Re: PGP

From: Matthew Pemble (mpemble@isintegration.com)
Date: 08/29/01


From: "Matthew Pemble" <mpemble@isintegration.com>
To: <security-basics@securityfocus.com>
Subject: Re: PGP
Date: Wed, 29 Aug 2001 09:22:00 +0100
Message-ID: <000a01c13063$acb7b260$0a02a8c0@pemble.net>


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike,

A further note or two:

The hybrid cryptosystem in PGP has been well explained by a couple of
people - the reason for doing it this way, rather than the logically
simpler use of pure PKI is that PKI is very processor intensive. PGP
is not a new program and CPU cycles were more important when Phil was a
lad! It is much quicker to PK encrypt a small (128 or 256 bit)
symmetric key and use that to encrypt the possibly lengthy message and
attachments.

Your original query regarded embedding your public key in the message.
This is not necessarily a good idea, as it opens up "man in the middle"
attacks.

We accept that it is trivial to spoof email headers and send claiming
to be anyone, this is why we have the concept of the digital signature.
 However, it is also trivial to generate a PGP key for any email
address. If you rely on an key embedded in a message, you cannot be
sure that that key was actually generated by the person "owning" the
email address, rather than a clever forger.

You should always try to obtain keys from a separate source - "out of
band", and, before you rely on them for anything serious, check the key
fingerprint with the putative owner. If the key is signed by enough
people you do trust, you may wish to be a little less paranoid.

- --

Matthew Pemble

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO4ymJWrvMjpl5yaUEQLXNACgytlkLDFjzCT5feh0iMzmhJlD0LoAoJCL
lsP+OFqABZnzLgHmgAqAU4k2
=znv/
-----END PGP SIGNATURE-----



Relevant Pages

  • Re: Encrypted partition solution for Windows OSes?
    ... is to encrypt the file, ... For Windows you have several ... choices, PGP, and GnuPG, as well as Guardbot for web based file transfers. ... files as drives, and aren't terribly interesting. ...
    (Focus-Microsoft)
  • RE: PGP scripting...
    ... We have a very similar solution, but we use X.509v3 instead of PGP. ... was to create a symmetric key that would be used to encrypt/decrypt all data ... generated for each data element and then the public key is used to encrypt ... We use our X.509v3 certs to do the client and server authentication. ...
    (SecProg)
  • Re: Might Be OT: Thanks for your time
    ... > So let's say you and I both use PGP to exchange email. ... > it with my secret key and encrypt it with your public key. ... > So you check the signature with PGP using my public key. ...
    (rec.pets.cats.anecdotes)
  • Re: Betr.: RE: encryption
    ... I would encrypt it gnupg/pgp.. ... >Up to a few years ago PGP and encryption was an hot item. ... >Dit e-mailbericht is uitsluitend bestemd voor de geadresseerde. ... >de afzender en de informatie te verwijderen van iedere computer. ...
    (Security-Basics)
  • Betr.: RE: encryption
    ... I was wondering if signing HTML files is useful. ... is it possible to encrypt HTML files and make them avalible for a specified number of users. ... Up to a few years ago PGP and encryption was an hot item. ...
    (Security-Basics)