[olug] quick pgp question

K.J. Kirwan kjk_elec at ix.netcom.com
Thu Jun 10 04:19:34 UTC 2004


Thanks, Christopher, for your interesting and detailed reply.  

Would you consider volunteering for an OLUG presentation on OpenPGP?  
And/Or any related items like GnuPG, Mozilla/Enigmail, Linux/Win32 
setup-howto, key generation, etc.  Has there been one recently?  
Would anyone else on the list like to see this?  

Is there an OLUG group willing to send and receive test emails 
to check new installs or help get the bugs worked out?  

And on your advice to quit S/mime and use OpenPGP (GnuPG?), 
there's another reason I would like to do that.  
I'm tired of their $15/yr per email cert fee, and besides, 
I hate to give those Verisign weasels another nickel.  

Thanks again for a great reply.  

Kim


Christopher Cashell wrote:
> At Wed, 09 Jun 04, Unidentified Flying Banana K.J. Kirwan, said:
> 
>>Actually, you are both right.  
>>
>>I know S/Mime works this way, and I think GPG does too.  
>>
>>A signed (but not "encrypted") email is *sent twice* in 
>>the same email, one after the other, first in plaintext, 
>>then encrypted with the senders' private key.  (But don't 
>>believe me, find one and "view message source" for yourself.)  
> 
> 
> Nope.  PGP/GPG doesn't work this way.
> 
> With a signed, but not encrypted e-mail, PGP/GPG will do one of two
> things, depending on if you're sending it inline (old way) or OpenPGP
> (PGP/MIME).  (Note, if I refer to PGP below, consider that to mean
> either PGP or GPG, or even the OpenPGP standard, which both PGP and
> GPG currently support.)
> 
> If you're sending it inline, then PGP modifies the e-mail itself by
> doing ASCII armoring and adding '-----BEGIN PGP SIGNED MESSAGE-----'
> lines to the start and end of the PGP signed part.  Immediately
> following those lines, it adds a PGP signature, which is basically a
> cryptographic hash of the e-mail body, created with a PGP private key.
> 
> Then, someone with a PGP public key matching that private key can verify
> that the hash matches the e-mail body, and that the body hasn't been
> altered.
> 
> With OpenPGP (PGP/MIME), it works similarly but instead of modifying the
> e-mail body, PGP simply creates a cryptographic hash for the entire MIME
> part of the e-mail, and the signature is then attached as a separate
> MIME attachment.
> 
> 
>>This results in a message which (in ordinary email clients) 
>>can still be read (proving nothing) and is followed by an 
>>equal amount of gibberish, which may or may not be suppressed.  
> 
> 
> With PGP, you can always read it.  With inline PGP, you simply read
> around the 'BEGIN PGP' lines.  With OpenPGP (MIME), you simply read the
> normal text e-mail, and ignore the PGP signature.
> 
> 
>>A secure email client will get the sender's public key, 
>>decrypt the encrypted copy of the message, and compare the 
>>two copies against each other, looking for tampering.  If there 
>>are no differences between them, then the plaintext message is 
>>(1) unaltered, and (2) could only have been created by the sender.  
> 
> 
> With PGP, for signatures, there is no real encryption or decryption
> taking place, just cryptographic hashing (signing) of an e-mail.
> 
> 
>>If the email is to be "signed and encrypted", then both copies of 
>>the same message get encrypted a *second time* but this time with 
>>the intended receiver's public key, resulting in a message that can 
>>only be read by the recipient, and could only have been created 
>>by the sender.  
> 
> 
> With a signed and encrypted e-mail, PGP first generates a signed e-mail,
> in the manner mentioned above.  PGP then compresses and encrypts the
> e-mail using the receiver's public key (and usually the signer's as
> well, so that they can still view the e-mail they sent).
> 
> When the e-mail arrives, the recipient uses their private key to decrypt
> the e-mail, and then uses the sender's public key to verify the
> signature, ensuring that the e-mail was sent by the sender, and that it
> wasn't changed or tampered with.
> 
> 
>>If any of this is not so in GPG, please let me know, as I am 
>>planning to give GPG a try soon via Mozilla/Enigmail.  Thanks.  
> 
> 
> Good call.  S/MIME isn't necessarily bad, but OpenPGP has greatly
> overtaken it, in terms of how widely used it is.  At this point, I'd
> definitely encourage people to use OpenPGP.
> 
> 
>>Kim Kirwan
> 
> 
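The three layouts Christopher describes above (inline clearsigned text, a PGP/MIME message with a detached signature part, and a PGP/MIME encrypted envelope that hides any signature until decryption) can be told apart from the message structure alone, with no keys involved. The Python below is an added example written for this archive page, not code from either poster or from the GnuPG project; the three sample messages are constructed, and their signature and ciphertext blocks are placeholders rather than real OpenPGP data. It also surfaces one check the thread touches on ("you simply read around the BEGIN PGP lines"): any text outside the clearsigned block is readable but not covered by the signature, so a client should never present it as authenticated.

```python
"""Classify how an e-mail carries OpenPGP protection (inline clearsign,
PGP/MIME signed, PGP/MIME encrypted, or none) using only the stdlib."""
import email
from email import policy

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def parse_clearsign(text):
    """Split an inline clearsigned body (RFC 4880 section 7) into the text the
    signature covers, the armored signature block, and any text outside it."""
    lines = text.splitlines()
    start = lines.index(CLEARSIGN_BEGIN)
    sig_start = lines.index(SIG_BEGIN, start)
    sig_end = lines.index(SIG_END, sig_start)
    # Armor headers such as "Hash: SHA256" run until the first blank line.
    hash_alg, i = None, start + 1
    while i < sig_start and lines[i].strip():
        name, _, value = lines[i].partition(":")
        if name.strip().lower() == "hash":
            hash_alg = value.strip()
        i += 1
    # Undo dash-escaping ("- " prefix) and drop trailing whitespace, which the
    # signature does not cover, so the result is the text that was signed.
    signed = [ln[2:] if ln.startswith("- ") else ln for ln in lines[i + 1:sig_start]]
    signed = "\n".join(ln.rstrip() for ln in signed).strip()
    # Text before BEGIN or after END is readable but NOT authenticated.
    outside = "\n".join(lines[:start] + lines[sig_end + 1:]).strip()
    return {"kind": "inline-clearsigned", "hash": hash_alg, "readable_text": signed,
            "signature": "\n".join(lines[sig_start:sig_end + 1]), "unsigned_text": outside}


def classify(raw):
    """Return how an RFC 822 message carries OpenPGP protection, if at all."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype, proto = msg.get_content_type(), msg.get_param("protocol")
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        body, sig = msg.get_payload()  # RFC 3156: signed data part, then signature part
        return {"kind": "pgp-mime-signed", "hash": msg.get_param("micalg"),
                "readable_text": body.get_payload(decode=True).decode("utf-8", "replace").strip(),
                "signature": sig.get_payload(decode=True).decode("ascii", "replace").strip(),
                "unsigned_text": ""}
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        # Any signature sits inside the envelope; nothing is readable before decryption.
        return {"kind": "pgp-mime-encrypted", "hash": None, "readable_text": None,
                "signature": None, "unsigned_text": ""}
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_payload(decode=True).decode("utf-8", "replace") if part else ""
    if CLEARSIGN_BEGIN in text and SIG_BEGIN in text and SIG_END in text:
        return parse_clearsign(text)
    return {"kind": "unprotected", "hash": None, "readable_text": text.strip(),
            "signature": None, "unsigned_text": text.strip()}


# Constructed samples; the armored blocks are placeholders, not real signatures.
INLINE_SAMPLE = """\
From: kim@example.invalid
Subject: constructed clearsigned sample
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello OLUG,
- -- this line started with a dash, so the signer dash-escaped it
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEplaceholderCONSTRUCTEDnotArealSignature
=AbCd
-----END PGP SIGNATURE-----
P.S. this postscript sits outside the signed block and is not authenticated
"""

MIME_SIGNED_SAMPLE = """\
From: kim@example.invalid
Subject: constructed PGP/MIME signed sample
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hello OLUG, this body is covered by the detached signature.
--b1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEplaceholderCONSTRUCTEDnotArealSignature
=AbCd
-----END PGP SIGNATURE-----
--b1--
"""

MIME_ENCRYPTED_SAMPLE = """\
From: kim@example.invalid
Subject: constructed PGP/MIME encrypted sample
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"

--b2
Content-Type: application/pgp-encrypted

Version: 1
--b2
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMAplaceholderCONSTRUCTEDciphertext
=WxYz
-----END PGP MESSAGE-----
--b2--
"""

if __name__ == "__main__":
    for sample in (INLINE_SAMPLE, MIME_SIGNED_SAMPLE, MIME_ENCRYPTED_SAMPLE):
        r = classify(sample)
        print(r["kind"], "| hash:", r["hash"], "| unsigned text:", repr(r["unsigned_text"]))
```

The `unsigned_text` field is the one to watch in a mail client: for the inline layout the postscript after `-----END PGP SIGNATURE-----` renders right next to the signed text, yet a "good signature" result says nothing about it. For the PGP/MIME layouts the boundary between signed and unsigned material is structural, which is one reason the detached-signature form is easier for software to get right.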