Solved

PGP Question

Posted on 2004-08-25
6
222 Views
Last Modified: 2010-04-11
I recently downloaded PGPtray, and I'm trying to figure out what the difference is between "encrypt", "sign", and "sign & encrypt"?  What is the need for signing if you are encrypting?  And why sign at all?  Just a curious newbie...

Thanks!


CoolATIGuy
0
Comment
Question by:CoolATIGuy
  • 3
  • 3
6 Comments
 
LVL 4

Accepted Solution

by:
cyrnel earned 500 total points
ID: 11899687
-Difference between "encrpt", "sign", and "sign & encrypt"?

Encrypt is the most straight-forward. It processes the the target file with one or more public keys & produces output readable only by those in possession of a corresponding private key. In this way you create an encrypted file that can only be read by the list of people you specify.

Signing is a way of processing a file with your private key so a recipient knows it was you who sent the file. It does not hide the contents, but it verifies the origin. The recipient checks the document by processing it with your public key. If it works they know you were the signer.

Signing and encrypting is the two used in combination.

-What is the need for signing if you are encrypting? And why sign at all?

Even if the information isn't sensitive, the trustworthiness may be. How do you know the file you received about a business negotiation or hostage situation originated from a trusted source? Without signing, you could act on planted information that sends you into dangerous territory. Signing is what the sender does so the recipient can verify the source of the data. The data is run with the private key. The recipient then checks the received information with the public key, and knows if it was you.

Don't worry. Signing is probably the least understood  feature of public key cryptography. PGP corp's introduction is a good read if you haven't battled this stuff before. Beyond the basics it talks about the importance of key security, management, and technical/social vulnerabilities.

http://download.pgp.com/pdfs/Intro_to_Crypto_040600_F.pdf

Dave
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899719
Dave,

Awesome post!  Thanks!

One question; is it not possible to determine where an encrypted file came from without being signed?


FYI, raising points.  Thanks again!


CoolATIGuy
0
 
LVL 4

Assisted Solution

by:cyrnel
cyrnel earned 500 total points
ID: 11899827
Nope. Remember, the person encrypting the data only needs your public key. They are not required to include any personally identifying information when encrypting. People often infer identity from the enclosing package (email or other) but we all know that presents numerous vulnerabilities.The act of signing adds the sender's identity component. Not perfect, but with it you know someone with that private key created the "package" and that it hasn't been tampered with en route.

Dave
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899887
Awesome Dave; just awesome!  You've cleared so much up!  Thanks again!

CoolATIGuy
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899894
BTW, I got PGP Freeware... http://web.mit.edu/network/pgp.html .  Logical choice?

CoolATIGuy
0
 
LVL 4

Expert Comment

by:cyrnel
ID: 11899937
You bet. You get disk tools and more application interoperability with the commercial workgroup version, and management options with the admin ver$ion, but the MIT freeware version provides the complete encryption/signing functionality. That's where it (PGP) all started almost 15yrs ago. (including Mr. Z's now distant trouble with the feds)

Dave
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question