[new-user] question

2012-04-12 Thread michael crane
hello,
I'm trying to understand the principles and benefits of using pgp/gpg
I think I understand that I send the part of my key that is public to
somebody and they use that key to encrypt a message which only I can
decipher.
So what if somebody uses my public key to send me a message purporting
to come from somebody else ?
what is the mechanism to ensure it came from who I think it did ?

regards
mick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: [new-user] question

2012-04-12 Thread brian m. carlson
On Thu, Apr 12, 2012 at 11:21:16PM +0100, michael crane wrote:
> hello,
> I'm trying to understand the principles and benefits of using pgp/gpg
> I think I understand that I send the part of my key that is public to
> somebody and they use that key to encrypt a message which only I can
> decipher.
> So what if somebody uses my public key to send me a message purporting
> to come from somebody else ?
> what is the mechanism to ensure it came from who I think it did ?

The sender can sign the message to verify that it came from him or her.
If someone just sends you an unsigned encrypted message, there is no way
to verify that it came from who you think it did.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: [new-user] question

2012-04-12 Thread Robert J. Hansen
On 04/12/2012 06:21 PM, michael crane wrote:
> what is the mechanism to ensure it came from who I think it did ?

Turn it around.

The public and the private key are inverses.  Each can decrypt what the
other one encrypts.  When someone encrypts a message with your public
key, only your private key can decrypt it.  And if you encrypt a message
with your private key, then anyone who has your public key can decrypt it.

So if I have a copy of your public key, and it decrypts a message
successfully... then I know it was encrypted with your private key.  And
since you're the only one who has your private key, it means I can have
confidence the message came from you.

Usually this process is called signing a message.  This is how
signatures work.  :)
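
An added example, not part of the original thread and not GnuPG's own code: textbook RSA (no padding, toy keys built from known Mersenne primes, so for illustration only) run through the scenario asked about. The names MICK, ALICE, MALLORY and every function are constructed for this example, and the signature here is computed over a SHA-256 hash of the message text.

```python
import hashlib

def make_key(p, q, e=65537):
    """Return (public, private) textbook-RSA keys from two primes."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa(key, value):
    """Raw RSA operation: value ** exponent mod n."""
    n, exponent = key
    return pow(value, exponent, n)

def encrypt(pub, text):
    return rsa(pub, int.from_bytes(text.encode(), "big"))

def decrypt(priv, ciphertext):
    m = rsa(priv, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def digest(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(priv, text):
    return rsa(priv, digest(text))

def verify(pub, text, signature):
    return signature is not None and rsa(pub, signature) == digest(text)

# Constructed toy keys from known Mersenne primes: trivially breakable.
MICK_PUB, MICK_PRIV = make_key(2**127 - 1, 2**521 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**107 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**89 - 1, 2**1279 - 1)

def receive(ciphertext, signature, claimed_sender_pub):
    """Mick decrypts, then checks the signature against the claimed sender."""
    text = decrypt(MICK_PRIV, ciphertext)
    return text, verify(claimed_sender_pub, text, signature)

def demo():
    genuine, forged = "From Alice: meet at noon", "From Alice: send the files"
    return [
        # Alice signs with her private key and encrypts to Mick's public key.
        receive(encrypt(MICK_PUB, genuine), sign(ALICE_PRIV, genuine), ALICE_PUB),
        # Mallory encrypts to Mick's public key without signing: decrypts fine.
        receive(encrypt(MICK_PUB, forged), None, ALICE_PUB),
        # Mallory signs with her own key: fails against Alice's public key.
        receive(encrypt(MICK_PUB, forged), sign(MALLORY_PRIV, forged), ALICE_PUB),
    ]

if __name__ == "__main__":
    for text, verified in demo():
        print(f"{text!r}: signature valid for Alice = {verified}")
```

All three messages decrypt cleanly with Mick's private key; only the signature check against Alice's public key separates the genuine one from the two forgeries.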




Re: [new-user] question

2012-04-12 Thread Laurent Jumet

Hello michael !

michael crane mick.cr...@gmail.com wrote:

> I'm trying to understand the principles and benefits of using pgp/gpg
> I think I understand that I send the part of my key that is public to
> somebody and they use that key to encrypt a message which only I can
> decipher.
> So what if somebody uses my public key to send me a message purporting
> to come from somebody else ?
> what is the mechanism to ensure it came from who I think it did ?

You are referring to the 2nd part of crypting: signature.
Crypting to your key is only to ensure that you'll be the only one to read
it, but you are supposed to know what you'll find in the message.
Signing is dedicated to the recipient: it allows him to be sure that the
message comes from exactly you.

-- 
Laurent Jumet
  KeyID: 0xCFAF704C
