Silk Road forums
Discussion => Newbie discussion => Topic started by: TheDreadedFree on June 21, 2013, 08:46 pm
-
1) When using PGP you encrypt using the intended receiving person's public key and decrypt using your own, correct?
2) How does the signature work?
Thanks SR Community! :)
-
PGP encryption works by encrypting your message with the recipient's public key, and only the recipient can decrypt that message because only he has the corresponding private key. You don't decrypt using your own; you can't decrypt a message encrypted to someone else, unless you encrypted it to yourself as well.
A signature makes sure that it was made by the holder of the private key used to make it. It can be verified by people that have your public key. It's used to let others know it's really you that's writing a message and that this message (or file) is not corrupted, in which case the signature won't match. PGP signatures are especially useful to verify the integrity of software you download, like TAILS or PGP software, to be sure that you received the correct file and weren't given software containing malware if you were a victim of a man-in-the-middle attack.
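The two mechanics in this answer, as an added example that is not part of the thread: encrypting to a recipient's public key (and optionally to your own as well, so you can still read the message) and signing with your private key so that anyone holding your public key can verify it. It is a stand-alone Go program using the standard library's RSA-OAEP and Ed25519 rather than the actual OpenPGP message format; the names Alice and Bob, the Party type and the message text are constructed for illustration. The thread's "decrypt using your own" answer is shown directly: Alice cannot decrypt a copy that was encrypted to Bob alone, but can decrypt once her own public key was also a recipient.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one person's keys in the PGP pattern: an RSA pair whose public
// half is handed out for encryption, and an Ed25519 pair for signing.
type Party struct {
	encPriv *rsa.PrivateKey
	SigPub  ed25519.PublicKey
	sigPriv ed25519.PrivateKey
}

// NewParty generates fresh throwaway keys; it panics only if the system RNG fails.
func NewParty() *Party {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{encPriv: encPriv, SigPub: sigPub, sigPriv: sigPriv}
}

// EncPub is the "padlock": safe to publish, usable by anyone to encrypt to p.
func (p *Party) EncPub() *rsa.PublicKey { return &p.encPriv.PublicKey }

// EncryptTo makes one ciphertext per recipient key; a sender who wants to read
// the message later must list their own public key as a recipient as well.
func EncryptTo(msg []byte, recipients ...*rsa.PublicKey) ([][]byte, error) {
	var copies [][]byte
	for _, pub := range recipients {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
		if err != nil {
			return nil, err
		}
		copies = append(copies, ct)
	}
	return copies, nil
}

// Decrypt uses p's own private key; it succeeds only on a copy made with p's public key.
func (p *Party) Decrypt(copies [][]byte) ([]byte, error) {
	for _, ct := range copies {
		if pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.encPriv, ct, nil); err == nil {
			return pt, nil
		}
	}
	return nil, fmt.Errorf("no copy was encrypted to this key")
}

// Sign uses the private key; the result is checked with ed25519.Verify and the signer's public key.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.sigPriv, msg) }

type Outcome struct {
	BobReads, AliceReadsBobOnly, AliceReadsBoth, SigOK, TamperedSigOK bool
}

// Demo: Alice encrypts to Bob alone, then to Bob and herself, then signs the plaintext.
func Demo() (Outcome, error) {
	var o Outcome
	alice := NewParty()
	bob := NewParty()
	msg := []byte("constructed sample message") // constructed input, not from the thread
	bobOnly, err := EncryptTo(msg, bob.EncPub())
	if err != nil {
		return o, err
	}
	both, err := EncryptTo(msg, bob.EncPub(), alice.EncPub())
	if err != nil {
		return o, err
	}
	pt, err := bob.Decrypt(bobOnly)
	o.BobReads = err == nil && bytes.Equal(pt, msg)
	_, err = alice.Decrypt(bobOnly)
	o.AliceReadsBobOnly = err == nil // false: that copy was not encrypted to her key
	pt, err = alice.Decrypt(both)
	o.AliceReadsBoth = err == nil && bytes.Equal(pt, msg)
	sig := alice.Sign(msg)
	o.SigOK = ed25519.Verify(alice.SigPub, msg, sig)
	o.TamperedSigOK = ed25519.Verify(alice.SigPub, []byte("constructed sample message!"), sig)
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints BobReads, AliceReadsBoth and SigOK as true, and AliceReadsBobOnly and TamperedSigOK as false: the private key is the only thing that opens a copy, and a single changed byte in the message makes the signature fail.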
-
How do you verify a file? The man in the middle attack is when a third party intercepts the file and replaces it with one containing malware? Not a huge techie but I'm learning...
-
Best way to verify file integrity would be to "hash" the file. Have the sender calculate the hash of the file you need, and when you receive it you can calculate its hash value and they should be identical.
If they aren't, you can be sure the file is either corrupt or it has been modified.
-
Best way to verify file integrity would be to "hash" the file. Have the sender calculate the hash of the file you need, and when you receive it you can calculate its hash value and they should be identical.
If they aren't, you can be sure the file is either corrupt or it has been modified.
Yeah that's the easy way but verifying signatures works better; if you're a victim of a MITM, he could send you a fake hash that matches the one you get. How to verify files is very well explained by the Tor project, Google something like "tor verify signatures" and you should find it.
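Why the signature check holds up where the hash comparison alone does not, as an added example that is not part of the thread: a stand-alone Go program that publishes a file with its SHA-256 hash and an Ed25519 signature, then runs both checks on the genuine download and on a download where the file, the hash and the signature were all replaced by someone who does not hold the publisher's private key. The Release type, the Publish/HashMatches/SignatureValid names and the file contents are constructed for this example; real software signing uses OpenPGP or similar formats, but the logic of the two checks is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download page offers: the file, its published hash and a
// detached signature over the file made with the publisher's private key.
type Release struct {
	File []byte
	Hash string // hex SHA-256 as printed next to the download link
	Sig  []byte
}

// Publish builds a Release the way the file's publisher would.
func Publish(priv ed25519.PrivateKey, file []byte) Release {
	sum := sha256.Sum256(file)
	return Release{File: file, Hash: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(priv, file)}
}

// HashMatches is the check from the thread: recompute the hash locally and
// compare it with the one you were given.
func HashMatches(r Release) bool {
	sum := sha256.Sum256(r.File)
	return hex.EncodeToString(sum[:]) == r.Hash
}

// SignatureValid verifies the file against the publisher's public key. That
// key must come from somewhere the intermediary does not control (a key you
// fetched and checked earlier), otherwise it could be swapped like the hash.
func SignatureValid(publisherPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(publisherPub, r.File, r.Sig)
}

// Checks records the result of both verification methods for one download.
type Checks struct {
	HashOK, SigOK bool
}

// Scenario models two downloads of the same release: one untouched, and one
// where an intermediary replaces the file and republishes a hash and a
// signature for it using a key of his own (he does not have the publisher's).
func Scenario() (genuine, substituted Checks, err error) {
	publisherPub, publisherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, intermediaryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample contents; any bytes would do.
	r := Publish(publisherPriv, []byte("constructed sample: genuine installer bytes"))
	genuine = Checks{HashOK: HashMatches(r), SigOK: SignatureValid(publisherPub, r)}

	swapped := Publish(intermediaryPriv, []byte("constructed sample: altered installer bytes"))
	substituted = Checks{HashOK: HashMatches(swapped), SigOK: SignatureValid(publisherPub, swapped)}
	return
}

func main() {
	g, s, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %+v\nsubstituted: %+v\n", g, s)
}
```

The genuine download passes both checks. The substituted one still passes the hash check, because whoever replaced the file also replaced the hash it is compared against, but fails the signature check, because a valid signature over the new file would need the publisher's private key. This is why the hash only helps when it reaches you through a channel the intermediary cannot alter, and why the publisher's public key should be obtained and checked ahead of time rather than fetched alongside the download.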
-
1) When using PGP you encrypt using the intended receiving person's public key and decrypt using your own, correct?
Nearly, except that you use your private key to decrypt.
The best metaphor I heard is to think of a public key like a padlock, and a private key like a key.
So you send out as many padlocks (public keys) as you like, and people can use them to lock stuff up (encrypt) to send you, but only your key (private key) can open (decrypt) them.
-
1) When using PGP you encrypt using the intended receiving person's public key and decrypt using your own, correct?
Nearly, except that you use your private key to decrypt.
The best metaphor I heard is to think of a public key like a padlock, and a private key like a key.
So you send out as many padlocks (public keys) as you like, and people can use them to lock stuff up (encrypt) to send you, but only your key (private key) can open (decrypt) them.
Thanks for that, that makes much more sense!!
-
I think this thread helped me out more than it did for others! ha