[Enigmail] use of openPGP

[Rich Wales]

James Kosin wrote:

> (4)  I'm also taking a stab by saying "The fewer people you send an
> encrypted message to the better."   Since with multiple copies of
> the encrypted session key are embedded in the message the more of a
> chance a hacker can actually guess (not easily done) the session key
> and decrypt the message themselves.  (with a LOT OF TIME)...

I don't believe so.

First, the session key is typically very long -- 128 bits or longer --
and it's generated randomly -- so "guessing" it is out of the question.

You might think that having multiple copies of the same session key --
each copy encrypted using a different asymmetric key -- might allow you
to figure out the session key by comparing the multiple encrypted copies
somehow.  However, as I recall, the session key has a random number
stuck onto it before being encrypted -- a different random number stuck
onto each separate copy -- so the multiple encrypted "session key"
messages are NOT in fact identical, and comparing the various copies
won't help you.

> Not that anyone would actually want to do such a thing.

Don't underestimate what some people wouldn't do in an attempt to crack
an encrypted message.

> But to create a message, they need the secret key.  The public key
> won't work for creating a message.

I'm not quite sure I understand what you're saying here.  In order
to create an encrypted message that can be read only by the intended
recipient, the sender needs to encrypt using the recipient's public
key.  Then, the recipient uses his secret key to decrypt the message
(actually, to decrypt the session key that was used to encrypt the
message text).

-- 
Rich Wales      ===      Palo Alto, CA, USA      ===     richw at richw.org
http://www.richw.org   ===   http://en.wikipedia.org/wiki/User:Richwales
    "The difference between theory and practice is that, in theory,
theory and practice are identical -- whereas in practice, they aren't."