Jan 01, 2012 You store the public key in hex format in a file and use that with this new tool. To calculate the fingerprint, I extract the modulus and exponent from the public key, store them in another format (ssh-rsa) and calculate the MD5 hash. So now I can connect to a router via the serial console while there’s no “man in the middle”, obtain the public key and calculate the fingerprint.
The fingerprint is a short version of the server's public key; it is easier for you to verify than the full key. It is very hard to spoof another public key with the same fingerprint. When you connect to a machine for the first time you do not have the fingerprint in your known_hosts, so ssh has nothing to compare it to, so it asks you.
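
The fingerprint calculation described above (modulus and exponent re-encoded as an ssh-rsa key blob, then hashed with MD5), written out as an added example; this is not the tool the text refers to. The sample modulus is constructed and is not a real key, all function names belong to this example only, and the SHA-256 form shown by current OpenSSH clients is included in addition to the MD5 form the text mentions.

```python
import base64
import hashlib
import struct

# Constructed sample values, not a real key: a 128-bit "modulus" as it might
# be copied in hex from a device console, and the usual public exponent.
SAMPLE_MODULUS_HEX = "D2B47F31 9C05E8A6 4B13F7C9 0A5E6D81"
SAMPLE_EXPONENT = 65537

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint for a positive integer. The extra byte keeps the top
    bit clear, so a modulus starting 0x80..0xFF is not read as negative."""
    if value <= 0:
        raise ValueError("RSA modulus and exponent must be positive")
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ssh_rsa_blob(modulus_hex: str, exponent: int) -> bytes:
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    n = int("".join(modulus_hex.split()), 16)
    return ssh_string(b"ssh-rsa") + ssh_mpint(exponent) + ssh_mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Legacy form: MD5 of the blob as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(blob: bytes) -> str:
    """Form printed by current OpenSSH: unpadded base64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_matches(shown: str, blob: bytes) -> bool:
    """Compare the fingerprint a client displays with the trusted key."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown == sha256_fingerprint(blob)
    shown = shown.lower()
    if shown.startswith("md5:"):
        shown = shown[4:]
    return shown == md5_fingerprint(blob)

if __name__ == "__main__":
    trusted = ssh_rsa_blob(SAMPLE_MODULUS_HEX, SAMPLE_EXPONENT)
    print(md5_fingerprint(trusted))
    print(sha256_fingerprint(trusted))
```

Pass `fingerprint_matches` the fingerprint string the ssh client prints on first connection and the blob built from the key read over the trusted channel; a `False` result means the key offered over the network is not the one on the device.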
Public Key Example
To communicate with others you must exchange public keys. To list the keys on your public keyring use the command-line option --list-keys.
Exporting a public key
To send your public key to a correspondent you must first export it. The command-line option --export is used to do this. It takes an additional argument identifying the public key to export. As with the --gen-revoke option, either the key ID or any part of the user ID may be used to identify the key to export.
The key is exported in a binary format, but this can be inconvenient when the key is to be sent through email or published on a web page. GnuPG therefore supports a command-line option --armor[1] that causes output to be generated in an ASCII-armored format similar to uuencoded documents. In general, any output from GnuPG, e.g., keys, encrypted documents, and signatures, can be ASCII-armored by adding the --armor option.
Importing a public key
A public key may be added to your public keyring with the --import option.
Once a key is imported it should be validated. GnuPG uses a powerful and flexible trust model that does not require you to personally validate each key you import. Some keys may need to be personally validated, however. A key is validated by verifying the key's fingerprint and then signing the key to certify it as a valid key. A key's fingerprint can be quickly viewed with the --fingerprint command-line option, but in order to certify the key you must edit it. A key's fingerprint is verified with the key's owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner. If the fingerprint you get is the same as the fingerprint the key's owner gets, then you can be sure that you have a correct copy of the key.
After checking the fingerprint, you may sign the key to validate it. Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key's fingerprint with the owner before signing the key.
Once signed you can check the key to list the signatures on it and see the signature that you have added. Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key.
Notes
[1] Many command-line options that are frequently used can also be set in a configuration file.