Page signature with PGP
Why must HTML pages be signed?
It is usually convenient to make sure that the information included in a document is precise, identical to the original published form, so that we must make sure that we have access to the original information.
This is the main aim of the PGP signature of some HTML pages in the server of INTECO, so that any user can ensure that the information has not been modified. Different mathematical techniques are used, including public key cryptography and the PGP program.
Public key cryptography.
Public key cryptography is based on the existence of two keys or mathematical functions with a fundamental characteristics, which is that a message can only be decoded using a complementary key. It is called a “public key” because one of them is secret, while the other is public and any person can have access to it.
When signing a document, the private key is used and anyone can ensure that it has not been modified with the use of a public key, since the modification of the text would not validate the authentication of the message.
What is PGP?
There are different programs that can be used for the digital signature of documents. The PGP program has been chosen for the signature of HTML pages of the server. This was one of the first programs that was started to be used by users to sign and encode documents. It has a long and interesting history and there are public domain versions for almost all platforms and operating systems, which allows us to check that the pages have not been modified on any operating system.
Why isn’t SSL/TLS used?
There is another mechanism called SSL/TLS that enables safe and authenticated connections from WWW browsers, such as Mozilla Firefox or Internet Explorer, ensuring the use of a more transparent and direct method than that used by INTECO. The problem of this system is that all cryptographic operations are carried out for each connection established, so that the connection is slower. The system used by the server of INTECO is not as transparent for the browser since it only signs pages once (when they are modified by INTECO), and the pages signed are loaded at the same speed than pages that are not signed.
Validation of the contents of a page using GPG.
GPG is a free implementation of the OpenPGP standard. There are downloadable versions for Microsoft Windows and Linux, among other OS. A validation example using GPG is shown next.
- First, save the source code of the page in a file. In Internet Explorer 6, go to
File -> Save as and select the
Web Page option, only HTML. In Internet Explorer 7, go to
Page -> Save as and select the Web Page option, only HTML. In Mozilla Firefox the operation is identical to that in version 6 of Internet Explorer.
We must then import the public key of INTECO, executing the following command:
gpg --keyserver pgp.rediris.es --recv-key 84970D98
Finally, execute the following command to validate the previously downloaded page, replacing file_name with the path to the said page:
gpg --verify file_name
If the verification is correct, the following message will be displayed:
gpg --verify home_inteco.html
gpg: Signature made Wed Feb 21 13:56:46 2007 using RSA key ID 84970D98
gpg: Good signature from "Inteco, S. A. <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F78B 4796 75DE 5EF3 5C77 196B 64CC 15DA 8497 0D98
Otherwise, we will obtain the following error message:
gpg --verify home_inteco_modificada.html
gpg: Signature made Wed Feb 21 13:57:48 2007 using RSA key ID 84970D98
gpg: BAD signature from "Inteco, S. A. <firstname.lastname@example.org>"