• 0 Posts
  • 5 Comments
Joined 1 year ago
cake
Cake day: July 1st, 2023

help-circle



  • If this is some kind of messaging board, you’d probably put your public key in your profile (I assume that since OP is talking about the dark web that the posters there would rather not share their actual identity).

    Let’s talk about Alice, Bob and Eve. Alice is an active poster on a dark web forum. She puts her public key on her profile and uses the corresponding private key to sign her messages. If Eve wants to pretend to be Alice, Eve can simply put her own public key on her profile and sign messages with her own private key. But Bob is smart. Rather than just looking at the profile of the poster and copying their key every time, Bob saved it in his key store and assigned it to Alice (possibly even marked it as trusted). When Bob sees a post by Eve, he’ll try to validate it. This validation might succeed (if Bob has access to Eve’s public key), but it will be clear that the message wasn’t signed by Alice’s key.

    Of course, this all assumes that Bob has quite some knowledge of how this works and is vigilant enough to perform all these validations correctly.

    As for the regular internet, there are some services where you can share your public key: keys.openpgp.org is one of these. Of course, as /u/perviouslyiner@lemm.ee says, there’s still the matter of trust. You need to make sure that the public key you’re using is actually from the right person.


  • What you are doing is exporting your key. Your public key is indeed something you can (and should) share as it enables others to verify that you are indeed who you claim to be (or more accurately, that you’re in control of the private key that’s linked to that public key). So while you should share your public key, your private key must remain private.

    What these people on the dark web are doing is one step further: they sign their messages with their private key. This creates a cryptographic signature that’s different for each message (changing a single character in the message will generate a wildly different signature). Anyone with the public key can simply copy that message including the signature and validate it. If even a single character of the message was changed, the signature will not be valid. Thus ensuring others that the person who posted the message is indeed in control of the private key.

    Signing is different from encrypting: while encryption renders your message totally unreadable to anyone without the correct key, signing doesn’t change the message itself. It simply appends a signature allowing others to check that the message wasn’t tampered with.