https://www.johndcook.com/blog/2023/12/15/pgp-fingerprint/ John D. Cook Skip to content * MATH + PROBABILITY + SIGNAL PROCESSING + NUMERICAL COMPUTING + SEE ALL ... * STATS + EXPERT TESTIMONY + FORECASTING + RNG TESTING + SEE ALL ... * PRIVACY + HIPAA + SAFE HARBOR + CRYPTOGRAPHY + DIFFERENTIAL PRIVACY * WRITING + BLOG + TWITTER + ARTICLES + TECH NOTES + SUBSCRIBE + NEWSLETTER * ABOUT + CLIENTS + ENDORSEMENTS + TEAM + SERVICES (832) 422-8646 Contact What is the point of a public key fingerprint? Posted on 15 December 2023 by John Public key cryptography uses two keys: a private key and a public key. The nature of these keys depends on the encryption scheme, such as whether one is using RSA, ECC, or some other method, but you can think of a key as a long number. A key may be a short list of numbers, but let's just say a key is a number. When you generate a public key, you get a pair of numbers, one that you keep secret and one that you publicize. Anyone can use your public key to encrypt a message that only you can decrypt, assuming only you have your private key. If I give you my public key, say I post it on my web site, how can you be sure that it's really my key? Maybe my site has been hacked and I don't even know it. Or maybe someone tampers with the site content between the time it leaves my server and arrives at your browser (though TLS is supposed to address that). We could get on a phone call and I you could read the key back to me. The problem with this approach is that keys are long. A 4096-bit RSA key, for example, encoded in hexadecimal, is 1024 characters long. You could read off the last so many characters of the key, maybe telling me that what you recieved ends in 9F0D 38FA. That would probably be sufficient to tell one key from another--it's very unlike you'd have two keys in a keychain that share the same last 32 bits--but that doesn't mean the previous part of the key hasn't been tampered with. What you'd really like is a cryptographic hash of the public key, short enough to conveniently compare, but long enough that it would be infeasible for someone to alter the public key in such a way as to produce the same hash. And that's exactly what a fingerprint is. In GnuPG, the GNU implementation of PGP, a fingerprint is an 160-bit hash, which means 40 hexadecimal characters. Manually verifying 40 characters is feasible; manually verifying 1024 characters is not. Categories : Computing Tags : Cryptography Privacy Bookmark the permalink Post navigation Previous PostFine-grained file differences Leave a Reply Your email address will not be published. Required fields are marked * [ ] [ ] [ ] [ ] [ ] [ ] [ ] Comment * [ ] Name * [ ] Email * [ ] Website [ ] [Post Comment] [ ] [ ] [ ] [ ] [ ] [ ] [ ] D[ ] Search for: [ ] [Search] John D. Cook John D. Cook, PhD My colleagues and I have decades of consulting experience helping companies solve complex problems involving data privacy, math, statistics, and computing. Let's talk. We look forward to exploring the opportunity to help your company too. [ ] [ ] [ ] [ ] [ ] [Send] [ ] [ ] [ ] [ ] [ ] [ ] [ ] D[ ] John D. Cook (c) All rights reserved. Search for: [ ] [Search] (832) 422-8646 EMAIL