File Verification

e-ignite:  Communicate Securely

GnuPG is a very advanced tool and it can be used for file verification, creating file signatures and even encrypting files.  However, GnuPG is a command-line only tool and it's not exactly quick, easy or fun to learn and use. Fortunately, there are several free front-end programs for GnuPG and in this section I'll explain how to use one of them - GPGee (although this is a Windows tool - sorry to the Mac and Linux users!).

There are several other GnuPG front-end programs available, but I like GPGee for its sheer simplicity.

Why use File Verification?
How is it used?
How to set up File Verification
How to verify files
How to encrypt files with GnuPG

Why file verification?
If you put a file on the internet for others to download, or send it by email, there is no way for you or the recepient to know if your file has been tampered with between the time it leaves your system to the time it arrives on theirs. This could be something simple like a file corruption, but it could also be something more sinister - for example, someone may have intercepted the file (or hacked your website), changed it to give out personal information or infect a system, then replaced the original file with it.  The user could potentially be at risk, and the sender could be held responsible.

This is where file verification and file signatures come in. File signatures are created by the creator's private key (so it can't be faked) and sent with the file. The recepient of the file just has to RIGHT-CLICK > VERIFY to check if the file is safe to use.  If the file verifies correctly, they can be sure it has not been altered since it was sent or placed online for download. If the verification fails, they know not to use the file and they can contact the originator.

How is it used?
There is a Windows explorer extension available (called GPGee) that allows you to right-click on a file and create a signature with your public key, or verify another usre's signature. It really is that easy.

How do I set up file verification on my computer?
First, you need to install GnuPG.  If you've set up OpenPGP email encryption as per my instructions, this is already on your computer.
Next, download GPGee and install it. You will need to restart your computer before you use it.

Now, when you right-click on a file, you will be given this menu:

GPGee Context Menu

Now, right-click on any file on your desktop, select GPGee > CONFIGURE.  This screen will appear:

GPGee Configuration

Under "Set Program Path", click the "..." button to browse to your GnuPG installation directory (eg. C:\Program Files\GnuPG\gpg.exe"
Your public and secret keyrings are in the GnuPG Home Directory. Under WinXP/2000 this is:
C:\Documents and Settings\USER\Application Data\gnupg\pubring.gpg and secring.gpg

You can now right-click any file and chose "Sign" to create a file-signature.  I recommend using detached signatures - these use a seperate file as the signature.

How do I verify a file I've downloaded?
If you download a file and associated file signature, make sure they are both in the same folder.  Right-click on the "filename.asc" file, select GPGee > VERIFY/DECRYPT. In order to verify the file, you will need to have a copy of the file sender/originator's Public Key.

Can I also use file encryption with this method?
Yes, you can.  There are two encryption options available - "Encrypt (PK)" and "Encrypt (Symmetric)".  To access both of these, you need to right-click a file and select the GPGee menu.

Encrypt (PK) means that the file is encrypted to the recepient's Public Key (PK) so that only they can decrypt the file.  This is a similar method to that used in email encryption.
Encrypt (Symmetric) encrypts the file using a password so that anyone who knows the password can decrypt the file.

Encrypting a file using symmetric encryption is mathematically stronger (although this depends on the complexity of the password used) than Public Key encryption, and it is less complex to use.  It means that if you ever lose your Public and Private keys, you will still be able to access the data. However, Public Key encryption ensures that only the person you sent it to can open the file easily.

Copyright | e-ignite is powered by | About e-ignite