Security Basics: RE: PGP encrypted email - basic questions

From: Bass, Mike B [CCC-OT_IT] <mike.b.bass_at_citigroup.com>
Date: Tue, 2 Jan 2007 14:56:23 -0500

While we are on the subject, could someone reply to this message and
sign it with smime? I need to test something. Thanks.

Mike

-----Original Message-----
From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
On Behalf Of Thomas D.
Sent: Saturday, December 30, 2006 7:03 AM
To: security-basics_at_securityfocus.com
Subject: RE: PGP encrypted email - basic questions

Dave asked on Friday, December 29, 2006 4:01 PM:
> I understand that a recipient of a PGP signed/encrypted message will
> have to get my public key to decrypt said message.

Your recipient needs your public key to check the signature, but with
only your public key he/she isn't able to decrypt the encrypted message,
because at the moment you send that mail, you have to decide who should
be able to read this mail, because you will only encrypt this message
with those public keys (don't forget your own key, if you want to be
able to read this mail in your "sent messages" folder).

> What I don't
> understand is how this is carried out in a seemingly automatic fashion
> for many of the email messages I receive, e.g. postings from mailing
> lists, in which I see the 'BEGIN PGP SIGNED.. ' and the signature at
> the end.

You can sign every mail you are sending. This can be done automatically
using a pgp-relay service, or many pgp plugins like Enigmail offer this
functionality.

As I said before, if the recipient wants to validate this signature,
he/she needs your public key.
This is the reason why you can do this without any user interaction
while sending.

If you want to encrypt the message you are sending, you need the
public key of the recipient you are sending this message to. Many PGP
applications offer functions to search automatically for those keys.

But keep in mind:
One of the basic ideas behind PGP is TRUST. If you download a key
automatically to encrypt the message for this recipient, you don't
really know if you have his/her key or if it is probably a key from a bad
guy, spoofing to be your recipient :)
Received on Jan 02 2007
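
The trust point raised in the thread, as an added example that is not part of the original messages: before encrypting to an automatically fetched key, compare its fingerprint with one obtained from the recipient out of band. The listing below is a constructed, simplified sample in the style of `gpg --with-colons --fingerprint` output; the address, fingerprints and function names are assumptions made for illustration.

```python
# Constructed, simplified listing: two different primary keys claim the
# same user ID, as an automatic key search can return.
SAMPLE_LISTING = """\
pub:-:4096:1:1111222233334444:1167696000:::-:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1167696000::::Alice Example <alice@example.org>:
sub:-:4096:1:5555666677778888:1167696000:
fpr:::::::::0000111122223333444455555555666677778888:
pub:-:4096:1:9999AAAABBBBCCCC:1167782400:::-:
fpr:::::::::0123456701234567012345679999AAAABBBBCCCC:
uid:-::::1167782400::::Alice Example <alice@example.org>:
"""

def normalize(fpr):
    """Fingerprints are often written in spaced groups; compare plain hex."""
    return "".join(fpr.split()).upper()

def parse_keys(listing):
    """Return [{'fpr': str, 'uids': [str]}] for each primary key listed."""
    keys, want_fpr = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fpr": None, "uids": []})
            want_fpr = True            # the next fpr record is the primary key's
        elif f[0] == "sub":
            want_fpr = False           # the next fpr record is a subkey's
        elif f[0] == "fpr" and want_fpr and len(f) > 9:
            keys[-1]["fpr"] = f[9].upper()
            want_fpr = False
        elif f[0] == "uid" and keys and len(f) > 9:
            keys[-1]["uids"].append(f[9])
    return keys

def candidates(listing, address):
    """Fingerprints of every key whose user ID claims `address`."""
    return [k["fpr"] for k in parse_keys(listing)
            if k["fpr"] and any(f"<{address}>" in u for u in k["uids"])]

def select_recipient_key(listing, address, trusted_fpr):
    """Return the fingerprint to encrypt to, or None when no listed key for
    `address` matches the fingerprint obtained out of band."""
    wanted = normalize(trusted_fpr)
    return wanted if wanted in candidates(listing, address) else None
```

The returned fingerprint, rather than the e-mail address, is what should be passed to `gpg --encrypt --recipient`, so that a second key carrying the same user ID is never selected.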
