Off-Topic: PGP Questions
I realize this forum is for TB questions, but I see so much on here about PGP, I thought I might ask a few questions about PGP. Since these questions are not really germane to the list, if you'd prefer to answer off-list, that would be fine.

I've never used PGP, but the discussion on here has made me curious. I checked the pgp.com website, but I still have only the vaguest idea of how it works. As I understand it, its purpose is to prevent anyone other than the intended recipient from looking at one's email and to prevent that email from being altered along the way.

First question: I assume that PGP prevents anyone from intercepting the email at some point between a person's sending it and its arrival at the computer to which it was intended. Does it also prevent anyone at that computer from reading the email other than the intended recipient? In other words, if I send an email to a husband, does PGP prevent the wife from reading it on her husband's computer?

Second question: This is *not* a smart-ass or rhetorical question. I'm fairly naive, but in five years of sending email, including my credit card numbers, I've never had anything intercepted between my computer and the recipient's computer. I'd be interested in knowing if anyone else has ever had their own email intercepted.

Third question: I see the value of encrypting an email with really important or sensitive information, but I note that many people seem to encrypt their email to this list as well, even when it contains nothing valuable that would seem to warrant encryption. Is there an advantage to encrypting personal or unimportant business email, or do people just encrypt everything they send out by default?

Last question: I went to the pgp.com site but couldn't find anything that really explains the nuts and bolts of how the system works. Their site seems aimed at people who already understand what PGP is. Once one is signed up, from what I've seen, one has to put some kind of PGP key or notice at the bottom of their email. I've seen it called a public key. Is there also a private key? Does the recipient of an email have to get one or more keys to read the email or to reply to it? Does everyone on your mailing list have to have some kind of key to send you an email? I have no idea of how this key thing works and would be happy to get an answer or to have someone point out to me where to go (please don't take that too literally!).

Thanks for any help.

Mike

-- 
JANUS BOOKS, LTD.
Post Office Box 40787, Tucson, AZ 85717
Phone: 520-881-8192; toll-free voice-mail: 800-986-1165; Fax: 815-333-2938
http://janusbooks.com
Visa, MasterCard, Discover, and PayPal accepted.
Member: IOBA (Independent Online Booksellers Association)

Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Off-Topic: PGP Questions
Michael S. Greenbaum [EMAIL PROTECTED] on 10/29/03 at 12:30 p.m. wrote:

> I realize this forum is for TB questions, but I see so much on here about PGP, I thought I might ask a few questions about PGP. Since these questions are not really germane to the list, if you'd prefer to answer off-list, that would be fine.

Please respond on the list. Others, like myself, have the same questions that Michael has. With so many of the postings devoted to PGP and with the apparent integration of this functionality into The Bat, it seems to me that this is quite germane, particularly if ver. 2.0 of The Bat is supposed to improve this functionality. Understanding more about how PGP works can inform a decision about the advisability of an upgrade.

Thanks.

-- 
Avi
Avram Sacks
Chicago
[EMAIL PROTECTED]
Re: Off-Topic: PGP Questions
Hi Michael,

On Wednesday, October 29, 2003, at 10:30:12 AM PST, you wrote:

> I've never used pgp, but the discussion on here has made me curious. I checked the pgp.com website, but I still have only the vaguest idea of how it works.

In addition to the copious documentation that comes with PGP (you can access it once you've installed PGP), here's a site that explains it pretty well in easy-to-understand terms (it only mentions versions 6.x and 7.x, but the basic concepts and usage are the same with v8.x): http://www.pitt.edu/~poole/PGPintro.htm

> As I understand it, its purpose is to prevent anyone other than the intended recipient from looking at one's email and to prevent that email from being altered along the way.

There are two basic functions here...encryption (to prevent anyone other than the intended recipient from reading the message content), and digital signatures (to verify (1) that the message content has not been altered in any way since it was signed (signified by either a good or bad signature verification), and (2) through the web of trust, to ensure that a certain key owner is the one who actually wrote the message (the key is either valid or invalid...depending on your trust of the key in question)).

> I assume that PGP prevents anyone from intercepting the email at some point between a person's sending it and its arrival at the computer to which it was intended.

Incorrect assumption. :-) If you want only your intended recipient (and perhaps yourself) to be able to read a message, encryption can do this for you. However, this alone does not prevent a message from being *intercepted* during transit. In fact, this is one of the reasons to send encrypted messages...so that even if a message is somehow intercepted (or looked at by someone else sitting at a person's computer), still only the intended recipient can decrypt and read it.

> Does it also prevent anyone at that computer from reading the email other than the intended recipient?

Yes...see above.

One important note on this one...if you've chosen to cache your passphrase for any length of time, then go away from your computer while it's still cached, anyone can sit at your computer and decrypt your encrypted email. I recommend either not caching passphrases, or at least being very careful about how you go about it.

> In other words, if I send an email to a husband, does PGP prevent the wife from reading it on her husband's computer?

Again...see above.

> This is *not* a smart-ass or rhetorical question. I'm fairly naive, but in five years of sending email, including my credit card numbers, I've never had anything intercepted between my computer and the recipient's computer.

Perhaps not that you know of, but I'm not sure you can claim the above just because you haven't *noticed* anything amiss...yet.

> I'd be interested in knowing if anyone else has ever had their own email intercepted.

How would we necessarily know, barring some sort of feedback? It's almost always *possible* for email to be intercepted.

> I see the value of encrypting an email with really important or sensitive information, but I note that many people seem to encrypt their email to this list as well,

No. You're not seeing encryption of messages on this list. Perhaps some digital signatures (an encrypted hash of a clear text message), but not an encrypted message...unless someone sends one here by mistake. If you can read the message without decrypting it, it's in clear text. If it's encrypted, you wouldn't be able to decrypt it unless it was encrypted to *your* key.

> even when it contains nothing valuable that would seem to warrant encryption.

When you send a letter to a friend, relative, or other correspondent, do you always use postcards? Or do you put the letter in an envelope? While not being a *direct* analogy (because anyone along the way can, if they really wanted to, open up a bit of snail mail in an envelope, but they can't decrypt an email message encrypted to a key other than their own), it does illustrate a little something about how we consider and deal with our personal privacy (and by extension, of course, the privacy of our correspondents).

> Is there an advantage to encrypting personal or unimportant business email...

I guess it all depends on what you consider important, unimportant and/or simply private.

> ...or do people just encrypt everything they send out by default?

I'm not encrypting this email...but I am signing it! :-)

> I went to the pgp.com site but couldn't find anything that really explains the nuts and bolts of how the system works.

Please see the first paragraph of this reply.

[snipped several more questions]

> I have no idea of how this key thing works and would be happy to get an answer or to have someone point out to me where to go (please don't take that too literally!).

Again, you can start with the link I provided earlier in this reply, and you can also read the very detailed documentation that is
Re: Off-Topic: PGP Questions
> First question: I assume that PGP prevents anyone from intercepting the email at some point between a person's sending it and its arrival at the computer to which it was intended.

It can be intercepted, in the sense that anyone can see that a message has been sent, but it is encrypted, and decoding it is very difficult (in most cases so difficult as to be considered secure), so it cannot be usefully read. For the same reasons the content is also considered tamperproof, so a malicious person in the middle cannot modify the message.

> Does it also prevent anyone at that computer from reading the email other than the intended recipient? In other words, if I send an email to a husband, does PGP prevent the wife from reading it on her husband's computer?

This depends... if the pass-phrase is easily available, or could be guessed, and the private key is held on the aforementioned computer, I would not consider it safe. This depends on the habits of the recipient.

> This is *not* a smart-ass or rhetorical question. I'm fairly naive, but in five years of sending email, including my credit card numbers, I've never had anything intercepted between my computer and the recipient's computer.

I'm not being a smart-ass either, but how would you know? I suspect all you really know is that such information has not been abused in any way. You do not know if someone has been keeping a log of traffic to use at some later date. The mail you normally send passes through several computers, and over other people's networks. The information could be picked up at any point. There is reason to believe that your government (pick one!) is doing this as a matter of course! It is a guiding principle of the cypher analyst to *not* let on that the messages are being intercepted. I would strongly advise you not to assume that somebody is not doing it!

> I'd be interested in knowing if anyone else has ever had their own email intercepted.

Again, that it has been intercepted is impossible to judge, unless you can find evidence that it has been used.

> I see the value of encrypting an email with really important or sensitive information, but I note that many people seem to encrypt their email to this list as well, even when it contains nothing valuable that would seem to warrant encryption. Is there an advantage to encrypting personal or unimportant business email or do people just encrypt everything they send out by default?

You are seeing two things. A lot of people have been adding PGP signatures. This is NOT encrypting the message; it is adding a signature that is very difficult to forge. Signatures are useful not because they hide the message, but because the message is known to come from a trusted source. This is the most common case. The more rarely seen thing is a completely encrypted message, which only the recipient can decode.

> I went to the pgp.com site but couldn't find anything that really explains the nuts and bolts of how the system works ...

Everyone has a pair of keys, one private, kept solely by them, the other public, for anyone who is interested. In short, to decrypt a message from someone, you need *their* public key, and you need *your* private key. Imagine a door with two locks; to unlock it you need BOTH keys. Similarly, the sender of the message needs *their* private key, and *your* public key. Private keys are private, and never shared; public keys are designed to be shared, which is why you see them on e-mail from people.

The biggest weakness is that someone persuades you that they are someone else, and passes you a public key that is not in fact for the person you think it is for. Be careful about how you pick up a public key. Public keys are either exchanged through e-mail, or retrieved from public servers. Private keys are stored locally (ideally on removable media) and protected through a pass-phrase (like a long password).

-- 
Andy Philpotts
Using The Bat! v2.01 on Windows 2000 5.0 Build 2195 Service Pack 4
Re: Off-Topic: PGP Questions
Hi Andy,

On Wednesday, October 29, 2003, at 12:09:34 PM PST, you wrote:

> In short, to decrypt a message from someone, you need *their* public key, and you need *your* private key. Imagine a door with two locks, to unlock it you need BOTH keys.

Well, not really. If you have my public key, you can encrypt a message using it, and I can decrypt it. For this operation, I do not need your public key...just my own private key that corresponds to the public key you used to encrypt the message. If, however, you also sign the message, I can't verify your signature unless I have your public key.

-- 
Melissa
PGP public keys: mailto:[EMAIL PROTECTED]Body=Please%20send%20keys
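Added example (not part of the thread, and not The Bat!'s or PGP Corporation's code): the exchange Andy sketches and Melissa corrects, run with the GnuPG command-line tool. Three throwaway keyrings stand in for Alice (sender), Bob (recipient) and Carol (someone who captured the message in transit). It shows that Bob decrypts with his own private key alone, that Carol's key pair is useless against a message encrypted to Bob, that verifying Alice's signature needs her public key, and what a clear signature (what list members actually post) does when one word is changed. Assumptions: gpg 2.1 or later is on PATH; the addresses alice@example.test, bob@example.test and carol@example.test and the message text are made up for the demo; keys are generated without a passphrase only so the script can run unattended.

```shell
#!/bin/sh
# Added example, not from the thread: Alice mails Bob, Carol captures the
# message in transit. Each party gets its own throwaway GnuPG keyring.
# Assumes gpg 2.1+ on PATH. Keys are made WITHOUT a passphrase only so this
# runs unattended; never do that for a real key (see Melissa's caching note).
set -eu

WORK=$(mktemp -d)
cleanup() {
  for p in alice bob carol; do
    [ -d "$WORK/$p" ] && GNUPGHOME="$WORK/$p" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg as one party, unattended. Machine-readable status lines (the same
# ones a mail client such as The Bat! parses) go to "$WORK/status".
gpg_as() {
  party=$1; shift
  mkdir -p -m 700 "$WORK/$party"
  GNUPGHOME="$WORK/$party" gpg --batch --yes --quiet --no-tty \
    --pinentry-mode loopback --passphrase '' \
    --status-file "$WORK/status" "$@"
}
status_has() { grep -q "^\[GNUPG:\] $1" "$WORK/status"; }

# 1. Each party makes a key pair. Only the public half is exported; the
#    private half never leaves the owner's keyring.
for p in alice bob carol; do
  gpg_as "$p" --quick-gen-key "$p@example.test" default default never 2>/dev/null
  gpg_as "$p" --armor --output "$WORK/$p.pub" --export "$p@example.test"
done

# 2. Alice encrypts to Bob's PUBLIC key and signs with her own PRIVATE key.
#    --trust-model always skips the web-of-trust validity check so the demo
#    runs unattended; for real mail you confirm Bob's fingerprint out of band
#    first (this is the "wrong public key" weakness Andy warns about).
MESSAGE='Meet at noon. Order #4471 ships Friday.'   # constructed sample text
printf '%s\n' "$MESSAGE" > "$WORK/msg.txt"
gpg_as alice --import "$WORK/bob.pub"
gpg_as alice --trust-model always --recipient bob@example.test \
  --sign --encrypt --armor --output "$WORK/to_bob.asc" "$WORK/msg.txt"

# 3. Carol holds the ciphertext and her own key pair, but no private key the
#    message was encrypted to, so gpg refuses (NO_SECKEY / DECRYPTION_FAILED).
if gpg_as carol --output "$WORK/carol.txt" --decrypt "$WORK/to_bob.asc" 2>/dev/null
then CAROL_CAN_READ=yes; else CAROL_CAN_READ=no; fi

# 4. Bob decrypts with nothing but his own private key (Melissa's point: he
#    does not need Alice's public key for that). He does need it to check her
#    signature, so this first try reports NO_PUBKEY and exits non-zero even
#    though the plaintext was written.
gpg_as bob --output "$WORK/bob.txt" --decrypt "$WORK/to_bob.asc" 2>/dev/null || true
BOB_PLAIN=$(cat "$WORK/bob.txt")
if status_has DECRYPTION_OKAY && status_has NO_PUBKEY
then FIRST_TRY=decrypted_unverified; else FIRST_TRY=unexpected; fi

# 5. After importing Alice's public key the same message verifies (GOODSIG).
gpg_as bob --import "$WORK/alice.pub"
gpg_as bob --output "$WORK/bob.txt" --decrypt "$WORK/to_bob.asc" 2>/dev/null
if status_has GOODSIG; then SECOND_TRY=verified; else SECOND_TRY=unverified; fi

# 6. A signature without encryption: the text stays readable by anyone, and
#    changing one word of it turns GOODSIG into BADSIG on verification.
gpg_as alice --clearsign --output "$WORK/signed.asc" "$WORK/msg.txt"
gpg_as bob --verify "$WORK/signed.asc" 2>/dev/null
if status_has GOODSIG; then INTACT=GOODSIG; else INTACT=other; fi
sed 's/noon/nine/' "$WORK/signed.asc" > "$WORK/forged.asc"
gpg_as bob --verify "$WORK/forged.asc" 2>/dev/null || true
if status_has BADSIG; then TAMPERED=BADSIG; else TAMPERED=other; fi

echo "Carol can read: $CAROL_CAN_READ"
echo "Bob first try:  $FIRST_TRY -> $BOB_PLAIN"
echo "Bob second try: $SECOND_TRY"
echo "Clearsigned:    intact=$INTACT, tampered=$TAMPERED"
```

Two details worth noting. The script reads gpg's status lines (DECRYPTION_OKAY, NO_PUBKEY, GOODSIG, BADSIG) rather than its exit code, because a message that decrypts fine but carries an unverifiable signature still exits non-zero; that distinction between "readable" and "verified" is exactly the one Melissa draws. And --trust-model always is there only because nobody has certified Bob's key in this throwaway setup; in day-to-day use the validity check it bypasses is what protects you from the substituted public key Andy describes.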