PGP and GnuPG ? ? ?


Joined: 05 Feb 2005
Posts: 355
Location: Aberdeen, WA

PostPosted: Sun Oct 30, 2005 8:52 pm    Post subject: PGP and GnuPG ? ? ?

In beginning to learn how to encrypt email or post signatures, I am still absolutely confused by a few things. I was wondering if anyone can refer me to a site where I can learn what I need.

So, I've got strong encryption configured to work with my mailer, and my public key has been posted to a round robin keyserver. Now, what do I do:

- can I send an encrypted message to anyone, and they can read it using the public key? How do they get the public key? Does the recipient need to have PGP also?

- do I need to include the key with my message?

- do I ever need to include the secret key, or does it always remain solely in my possession?

- can I ever remove the keys from my computer and store them in a different physical location?

- If I need to send the public key along with my message, what is the use of a public keyserver?

- If the public key is included in the message, is this not a security risk?

- how do I armor-ascii something, such as a key? Merely encrypt it to a text file and that's it? If so, how is it usable to anyone without the key?

- can chat functions be encrypted?

These are things that I don't understand from the tutorials I've read.

Any advice is much appreciated. Thanks!


PostPosted: Tue Dec 13, 2005 5:58 pm    Post subject:


Joined: 25 Mar 2006
Posts: 20
Location: England

PostPosted: Sun Mar 26, 2006 5:43 pm    Post subject:

Here's a quick guide to the basic principles of public key cryptography (what PGP and GnuPG do) - but I only looked at it briefly a few years ago, so read the documentation if you want to know properly!

(Sorry if the tone of this message seems a little condescending - I'm just trying to state things clearly!)

Keys are generated in pairs: a public key, to share with others, and a secret key, which you must keep private. Do NOT share the secret key with anyone - the security of the whole system depends on you being the only person with access to it.

There is a one-to-one relationship between these two keys, such that a message encrypted with a particular public key can only be decrypted with the corresponding secret key, and vice versa. Using this fact it is possible to do 2 things:

Private messages
Sending a message that only a particular person can read. To do this, you don't need to do anything with your keys; you need to encrypt the message with the recipient's public key. Then it can only be decrypted with their secret key. Since the recipient is the only person who has that key (assuming they've been vigilant in keeping it secret), they are the only person who can read the message.

Digital signature
'Signing' a message to prove it was written by you (or at least, encrypted by you). To do this, encrypt the message with your secret key. Then anyone who has a copy of your public key can decrypt it, and know that it was encrypted with your secret key. Since you are the only person who has that key (right...?), you are the only person who could have written it.

Those two functions are the basic building blocks. It's possible and common to both sign and encrypt a message, and PGP lets you do both in one step.

Of course, the weak link is security of the keys. Not only secret keys - when using a public key to send a private message or check a signature, are you sure that it really belongs to that person, not a would-be snooper who has created a key with their name on it? (This could be used to perform a 'man in the middle' attack; read the PGP documentation to find out more). Public key servers are provided as a convenience, but there is always the possibility of them being hacked. Exchanging keys by e-mail has obvious problems (is the e-mail really from that person? has it been intercepted and changed?)

The only sure way to know a public key is genuine is to receive a copy from its owner in person (e.g. on floppy disk / CD). This is not always practical, so a compromise is to compare the 'fingerprint' (a shortened number produced from the key) over the telephone, but are you sure you're talking to the right person? You need to decide how paranoid you are and what level of precautions you're willing to take.

To help mitigate these problems, PGP has a system of signing keys; read the documentation for more.

Hope this helps!

- Matthew