On Data Integrity

Darren Tapp 2020-01-08 13:25

Digital Signatures Provide Security

In high school I read 1984 by George Orwell. You may remember that in this novel Winston Smith was employed to burn old newspapers. This was done in order to help support the ruling parties changing interpretation of events, if not to outright change the historical record. George Orwell could not have known about the digital way that information is preserved today.

Imagine what a current day Winston Smith would look like. This hypothetical Winston Smith wouldn't really need to burn anything. Simply altering the stored copies of data could drastically change people's perceptions. Just last week a librarian though it was odd that I was looking up something that wasn't digitally available. I could be very sure that the copy on the library shelf was the copy that the author intended. It would be nice if as much or more certainty could be provided for digital documents.

In fact it is possible to have a high degree of certainty that data has not changed. A digital signature provides mechanism to determine if information has changed. Once a document is signed then changing the document will invalidate the signature. It's also very difficult for anyone but the signing party to forge a signature. More difficult, in fact, than forging a handwritten signature.

There are other ways of preserving the integrity of data. The paper of Satoshi Nakamoto is perhaps one of the best digitally preserved documents. Blockchair provides a whole page that monitors this paper as hosted on several sites. They advertise the hash of the file and periodically check that it hasn't changed. There is also a copy included on the bitcoin blockchain. Embedding the document in the chain ensures the data haven't changed however it could be the case that a false copy was buried long ago. Digital signatures provide the advantage that the signer can first do their diligence and be reasonably certain that they're singing the correct copy.

As I have high certainty that I am hosting the original version of Satoshi Nakamoto's paper, I have signed this document.

Use Linux to Check the Signature

If you don't have a linux computer you should get one. Most linux installs come with Gnu Privacy Guard gpg which is software that implements the PGP (Pretty Good Privacy) protocol. To check the signature we will need three files. You can right click the links to download them.

Darren's Public Key (darren_tapp_public_key.pub)

The File We Want to Check (bitcoin.pdf)

The Signature (bitcoin.sig)

Download all three files and put them in the same directory. I made a fresh directory so that it's less cluttered. The command ls lists all the files

That's good, all three files are there. Now I import Darren's public key.

gpg-import-bitcoin-sig.sh (Source)

$gpg --import darren_tapp_public_key.pub

When you start typing the file name, most likely, you can press tab to auto-complete.

/images/gpg--import-check-bitcoin-sig.png

The picture above is the response to this command. I used a fresh gpg install and there was a warning about it being a fresh run. This warning is not serious. It's only important if we were expecting gpg to manage our trust. Finally, we can verify the signature.

gpg-verify-bitcoin-sig.sh (Source)

$gpg --verify bitcoin.sig bitcoin.pdf

Use the --verify flag and type the file with the signature and the file that we want to verify.

/images/signature-on-bitcoin-is-good.png

In this example we have verified a detached signature. That's when the signature is separate from the file. It's also possible to have a signature as part of the file or message.

Again the display shows a warning. If we informed gpg that we trusted my key that warning will go away.