Mailing List Archive

Re: What are fingerprints?
Jonas Steverud <d4jonas@dtek.chalmers.se> writes:

> What is the use of fingerprints? I couldn't find anything in the
> documentation.

Fingerprints are something like a hash value of a key: a short, unique
number. The intent is to use a fingerprint to verify that the key
belongs to the user given in the Key ID: if you can communicate over a
secure line, e.g., via phone, you may compare the fingerprints of the
key. Another possibility: the public key of a newspaper publisher. It may
be printed in the newspaper, and you can simply check whether the public
key from the keyserver is the correct one by comparing the
fingerprints. (You don't want to check the whole key, even if it is
printed out :-))

--
Best regards, MFvM

Microsoft has the right to create any changes to its OS and
products. It is not a monopoly because there are companies like Linux,
Unix and Apple. (Consumer voice from the Freedom to Innovate Network)
Re: What are fingerprints?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 30 Nov 1999, Jonas Steverud wrote:
> What is the use of fingerprints? I couldn't find anything in the
> documentation.

See Chapter 1, subsection 'Importing a public key' in the GNU Privacy
Handbook. A discussion of hash functions and what kinds of hash functions
are useful for cryptography is in Chapter 2, section 'Digital signatures'.

Mike

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjhSsQgACgkQBwMqlokEyOIvWwCggzOiMjCgowVrgmdAhKvnfs+N
0g4An2zmK3mxXPib+PJ3Ks51cquD0aLZ
=qQMC
-----END PGP SIGNATURE-----
Re: What are fingerprints?
> Fingerprints are something like a hash value of a key: a short, unique
> number. The intent is to use a fingerprint to verify that the key
> belongs to the user given in the Key ID: if you can communicate over a
> secure line, e.g., via phone, you may compare the fingerprints of the
> key. Another possibility: the public key of a newspaper publisher. It may
> be printed in the newspaper, and you can simply check whether the public
> key from the keyserver is the correct one by comparing the
> fingerprints. (You don't want to check the whole key, even if it is
> printed out :-))

I've always wondered: how on earth can they be unique? Yes, a hashing
algorithm can make the hashes *almost* unique, but how can it be guaranteed
that no two keys have the same fingerprint? It must be impossible, since
there is no communication with a central server during key generation. Yet,
in various documents on PGP, it is always stated that the fingerprints are
indeed unique.

--
/ Peter Schuller

PGP userID: 0x5584BD98 or 'Peter Schuller <scode@scode.webprovider.com>'
Key retrieval: Send an E-Mail to scode-getpgpkey@scode.webprovider.com
E-Mail: scode@scode.webprovider.com Web: http://www.scode.webprovider.com
Re: What are fingerprints?
On Sun, 12 Dec 1999, Peter Schuller wrote:

> I've always wondered: how on earth can they be unique? Yes, a hashing
> algorithm can make the hashes *almost* unique, but how can it be guaranteed
> that no two keys have the same fingerprint? It must be impossible, since
> there is no communication with a central server during key generation. Yet,
> in various documents on PGP, it is always stated that the fingerprints are
> indeed unique.

The odds that two fingerprints end up being equal are
1:1461501637330902918203684832716283019655932542976 against (for 160 bit
fingerprints). This is zero for all practical purposes.

Walter
Re: What are fingerprints?
On Sun, Dec 12, 1999 at 04:18:18PM +0100, Peter Schuller elucidated:
>
> I've always wondered: how on earth can they be unique? Yes, a hashing
> algorithm can make the hashes *almost* unique, but how can it be guaranteed
> that no two keys have the same fingerprint? It must be impossible, since
> there is no communication with a central server during key generation. Yet,
> in various documents on PGP, it is always stated that the fingerprints are
> indeed unique.
>

There is no way to guarantee they are unique. Once they are significantly
larger than the key ID, then there is less chance that there will be a
duplicate fingerprint (I don't know what the probabilities are, but I
imagine that they are relatively small). Only the whole key is unique (unless
someone uses your id and pass phrase to make another). The fingerprint
is a convenience, it is simpler for the user to check a whole key. If you meet
someone or are talking to them on the phone, and you are fairly confident who
you are talking to is who they say they are, then if you have them read their
fingerprint, you can have a relatively high degree of confidence that you
are using the correct key. Obviously if there is a fingerprint match, or you
want to be absolutely sure, then you'll want to check the entire key.


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dale Harris <rodmur@maybe.org> GPG key: 372FBD57 http://www.maybe.org/
Maybe is an Ambivalent Yet Beguiling Enigma
Re: What are fingerprints?
On Sun, Dec 12, 1999 at 11:26:05AM -0700
Dale Harris wrote:

> are using the correct key. Obviously if there is a fingerprint match, or you
> want to be absolutely sure, then you'll want to check the entire key.

A fingerprint is the output of a cryptographic hash function (hash
digest); therefore you have to assume that it is unique - most
cryptographic protocols rely on the properties of these hash algorithms
(MD5, SHA1, RIPEMD-160). The most important one is that these
functions are collision-free, which means that it is hard (in the
sense of it is hard to factor the product of 2 large primes) to
produce two different data images which yield the same fingerprint.

It really makes sense to call it a fingerprint, as this is the
counterpart in the non-technical area.

Hash algorithms are a basic building block in cryptography, more
information may be found at http://www.esat.kuleuven.ac.be/~bosselae/

--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
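
Added example, not part of the thread and not GnuPG's own code: it derives a fingerprint and the key IDs from a key packet, compares two fingerprints as read aloud, and puts numbers on the collision question for 32-bit key IDs versus 160-bit fingerprints. It assumes the OpenPGP version 4 key format (fingerprint = SHA-1 over 0x99, a two-byte length, and the public-key packet body); SAMPLE_BODY is a constructed stand-in, not a real key, and all function names are illustrative.

```python
import hashlib
import hmac
import math
import struct

def v4_fingerprint(pubkey_packet_body: bytes) -> str:
    """SHA-1 over 0x99, a two-byte big-endian length, then the packet body."""
    header = b"\x99" + struct.pack(">H", len(pubkey_packet_body))
    return hashlib.sha1(header + pubkey_packet_body).hexdigest().upper()

def key_ids(fingerprint: str) -> tuple:
    """Long (64-bit) and short (32-bit) key IDs are the tail of a v4 fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]

def fingerprints_match(local: str, read_aloud: str) -> bool:
    """Compare two fingerprints, ignoring the spacing and case used when printed."""
    def norm(s: str) -> bytes:
        return "".join(s.split()).upper().encode("ascii")
    return hmac.compare_digest(norm(local), norm(read_aloud))

def collision_probability(n_keys: int, bits: int) -> float:
    """Birthday bound: chance that any two of n_keys random `bits`-bit values collide."""
    pairs = n_keys * (n_keys - 1) / 2
    return -math.expm1(-pairs / 2.0 ** bits)

# Constructed stand-in for a v4 public-key packet body (not a real key):
# version byte, 4-byte creation time, algorithm byte, then filler "key material".
SAMPLE_BODY = b"\x04" + struct.pack(">I", 944000000) + b"\x11" + bytes(range(64))

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)
    long_id, short_id = key_ids(fpr)
    grouped = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))
    print("fingerprint :", grouped)
    print("long key ID :", long_id)
    print("short key ID:", short_id)
    print("match       :", fingerprints_match(fpr, grouped.lower()))
    print("pairwise odds for 160 bits: 1 in", 2 ** 160)
    for n in (100_000, 1_000_000_000):
        print(f"{n:>13} keys: 32-bit ID {collision_probability(n, 32):.3g}, "
              f"160-bit fingerprint {collision_probability(n, 160):.3g}")
```

With 100,000 keys a collision among 32-bit key IDs is already more likely than not, while for 160-bit fingerprints the probability stays negligible even at a billion keys.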