Cyber Security

Public Key Verification: A Simple Guide

TL;DR

Verifying a public key ensures you’re communicating with the intended person and not an imposter. This guide covers practical steps using fingerprints, trusted sources, and out-of-band confirmation.

1. Understand Public Key Fingerprints

A public key fingerprint is a short cryptographic hash (typically SHA-256) of the key itself, a digital summary that is, for practical purposes, unique to that key. If even one bit of the key changes, the fingerprint will be completely different. This makes it useful for checking whether the key you hold has been tampered with or swapped for a different one.

2. Obtain the Public Key

  1. From a Trusted Source: The best way is directly from the person you want to communicate with – in person, over a secure phone call, or through a website you *already* trust (e.g., their official company site).
  2. Key Server (Use with Caution): Public key servers are convenient but less secure. Anyone can upload keys, so verification is crucial. We’ll cover that in the next steps.

3. Verify the Fingerprint

Once you have the public key, calculate its fingerprint and compare it to a trusted source.

Using OpenSSL

OpenSSL has no fingerprint option for a bare public key (the -fingerprint switch belongs to openssl x509 and works on certificates only), so convert the PEM key to its DER encoding and hash that:

openssl pkey -pubin -in your_public_key.pem -outform DER | openssl dgst -sha256 -c

This command will output something like (older OpenSSL releases label the line SHA256(stdin)= instead):

SHA2-256(stdin)= aa:bb:cc:dd:ee:ff:...

Using GPG

  1. Import the key (an OpenPGP key, usually an ASCII-armoured .asc file; GPG does not read the X.509/PKCS#8 PEM files OpenSSL uses):
    gpg --import your_public_key.asc
  2. List keys with their fingerprints:
    gpg --fingerprint

Compare the fingerprint shown by GPG to the one you received from a trusted source.
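The following script is an added example, not part of the original guide. It reproduces in Python what the OpenSSL pipeline above does (strip the PEM armour, hash the DER bytes with SHA-256, print colon-separated hex), flips one bit of the key to show the avalanche effect described in step 1, and compares the computed fingerprint with one read back over the phone while ignoring case, colons and spacing, so that a difference in formatting is never mistaken for tampering and a truncated readback never passes. The key bytes inside SAMPLE_PEM are constructed for the demonstration and are not a real key; only the Python standard library is used.

```python
"""Fingerprint a PEM-encoded public key and compare it with a fingerprint
confirmed over an out-of-band channel. Added example, standard library only."""
import base64
import hashlib
import hmac
import re

# Matches the "-----BEGIN PUBLIC KEY-----" / "-----END PUBLIC KEY-----" armour lines
PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")


def pem_to_der(pem_text: str) -> bytes:
    """Strip the BEGIN/END armour lines and base64-decode the body to DER bytes.
    Hashing the DER bytes means line wrapping or whitespace in the PEM file
    cannot change the fingerprint."""
    body = [line.strip() for line in pem_text.strip().splitlines()
            if line.strip() and not PEM_LINE.match(line.strip())]
    return base64.b64decode("".join(body), validate=True)


def fingerprint_der(der: bytes) -> str:
    """SHA-256 of the DER encoding as colon-separated two-digit hex groups,
    the same layout 'openssl dgst -sha256 -c' prints."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Reduce a fingerprint as a person might read or type it (upper or lower
    case, colons, spaces, newlines) to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(computed: str, confirmed: str) -> bool:
    """Constant-time comparison of the locally computed fingerprint with the one
    confirmed out of band. False means: stop, do not use the key."""
    a, b = normalise(computed), normalise(confirmed)
    # 64 hex digits = 32 bytes = a full SHA-256; a partial readback must not pass
    if len(a) != 64 or len(b) != 64:
        return False
    return hmac.compare_digest(a, b)


def flip_one_bit(der: bytes) -> bytes:
    """Return a copy of the key bytes with a single bit changed, to show how
    completely the fingerprint changes."""
    tampered = bytearray(der)
    tampered[0] ^= 0x01
    return bytes(tampered)


# Constructed sample: these bytes are NOT a real key; they stand in for the DER
# body of one so the example runs offline.
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed sample key bytes, not a real key").decode()
    + "\n-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    fp = fingerprint_der(der)
    print("computed :", fp)
    print("tampered :", fingerprint_der(flip_one_bit(der)))
    # The fingerprint as a contact might read it back over the phone
    spoken = fp.upper().replace(":", " ")
    print("match    :", fingerprints_match(fp, spoken))
    print("mismatch :", fingerprints_match(fp, fingerprint_der(flip_one_bit(der))))
```

Run it on a real PEM file by passing the file's contents to pem_to_der; the fingerprint it prints should equal the OpenSSL output above for the same key, and fingerprints_match is the check to run against the value your contact confirms over a separate channel.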

4. Out-of-Band Confirmation

This is *the most important step*. Never rely solely on digital methods. “Out-of-band” means confirming information through a different channel than the one used to obtain the key.

  • Phone Call: Call the person and read them the fingerprint you calculated.
  • In-Person Verification: Meet in person and compare fingerprints directly.
  • Trusted Messaging App (with prior verification): If you’ve already verified their key on a secure messaging app like Signal, use that to confirm.

5. Key Server Considerations

If you obtained the key from a key server:

  • Multiple Sources: Check the fingerprint against multiple key servers if possible.
  • Key Age & Signatures: Look for keys that are relatively recent and have been signed by other trusted individuals (a ‘web of trust’). This isn’t foolproof, but adds a layer of confidence.

6. What to Do If Fingerprints Don’t Match

STOP! Do not use the key. It has likely been tampered with or you have received it from an imposter.

  • Contact the person directly through a known, trusted channel (not email!).
  • Do not proceed until you can verify the correct key.

7. Common Mistakes to Avoid

  • Trusting Email Attachments: Never trust public keys sent as attachments in emails. Emails are easily spoofed.
  • Copy-Pasting Fingerprints: Copying fingerprints by hand is error-prone. Read the fingerprint aloud over the phone instead of copying it.
  • Ignoring Out-of-Band Verification: This is the biggest mistake. Digital verification alone isn’t enough.