[olug] quick pgp question
Daniel Linder
dan at linder.org
Thu Jun 10 16:02:48 UTC 2004
Just to help a bit, I tracked down some "How PGP works" pages and links.
I think they might help clarify a bit here:
Overview: How PGP works: http://www.pgpi.org/doc/pgpintro/
"Signed e-mail"
- See: "Digital Signatures" http://www.pgpi.org/doc/pgpintro/#p12
- Basically the e-mail is sent in plain text and an encrypted "hash" (a
checksum which is then encrypted with the _sender's_ private key) of the
body of the e-mail is attached. If a man-in-the-middle tries to change
something in the e-mail, the recipient's computer can compute the hash of
the e-mail text it received, then decrypt the hash value (using the
_sender's_ public key) sent with the e-mail and compare the two. If they
match, then there is a high confidence that the e-mail has not been
tampered with.
"Encrypted e-mail"
- See: "How PGP works" http://www.pgpi.org/doc/pgpintro/#p10
- In this case, the e-mail is compressed and encrypted with a random,
symmetric, one-time "session key", and then the session key is encrypted
with the _receiver's_ public PGP key. The recipient's computer then
decrypts the session key with the _receiver's_ private key, then uses that
key to decrypt the e-mail.
- In addition, the encrypted e-mail inside /could/ be "signed" (see
above) as an additional security measure. By doing both these steps, you
ensure that:
(1) Only the intended receiver (or whoever has the "private keys") can
read the e-mail [encrypting].
(2) That the entity doing the sending was really who they say they are
[signing].
Dan
--
Daniel Linder
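The two mechanisms described in the post, signing and encrypting, as an added example that is not from the post or from any PGP implementation. It uses Go's standard library in place of the OpenPGP packet format, with RSA (PKCS#1 v1.5 signatures, OAEP key wrapping) and AES-256-GCM standing in for PGP's algorithms; the key pairs, message body and the Send/Receive function names are assumptions.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Send signs the SHA-256 hash of body with the sender's private key, encrypts body under a fresh
// one-time session key, and wraps that key with the receiver's public key (nonce is prepended to ct).
func Send(body []byte, sender *rsa.PrivateKey, receiver *rsa.PublicKey) (ct, wrapped, sig []byte, err error) {
	digest := sha256.Sum256(body)
	rnd := make([]byte, 32+12) // 32-byte AES-256 session key followed by a 12-byte GCM nonce
	if sig, err = rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:]); err == nil {
		_, err = rand.Read(rnd)
	}
	if err == nil { // wrap the session key so only the receiver's private key can recover it
		wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, rnd[:32], nil)
	}
	if err != nil {
		return nil, nil, nil, err
	}
	block, _ := aes.NewCipher(rnd[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(rnd[32:], rnd[32:], body, nil), wrapped, sig, nil
}
// Receive unwraps the session key with the receiver's private key, decrypts the body, then
// recomputes its hash and checks the signature against the sender's public key.
func Receive(ct, wrapped, sig []byte, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, receiver, wrapped, nil)
	if err != nil {
		return nil, err // not encrypted to this receiver's key
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil || len(ct) < 12 {
		return nil, errors.New("malformed message")
	}
	gcm, _ := cipher.NewGCM(block)
	body, err := gcm.Open(nil, ct[:12], ct[12:], nil)
	if err != nil {
		return nil, err // ciphertext altered in transit: GCM tag check failed
	}
	digest := sha256.Sum256(body)
	if rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not match the sender's key or the body")
	}
	return body, nil
}
```

In real PGP the signature travels inside the encrypted message and the body is compressed before encryption; here the signature is carried alongside the ciphertext and compression is omitted.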