Validating Public Keys

If you exchange Public Keys with your correspondent in a face-to-face meeting, there is no risk. If you do the exchange by email or any other insecure Internet channel, however, you should be wary of a third party intercepting your communications. The problem is that until you have exchanged Public Keys with your correspondent and verified that they are the proper ones, your emails are neither private nor safe. So the question is: how do you exchange Public Keys safely?

Somebody may intercept the email in which you send your public key, keep your public key for himself, and forward the message with his own public key in place of yours.

Your correspondent will answer your email with his own Public Key. The intruder can intercept that email as well, modify it at will, replace your correspondent's Public Key with his own, and forward it.

At this point the intruder can read all the messages between you and your correspondent and modify them at will, since only he holds the genuine Public Keys of both correspondents, while both correspondents are using spoofed Public Keys instead of the proper ones.

This so-called man-in-the-middle scenario can occur without the recipient's or sender's knowledge.

Bersoft Private Mail provides a secure method to validate that the Public Keys sent by email are from the intended sender.

Public Keys can be validated by using fingerprints, which consist of eight groups of four hexadecimal digits (the digits 0-9 and the letters A-F), like this one:

448B-F260-A017-DA1C-F562-6D78-8FDF-3CFD

Before using the Public Keys exchanged by email, you should contact your recipient offline, by telephone or over any other secure channel, and compare the fingerprints of both Public Keys.

In this way you will know for sure that the Public Keys are valid and that nobody but you and your intended recipient can read your communication.

After the Public Keys are verified, you can start to send and receive encrypted messages securely. From then on, nobody else will be able to read them: an intruder may still intercept the messages, but the text and attachments will not be readable.

This is the only secure method to ensure key authentication. Third-party signatures are not secure because they can be falsified.

Fingerprints and Validation

Validate a Public Key from one correspondent after receiving its fingerprint

Click and select Manage Public Keys in your keyring menu. You will see all the Public Keys from your correspondents. Select the one you want to validate and click the Validate button.

You will be asked to provide the key fingerprint. If it is the proper one, the key will become validated. Otherwise you will see a dialog showing the characters that don't match between the proper fingerprint and the one you entered. If only a few characters are wrong, most probably you made a mistake when writing it down; contact your correspondent again to get it right.

Get a fingerprint for your own Public Key

Click and select the Manage your own RSA Key Pairs menu. Select your Key Pair and click the Get Fingerprint button.
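The following Python script is an added illustration of the whole procedure described on this page (the key substitution by an intruder, the out-of-band fingerprint comparison, and the mismatch report shown by the Validate dialog). It is not Bersoft Private Mail's code, and the fingerprint derivation it uses (the first 128 bits of SHA-256 over the public key bytes, printed as eight dash-separated groups of four hex digits) is an assumption chosen only to reproduce the 8x4 layout shown above; the key material is constructed random bytes standing in for real RSA public keys.

```python
"""Fingerprint-based validation of exchanged public keys (added example).

Assumptions, not Bersoft's documented format: a fingerprint is the first
128 bits of SHA-256 over the public key bytes, rendered as eight groups of
four upper-case hex digits separated by dashes.  Keys are constructed bytes.
"""
import hashlib
import os
import re
from typing import List, Tuple

GROUPS = 8       # eight groups ...
GROUP_LEN = 4    # ... of four hex digits, as in 448B-F260-A017-DA1C-F562-6D78-8FDF-3CFD


def fingerprint(public_key: bytes) -> str:
    """Derive the display fingerprint of a public key (assumed derivation)."""
    digest = hashlib.sha256(public_key).hexdigest().upper()[:GROUPS * GROUP_LEN]
    return "-".join(digest[i:i + GROUP_LEN] for i in range(0, len(digest), GROUP_LEN))


def normalize(fp: str) -> str:
    """Drop dashes and spaces and upper-case, so a fingerprint read over the
    phone and typed back in compares cleanly regardless of formatting."""
    return re.sub(r"[\s-]", "", fp).upper()


def mismatches(expected: str, entered: str) -> List[int]:
    """Positions (0-based, over the 32 hex digits) where `entered` differs from
    `expected`.  A missing or extra trailing digit counts as a mismatch too."""
    a, b = normalize(expected), normalize(entered)
    n = max(len(a), len(b))
    return [i for i in range(n) if i >= len(a) or i >= len(b) or a[i] != b[i]]


def validate(stored_key: bytes, spoken_fingerprint: str) -> Tuple[bool, List[int]]:
    """The Validate step: compare the fingerprint of the key held in the keyring
    with the one obtained over the secure channel.  Returns (valid, mismatch
    positions); an empty position list means the key is validated."""
    diff = mismatches(fingerprint(stored_key), spoken_fingerprint)
    return (not diff, diff)


def demo() -> Tuple[bool, bool, int, bool, List[int]]:
    """Constructed scenario: Alice's real key versus a key substituted in transit."""
    alice_key = os.urandom(294)     # constructed stand-in for Alice's RSA public key
    intruder_key = os.urandom(294)  # constructed stand-in for the substituted key

    # Bob obtains Alice's fingerprint out of band (e.g. by telephone).
    spoken = fingerprint(alice_key)

    # Keyring holds the genuine key: validation succeeds.
    genuine_ok, _ = validate(alice_key, spoken)

    # Keyring holds the intruder's key: nearly every digit disagrees, so the
    # dialog lights up the whole fingerprint rather than a character or two.
    spoofed_ok, spoofed_diff = validate(intruder_key, spoken)

    # Bob mistyped the last digit: only one position is flagged, which is the
    # "you probably wrote it down wrong, ask again" case from the text.
    typo = spoken[:-1] + ("0" if spoken[-1] != "0" else "1")
    typo_ok, typo_diff = validate(alice_key, typo)

    return genuine_ok, spoofed_ok, len(spoofed_diff), typo_ok, typo_diff


if __name__ == "__main__":
    genuine, spoofed, spoofed_count, typo, typo_pos = demo()
    print("genuine key validated:", genuine)
    print("substituted key validated:", spoofed, "- mismatching digits:", spoofed_count)
    print("typo validated:", typo, "- mismatching positions:", typo_pos)
```

The distinction the mismatch list gives you is the one the page relies on: a substituted key produces a fingerprint that disagrees almost everywhere, whereas a transcription slip shows up as one or two isolated positions, which tells you whether to re-read the fingerprint with your correspondent or to distrust the key you received.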