Silk Road forums

Discussion => Newbie discussion => Topic started by: TheDreadedFree on June 21, 2013, 08:46 pm

Title: Specific PGP questions.
Post by: TheDreadedFree on June 21, 2013, 08:46 pm
1) When using PGP you encrypt using the intended receiving person's public key and decrypt using your own, correct?
2) How does the signature work?

Thanks SR Community! :)
Title: Re: Specific PGP questions.
Post by: tree on June 21, 2013, 10:15 pm
PGP encryption works by encrypting your message with the recipient's public key, and only the recipient can decrypt that message because only he has the corresponding private key. You don't decrypt using your own; you can't decrypt a message encrypted to someone else unless you encrypted it to yourself as well.

A signature makes sure that it was made by the holder of the private key used to make it. It can be verified by people that have your public key. It's used to let others know it's really you that's writing a message and that this message (or file) is not corrupted, in which case the signature won't match. PGP signatures are especially useful to verify the integrity of software you download, like TAILS or PGP software, to be sure that you received the correct file and weren't given software containing malware if you were the victim of a man-in-the-middle attack.
Title: Re: Specific PGP questions.
Post by: TheDreadedFree on June 25, 2013, 02:05 am
How do you verify a file? The man-in-the-middle attack is when a third party intercepts the file and replaces it with one containing malware? Not a huge techie but I'm learning...
Title: Re: Specific PGP questions.
Post by: Choniven on June 25, 2013, 02:32 am
Best way to verify file integrity would be to "hash" the file. Have the sender calculate the hash of the file you need, and when you receive it you can calculate its hash value and they should be identical.

If they aren't, you can be sure the file is either corrupt or it has been modified.


Title: Re: Specific PGP questions.
Post by: tree on June 25, 2013, 09:09 am
Best way to verify file integrity would be to "hash" the file. Have the sender calculate the hash of the file you need, and when you receive it you can calculate its hash value and they should be identical.

If they aren't, you can be sure the file is either corrupt or it has been modified.

Yeah, that's the easy way, but verifying signatures works better. If you're the victim of a MITM, he could send you a fake hash that matches the one you get. How to verify files is very well explained by the Tor Project; google something like "tor verify signatures" and you should find it.
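
The point in the reply above, as an added example that is not part of the original thread: a hash fetched over the same channel as the file does not stop an attacker who swaps both, while a signature checked against a public key obtained from a trusted source does. Textbook RSA over fixed primes stands in for PGP here so it runs with the Python standard library alone; every name, key and sample file below is constructed for illustration.

```python
import hashlib

E = 65537

def toy_keypair(p, q):
    """Constructed textbook-RSA keypair from two known primes (stand-in for a PGP key)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))    # (public modulus, private exponent)

# Developer's key: the victim got DEV_N earlier from a trusted source.
DEV_N, DEV_D = toy_keypair(2**521 - 1, 2**607 - 1)
# Attacker's own key: valid, but not the one the victim trusts.
ATT_N, ATT_D = toy_keypair(2**607 - 1, 2**1279 - 1)

def digest(data):
    return hashlib.sha256(data).hexdigest()

def sign(data, d, n):
    # Sign the SHA-256 digest with the private exponent (no padding: illustration only).
    return pow(int(digest(data), 16), d, n)

def verify(data, signature, n):
    # Recover the digest with the public key and compare it with the file's digest.
    return pow(signature, E, n) == int(digest(data), 16)

def publish(data):
    """What the developer puts on the download page."""
    return {"file": data, "sha256": digest(data), "sig": sign(data, DEV_D, DEV_N)}

def mitm(replacement):
    """Attacker on the channel: new file, matching hash, signature from his own key."""
    return {"file": replacement, "sha256": digest(replacement),
            "sig": sign(replacement, ATT_D, ATT_N)}

def check_hash(download):
    # The hash arrived over the same channel as the file.
    return digest(download["file"]) == download["sha256"]

def check_signature(download, trusted_n=DEV_N):
    # The public key did NOT arrive with the download.
    return verify(download["file"], download["sig"], trusted_n)

if __name__ == "__main__":
    good = publish(b"installer v1")                  # constructed sample file
    bad = mitm(b"installer v1 + malware")            # constructed tampered file
    for name, dl in (("genuine", good), ("tampered", bad)):
        print(name, "hash ok:", check_hash(dl), "signature ok:", check_signature(dl))
```

The tampered download passes the hash check and fails the signature check. It would pass both if the victim took the public key from the same page as the file, which is why the key has to come from somewhere the attacker does not control.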
Title: Re: Specific PGP questions.
Post by: boaclon224 on June 25, 2013, 12:50 pm
1) When using PGP you encrypt using the intended receiving person's public key and decrypt using your own, correct?

Nearly, except that you use your private key to decrypt.

The best metaphor I heard is to think of a public key like a padlock, and a private key like a key.

So you send out as many padlocks (public keys) as you like, and people can use them to lock stuff up (encrypt) to send you, but only your key (private key) can open (decrypt) them.
Title: Re: Specific PGP questions.
Post by: TheDreadedFree on June 27, 2013, 06:19 pm
1) When using PGP you encrypt using the intended receiving person's public key and decrypt using your own, correct?

Nearly, except that you use your private key to decrypt.

The best metaphor I heard is to think of a public key like a padlock, and a private key like a key.

So you send out as many padlocks (public keys) as you like, and people can use them to lock stuff up (encrypt) to send you, but only your key (private key) can open (decrypt) them.

Thanks for that, that makes much more sense!!
Title: Re: Specific PGP questions.
Post by: CannabisKing on June 28, 2013, 12:24 am
I think this thread helped me out more than it did for others! ha