What is the difference between sharing a public key and sharing just its 40-digit fingerprint? The public key is very long, so if I wanted someone to be able to verify my messages, could I just mail them a postcard with my 40-digit fingerprint?
-
An easier method is to upload your public key to a public key server (if you don't mind your public key being made public), then read the fingerprint to your friend over a phone/voip (if they trust & recognize your voice) - no postage or waiting for mail.– Xen2050Commented Feb 14, 2016 at 16:46
Add a comment
|
2 Answers
The fingerprint is like the serial number - the unique identifier - of a key. It's used to check that both parties are talking about the same key, in case there are multiple people with the same name in the public key server. (It's also dramatically easier to at-a-glance check a fingerprint than a massive public key string.)
The fingerprint is a hash of the public key, and since it's shorter, it must contain less information. Therefore, it cannot function as the public key because the public key cannot be retrieved from the fingerprint (in reasonable time). The hash function destroys the mathematical relationship of the public key to the private key.
Consider a slightly contrived physical metaphor. Suppose you have a lock (a public key) and jiggle its insides so that half the pins go away and the rest get reordered in some deterministic way (producing a borked lock, the fingerprint). The key for the real lock (private key) is not going to be able to open that munged lock because the physical interlocking relationship between it and the lock was lost. You could, however, determine that two locks were the same by comparing their fiddled versions, assuming that the fiddling process is a good hash.
So, no, you cannot use just the fingerprint to encrypt a message for someone. You must have the whole public key.
Further reading: PGP Key Verification, Public key fingerprint
-
I'd mention the fingerprint is supposed to be like a unique serial number. And you lost me on the borked lock metaphor (or maybe I'm distracted...)– Xen2050Commented Feb 14, 2016 at 16:35
-
@Xen2050 Yeah, it was kind of weird. I tried to make it a little better, and added the bit about the fingerprint being unique.– Ben NCommented Feb 14, 2016 at 16:40
-
-
It all makes sense now. The whole public key is needed first, and then you can verify the fingerprint by phone or post. Commented Feb 17, 2016 at 1:59
Can you send the fingerprint via postcard for verify a public key?
Short answer:
It is actually the idea of the fingerprint to ease the process of key authentication. So yes, you can send your fingerprint to others so they can verify your public key they have. However, you need to take care that the channel you send the fingerprint with is save.
Longer version:
It is common that public keys are accessible over some key server, or that people provide their public key in the encrypted message they send over the internet. Both are not very trustworthy sources, a man-in-the-middle could have changed the keys while you pull them. To authenticate the public keys of other (and initiate an encrypted communication with them), one needs to verify/authenticate this public accesible key.
To ease the process, you do not need to meet/phone the person in question and dictate your (possibly very long) public key, instead, you can compare your fingerprint with the fingerprint the person just computed out of the received public key.
However, the channel you use to communicate your fingerprint to compare them must be save. Personally, I am a bit to paranoid to communicate the fingerprint with a post card. However, to verify/authenticate the public key of another person, and if you trust the post service and the neighbours having access to the post box, it is feasible.
Differences between the key and the fingerprint
The fingerprint is computed with a cryptographic hash-function. Although it is meant to be unique (no two different messages share the same hash) you cannot invert the process, and thus, you cannot decrypt any messages encrypted with the corresponding public key.