You exchanged keys to encrypt documents: is that enough?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ ~~~~~~
⚙️ Discover my series on Automation of cybersecurity measures. THE Coded.
🔒 Related Stories: Encryption | Cyber security
💻 Free content on Cybersecurity Jobs | ✉️ Register for Broadcast list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ ~~~~~~
This document explains how to verify the signature of a GPG key after exchanging it with someone.
I’ve written in another article why this is important, but I’ll have an even better case study in today’s Morning Reading.
I also wrote here about choosing the best algorithm for your GPG key:
I wrote about installing GPG without HomeBrew and why on a Mac here:
Let’s say you followed the steps to create a GPG key and you emailed your public key to someone and they sent theirs back to you.
The next step is to verify the signature with an out-of-band process. Why is this important? Well, this morning I read from the Cyber Safety Review Board about the Microsoft Exchange breach where attackers stole Microsoft signing keys, which ultimately allowed the attackers to read emails sent through Microsoft Exchange.
If you are unable to verify the key and you sent it via email and someone has access to your emails, they can simply swap your key for theirs, intercept the documents you send in both ways, decrypt them with your own key, re-encrypt them with the…