[olug] quick pgp question
kjk_elec at ix.netcom.com
Thu Jun 10 01:33:40 UTC 2004
Actually, you are both right.
I know S/Mime works this way, and I think GPG does too.
A signed (but not "encrypted") email is *sent twice* in
the same email, one after the other, first in plaintext,
then encrypted with the sender's private key. (But don't
believe me, find one and "view message source" for yourself.)
This results in a message which (in ordinary email clients)
can still be read (proving nothing) and is followed by an
equal amount of gibberish, which may or may not be suppressed.
A secure email client will get the sender's public key,
decrypt the encrypted copy of the message, and compare the
two copies against each other, looking for tampering. If there
are no differences between them, then the plaintext message is
(1) unaltered, and (2) could only have been created by the sender.
If the email is to be "signed and encrypted", then both copies of
the same message get encrypted a *second time* but this time with
the intended receiver's public key, resulting in a message that can
only be read by the recipient, and could only have been created
by the sender.
If any of this is not so in GPG, please let me know, as I am
planning to give GPG a try soon via Mozilla/Enigmail. Thanks.
K.J. Kirwan <kjk_elec at ix.netcom.com>
OBrien, Timothy (Omaha Linux Users Group - OLUG) wrote:
> <quote who="Tim - DZ">
>>Signing and encrypting work much the same way, just depends on the key
>>Signing is basically encrypting with your private key, then anyone can
>>verify that it was you that signed by decrypting with your public key.
> Eh, no. Signing an email with your key does not encrypt the email - it
> only adds the information of your key so that the recipient can verify the
> sender as you.
> Encrypting the email uses a different key pair to encrypt the message, and
> adds your digital signature (normally - depending on your email client.)