Solved

PGP Question

Posted on 2004-08-25
6
219 Views
Last Modified: 2010-04-11
I recently downloaded PGPtray, and I'm trying to figure out what the difference is between "encrypt", "sign", and "sign & encrypt"?  What is the need for signing if you are encrypting?  And why sign at all?  Just a curious newbie...

Thanks!


CoolATIGuy
0
Comment
Question by:CoolATIGuy
  • 3
  • 3
6 Comments
 
LVL 4

Accepted Solution

by:
cyrnel earned 500 total points
ID: 11899687
-Difference between "encrpt", "sign", and "sign & encrypt"?

Encrypt is the most straight-forward. It processes the the target file with one or more public keys & produces output readable only by those in possession of a corresponding private key. In this way you create an encrypted file that can only be read by the list of people you specify.

Signing is a way of processing a file with your private key so a recipient knows it was you who sent the file. It does not hide the contents, but it verifies the origin. The recipient checks the document by processing it with your public key. If it works they know you were the signer.

Signing and encrypting is the two used in combination.

-What is the need for signing if you are encrypting? And why sign at all?

Even if the information isn't sensitive, the trustworthiness may be. How do you know the file you received about a business negotiation or hostage situation originated from a trusted source? Without signing, you could act on planted information that sends you into dangerous territory. Signing is what the sender does so the recipient can verify the source of the data. The data is run with the private key. The recipient then checks the received information with the public key, and knows if it was you.

Don't worry. Signing is probably the least understood  feature of public key cryptography. PGP corp's introduction is a good read if you haven't battled this stuff before. Beyond the basics it talks about the importance of key security, management, and technical/social vulnerabilities.

http://download.pgp.com/pdfs/Intro_to_Crypto_040600_F.pdf

Dave
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899719
Dave,

Awesome post!  Thanks!

One question; is it not possible to determine where an encrypted file came from without being signed?


FYI, raising points.  Thanks again!


CoolATIGuy
0
 
LVL 4

Assisted Solution

by:cyrnel
cyrnel earned 500 total points
ID: 11899827
Nope. Remember, the person encrypting the data only needs your public key. They are not required to include any personally identifying information when encrypting. People often infer identity from the enclosing package (email or other) but we all know that presents numerous vulnerabilities.The act of signing adds the sender's identity component. Not perfect, but with it you know someone with that private key created the "package" and that it hasn't been tampered with en route.

Dave
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899887
Awesome Dave; just awesome!  You've cleared so much up!  Thanks again!

CoolATIGuy
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11899894
BTW, I got PGP Freeware... http://web.mit.edu/network/pgp.html .  Logical choice?

CoolATIGuy
0
 
LVL 4

Expert Comment

by:cyrnel
ID: 11899937
You bet. You get disk tools and more application interoperability with the commercial workgroup version, and management options with the admin ver$ion, but the MIT freeware version provides the complete encryption/signing functionality. That's where it (PGP) all started almost 15yrs ago. (including Mr. Z's now distant trouble with the feds)

Dave
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now