Score:2

How do you get a Public Key from a Fingerprint

in flag

I've seen some people putting their public key's (I'd suppose they refer to a PGP PK) fingerprint on powerpoints and alike so that they can be reached out to using a safe channel.

From my POV, it's obvious that there should be a way to get the original PK from the fingerprint (if there wasn't, I don't really find the point of sharing the fingerprint).

However, I've read that the fingerprint is a hash, and from my experience reversing a hash by just try-harding isn't great at all. How would you do this?

kelalaka avatar
in flag
Well, a public key can be long especially for RSA, 2048 bit modulus $n$ plus the public exponent $e$ that forms $(n,e)$ as the public key. If you hash it with SHA-256 then it is much shorter and collision-free since we need around $2^{128}$ public key to see one with high probability. Therefore it is possible to use it. Even Bitcoin uses RIPEMD-160 for this; $$A = RIPEMD160(SHA256(K)) $$
Néstor Llop avatar
in flag
so, is there any way to use the fingerprint so that I can get to send content using the respective public key?
kelalaka avatar
in flag
You need to find the corresponding one...
fgrieu avatar
ng flag
From a crypto standpoint, there is no way to get the public key from it's hash, the fingerprint. But if one looks at this from an IT standpoint; there could be (and there used to be) public key servers, from which you get the public key (given the name or email of the person; or possibly the fingerprint, though I can't remember this ever was a standard procedure), and then check the public key against it's fingerprint. Another option is to email asking for the public key, and then check the public key against it's fingerprint.
Néstor Llop avatar
in flag
oh roger that: using a "lookup table" or by asking for the PK. And yeah, to me it seemed impossible to get the actual data given a hash, but I've seen a lot of people publishing hashes claiming that it was enough to get in touch
Score:3
kr flag

You cannot get public key from fingerprint.

The purpose of sharing fingerprints is to make sure that particular public key really belongs to particular person.

When you want to encrypt a message to some person, you ask this person for a public key and receive it per Email. For some persons, e.g. for some developers, you can find their public key on different online resources.

When you get public key, via Email or by downloading, how do you know that it really belongs to the particular person? You compute the fingerprint and compare it to the one you have got via some channel that you trust, e.g. you have attended a talk of this person and the fingerprint was displayed on the presentation slides, or you've got the fingerprint from Twitter or Facebook account of this person.

Why not share public key directly, e.g. via slides? Because public keys can be relatively long, and that's why it can be hard to embed them and hard to verify. Whereas embedding and verifying of fingerprint is easy.

Score:1
in flag
mjt

When people hand out their public key fingerprints, it's almost always a PGP key.

Usually, you can get the original PK from the fingerprint by looking the fingerprint up on a public PGP key server.

For example, if someone tells you their PGP key fingerprint is 5744 6EFD E098 E5C9 34B6 9C7D C208 ADDE 26C2 B797 you can look it up on a PGP key server like so or import it into GPG like so: $ gpg --keyserver keyserver.ubuntu.com --recv-keys 57446efde098e5c934b69c7dc208adde26c2b797

Of course, in the current age of pandemics and online presentations, one could simply put a link, or even an entire key, into an electronically delivered presentation.

Néstor Llop avatar
in flag
Thank you for your answer! I'd like to ask for some more info, though. Obviously not every public key is in that server you mention. How would you get yours into the lookup server, for example?
kr flag
@mjt: Trusting keys or fingerprints in the "electronically delivered presentation" can be very dangerous. An attacker can put own signature or public key in the presentation, register it using email similar to yours, and can claim it is you. The receiver will send messages to the attacker believing it is you. The receiver will trust code signed by attacker key believing it is your code. This can be very dangerous. Fingerprint is needed **namely to prevent** this, and it should be shared via **trusted** channel, not simply "electronically delivered".
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.