[Enigmail] use of openPGP

[James Kosin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Rich Wales wrote:
> James Kosin wrote:
>
>> I'm missing a word here for forward and reverse working in the
>> cryptic language.
>
> Asymmetric.  That is, the same key does NOT work for BOTH
> encryption and decryption; the two keys (public and private) work
> as a pair, and whichever one was used to encrypt, you need the
> other to decrypt.
>
>> In fact you can't even read the message you sent without telling
>> enigmail you want to encrypt to self also.  In which case I
>> believe it sends another copy encrypted with your public and
>> secret keys to be readable by you.
>
> Not quite.  The real story is a bit more complicated than this.
>
> First, the main body of the message is encrypted using a
> "symmetric" encryption scheme (where the same key is used to
> encrypt and decrypt). The key used for this symmetric encryption is
> NOT anyone's public or private key; it's a randomly generated
> "session key" that is used only for one message and is then thrown
> away.
>
> In addition to the main body, encrypted using the "session key",
> the PGP message also includes a section where the session key is
> itself encrypted using the recipient's public key.  So when the
> encrypted message arrives in the recipient's e-mail, he uses his
> private key to decrypt the session key -- and then uses the session
> key to decrypt the main body of the message.
>
> This two-step process is all done as a single operation by GnuPG,
> of course, so you don't really need to mess with the separate steps
> -- it all gets done automatically for you.
>
> If a message is intended for two or more recipients -- including
> the case where you send something encrypted for yourself as well as
> for some other person -- the encrypted message contains ONE copy of
> the main message body (encrypted using a symmetric algorithm), plus
> TWO (or more) copies of the session key, each encrypted using a
> different person's public key.  Each intended recipient can then
> decrypt one copy of the session key, and, having the session key,
> can go on to decrypt the actual message.
>
> There are two reasons why this two-step process is used:
>
> (1) Public-key encryption algorithms are VERY slow, so it makes
> sense to use a public-key scheme to encrypt just a small piece of
> info (namely, a session key), and then use the session key to
> encrypt and decrypt the main body of the message (symmetric
> encryption schemes are very fast).
>
> (2) Using a two-step process makes it feasible to construct a
> single message that can be decrypted by two or more people, as
> described above.
>
> And, BTW, the system is designed so that even if I can decrypt my
> own copy of the session key, that doesn't give me any clue at all
> that I could use to crack the private key of any other recipient of
> the same message.
>
Ok,

This makes a bit more sence; so,
(1)  When enigmail sends an encrypted message; it creates a session
key to encrypt the message.  Kind of like the password to send.
(2)  Then encrypts the session key with the destination's public key
(so the recipient can decrypt the message using their private key.
(3)  I'm guessing enigmail creates another copy of the session key
encrypted for each destination.  You state this above; so I guess it
has to be true.
(4)  I'm also taking a stab by saying "The fewer people you send an
encrypted message to the better."   Since with multiple copies of the
encrypted session key are embedded in the message the more of a chance
a hacker can actually guess (not easily done) the session key and
decrypt the message themselves.  (with a LOT OF TIME)...  Not that
anyone would actually want to do such a thing.

The public and secret keys used by enigmail and PGP are examples of
Asymmetric keys.  One doesn't have to have the secret key to verify
the signature that is what the public key is for.  But to create a
message, they need the secret key.  The public key won't work for
creating a message.

- -James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFG/AzlkNLDmnu1kSkRAut+AJ4gMtE0VXA1+uIuo3a3Jdn6eNb/QACfWmG+
IPGitErefUPgwK+v+8L/db4=
=CZy1
-----END PGP SIGNATURE-----

-- 
Scanned by ClamAV - http://www.clamav.net