID (Drivers License, Student ID, Library Card, etc). Bob, now knowing Alice's finger print given to him in real life, can use his Private Key to Sign Alice's Public Key. He send Alice's Key to the Key Server saying "I, Bob, have verified Alice's Fingerprint as well as her Driver's License. I know this is Alice and trust that messages signed by Alice's Private Key are truly coming from Alice." The additional part of Alice and Bob's fingerprint verification is they both agree to never sign someone's Public Key unless they also verify their ID. Alice can then go back to college and meet up with Carol. They do the same fingerprint/Driver's license swap and Alice signs Carol's Public Key.

Bob can verify Alice's Key Pair because they met in person. Bob can also trust that Carol's Key Pair is actually Carol's because Alice went through the process of verifying Carol and signed the transaction with her (Alice's) Private Key. This is what we call a "Web of Trust". I verify you, and you verify your friend, its a pretty good assumption that I can claim to have verified your friend. Its not perfect, but much easier to have a little bit of security.

So check out those links I posted. Do a little research and check around with some of the more tech-savvy users in your RPi Users Group. Might be a fun activity that makes the world a little more secure.

Return to “Off topic discussion”