[plug] PGP Sign messages

[Steve Baker]

Padraig MacIain wrote:

> the hash is generated by the private-key of the keypair. Its a key that is
> controlled by the 'owner' of it and never seen by anyone else. The hash
> is verified by the public key.

More correctly, the hash is *encrypted by* the private key of the 
keypair.  When you want to verify the message, you generate a hash of 
the message, decrypt the one supplied with the message using the senders 
public key, and if they match then the message hasn't been altered.

Quick crypto lesson for Tim:

Symmetric encryption is relatively simple - it uses a key to encrypt 
data, and the same key to decrypt.  Some smart people found out a way to 
break the key into two pieces (public and private) giving us asymmetric 
encryption.  Asymmetric encryption uses this pair of keys - one to 
encrypt and the other to decrypt.  Whichever one you use to encrypt, you 
must use the other to decrypt.  When you encrypt something with your 
private key, only the matching public key can decrypt it.  If someone 
uses your public key to encrypt something, only your private key can 
decrypt it.

To send a 'completely secure' message to you, a person would typically 
sign a message with their own private key, then encrypt it with your 
public key.  You decrypt the message with your private key, and verify 
the signature with the senders public key.  Of course, each party must 
first be certain that they have the REAL public key of the other party...

Regards,
Steve