Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

PGP Question

Posted on 2004-08-25
6
Medium Priority
?
228 Views
Last Modified: 2010-04-11
I recently downloaded PGPtray, and I'm trying to figure out what the difference is between "encrypt", "sign", and "sign & encrypt"?  What is the need for signing if you are encrypting?  And why sign at all?  Just a curious newbie...

Thanks!


CoolATIGuy
0
Comment
Question by:CoolATIGuy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 4

Accepted Solution

by:
cyrnel earned 2000 total points
ID: 11899687
-Difference between "encrpt", "sign", and "sign & encrypt"?

Encrypt is the most straight-forward. It processes the the target file with one or more public keys & produces output readable only by those in possession of a corresponding private key. In this way you create an encrypted file that can only be read by the list of people you specify.

Signing is a way of processing a file with your private key so a recipient knows it was you who sent the file. It does not hide the contents, but it verifies the origin. The recipient checks the document by processing it with your public key. If it works they know you were the signer.

Signing and encrypting is the two used in combination.

-What is the need for signing if you are encrypting? And why sign at all?

Even if the information isn't sensitive, the trustworthiness may be. How do you know the file you received about a business negotiation or hostage situation originated from a trusted source? Without signing, you could act on planted information that sends you into dangerous territory. Signing is what the sender does so the recipient can verify the source of the data. The data is run with the private key. The recipient then checks the received information with the public key, and knows if it was you.

Don't worry. Signing is probably the least understood  feature of public key cryptography. PGP corp's introduction is a good read if you haven't battled this stuff before. Beyond the basics it talks about the importance of key security, management, and technical/social vulnerabilities.

http://download.pgp.com/pdfs/Intro_to_Crypto_040600_F.pdf

Dave
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899719
Dave,

Awesome post!  Thanks!

One question; is it not possible to determine where an encrypted file came from without being signed?


FYI, raising points.  Thanks again!


CoolATIGuy
0
 
LVL 4

Assisted Solution

by:cyrnel
cyrnel earned 2000 total points
ID: 11899827
Nope. Remember, the person encrypting the data only needs your public key. They are not required to include any personally identifying information when encrypting. People often infer identity from the enclosing package (email or other) but we all know that presents numerous vulnerabilities.The act of signing adds the sender's identity component. Not perfect, but with it you know someone with that private key created the "package" and that it hasn't been tampered with en route.

Dave
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899887
Awesome Dave; just awesome!  You've cleared so much up!  Thanks again!

CoolATIGuy
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899894
BTW, I got PGP Freeware... http://web.mit.edu/network/pgp.html .  Logical choice?

CoolATIGuy
0
 
LVL 4

Expert Comment

by:cyrnel
ID: 11899937
You bet. You get disk tools and more application interoperability with the commercial workgroup version, and management options with the admin ver$ion, but the MIT freeware version provides the complete encryption/signing functionality. That's where it (PGP) all started almost 15yrs ago. (including Mr. Z's now distant trouble with the feds)

Dave
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
Check out what's been happening in the Experts Exchange community.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question