Discussion:
PGP keys
Nrth
2011-03-12 08:41:01 UTC
Would it be a disaster if someone got hold of your public and secret keys?
Since it still takes a passphrase to decrypt something, wouldn't your data
still be safe?
With your secret key, the imposter can sign/encrypt messages as if
he were you. duh!
I was under the impression that you can sign and decrypt with a secret key,
and the public key is used for encrypting and verifying messages/files.
Time for some sunlight then. You were wrong.
Can you explain why and which part ? I take from your brief message that
public keys are not used to encrypt messages and that secret (private) keys
cannot be used to sign and decrypt ? Following on from that, if I wish to
encrypt a message/file to someone, then I must obtain their private key
according to your statement. Or did you mean something else ?

Regards,

Nrth.
Le Forgeron
2011-03-12 13:49:27 UTC
Post by Nrth
Would it be a disaster if someone got hold of your public and secret keys?
Since it still takes a passphrase to decrypt something, wouldn't your data
still be safe?
With your secret key, the imposter can sign/encrypt messages as if
he were you. duh!
I was under the impression that you can sign and decrypt with a secret key,
and the public key is used for encrypting and verifying messages/files.
Time for some sunlight then. You were wrong.
Can you explain why and which part ? I take from your brief message that
public keys are not used to encrypt messages and that secret (private) keys
cannot be used to sign and decrypt ? Following on from that, if I wish to
encrypt a message/file to someone, then I must obtain their private key
according to your statement. Or did you mean something else ?
I guess (!) that a secret key without the passphrase is useless.
If the passphrase can be obtained (how much do you like your knees ?),
then the imposter is fine.

Without the passphrase, the private key just looks like random data that
does not match the public key.

Of course, you can have an empty passphrase... just like you can write
the weekly password on a paper under the keyboard... or in the second
right drawer.

It nevertheless should not be a reason to broadcast your private key: a
dictionary attack on the passphrase & time would still be quicker with
it than without.

Private key should be read-only & for your user only. Backup safely on
remote medium.
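
As an added illustration of the points in the posts above (not code from any poster, and not the OpenPGP file format): a toy RSA key in Python showing which operations need only the public key and which need the secret exponent, with the secret exponent stored encrypted under a passphrase-derived key. The primes, function names, PBKDF2 stretching and XOR/HMAC wrapping are assumptions chosen for a standard-library-only demo.

```python
import hashlib, hmac, os

# Constructed toy RSA key from two Mersenne primes; real keys are 2048+ bits.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                               # public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))       # secret exponent

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def encrypt(m: int) -> int:             # public key only
    return pow(m, E, N)

def verify(msg: bytes, sig: int) -> bool:   # public key only
    return pow(sig, E, N) == digest(msg)

def decrypt(c: int, d: int) -> int:     # needs the secret exponent
    return pow(c, d, N)

def sign(msg: bytes, d: int) -> int:    # needs the secret exponent
    return pow(digest(msg), d, N)

def _keys(passphrase: str, salt: bytes, rounds: int) -> bytes:
    # Stand-in for OpenPGP's string-to-key step: stretch the passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, rounds, 64)

def _xor(data: bytes, key: bytes) -> bytes:
    pad = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def lock_secret(d: int, passphrase: str, rounds: int = 100_000):
    """Return the at-rest form of the secret key (salt, rounds, ciphertext, tag)."""
    salt = os.urandom(16)
    k = _keys(passphrase, salt, rounds)
    ct = _xor(d.to_bytes(16, "big"), k[:32])
    return salt, rounds, ct, hmac.new(k[32:], ct, "sha256").digest()

def unlock_secret(blob, passphrase: str):
    """Return the secret exponent, or None if the passphrase is wrong."""
    salt, rounds, ct, tag = blob
    k = _keys(passphrase, salt, rounds)
    if not hmac.compare_digest(tag, hmac.new(k[32:], ct, "sha256").digest()):
        return None
    return int.from_bytes(_xor(ct, k[:32]), "big")
```

The stored blob is only as strong as the passphrase and the `rounds` value, which sets the cost of every unlock attempt; that is why the key file itself still belongs under owner-only permissions.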
David E. Ross
2011-03-12 16:01:57 UTC
Post by Le Forgeron
Post by Nrth
Would it be a disaster if someone got hold of your public and secret keys?
Since it still takes a passphrase to decrypt something, wouldn't your data
still be safe?
With your secret key, the imposter can sign/encrypt messages as if
he were you. duh!
I was under the impression that you can sign and decrypt with a secret key,
and the public key is used for encrypting and verifying messages/files.
Time for some sunlight then. You were wrong.
Can you explain why and which part ? I take from your brief message that
public keys are not used to encrypt messages and that secret (private) keys
cannot be used to sign and decrypt ? Following on from that, if I wish to
encrypt a message/file to someone, then I must obtain their private key
according to your statement. Or did you mean something else ?
I guess (!) that a secret key without the passphrase is useless.
If the passphrase can be obtained (how much do you like your knees ?),
then the imposter is fine.
Without the passphrase, the private key just looks like random data that
does not match the public key.
Of course, you can have an empty passphrase... just like you can write
the weekly password on a paper under the keyboard... or in the second
right drawer.
It nevertheless should not be a reason to broadcast your private key: a
dictionary attack on the passphrase & time would still be quicker with
it than without.
Private key should be read-only & for your user only. Backup safely on
remote medium.
See <http://www.rossde.com/PGP/pgp_encrypt.html#basic> for a simple
explanation of how public keys and private keys are used.
--
David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.
Nrth
2011-03-12 18:11:47 UTC
Post by Le Forgeron
Post by Nrth
Would it be a disaster if someone got hold of your public and secret keys?
Since it still takes a passphrase to decrypt something, wouldn't your data
still be safe?
With your secret key, the imposter can sign/encrypt messages as if
he were you. duh!
I was under the impression that you can sign and decrypt with a secret key,
and the public key is used for encrypting and verifying messages/files.
Time for some sunlight then. You were wrong.
Can you explain why and which part ? I take from your brief message that
public keys are not used to encrypt messages and that secret (private) keys
cannot be used to sign and decrypt ? Following on from that, if I wish to
encrypt a message/file to someone, then I must obtain their private key
according to your statement. Or did you mean something else ?
I guess (!) that a secret key without the passphrase is useless.
If the passphrase can be obtained (how much do you like your knees ?),
then the imposter is fine.
[snip]

Hello,

That is also my opinion. What I was asking the anonymous remailer poster was
that if I was wrong in that public keys cannot be used for encrypting or
verifying, and that secret (private) keys cannot be used for signing
or decryption, where was my error ? Seriously, this is important and I'd
like to know.

Unfortunately the anonymous remailer poster did not qualify the statements
posted so I'm left to guess as to where exactly my error occurred.

Regards,

Nrth.
Kulin Remailer
2011-03-12 18:20:45 UTC
Post by Nrth
Would it be a disaster if someone got hold of your public and secret keys?
Since it still takes a passphrase to decrypt something, wouldn't your data
still be safe?
With your secret key, the imposter can sign/encrypt messages as if
he were you. duh!
I was under the impression that you can sign and decrypt with a secret key,
and the public key is used for encrypting and verifying messages/files.
Time for some sunlight then. You were wrong.
Can you explain why and which part ? I take from your brief message that
public keys are not used to encrypt messages and that secret (private) keys
cannot be used to sign and decrypt ? Following on from that, if I wish to
encrypt a message/file to someone, then I must obtain their private key
according to your statement. Or did you mean something else ?
yes
Nrth
2011-03-12 18:35:42 UTC
Post by Nrth
Would it be a disaster if someone got hold of your public and secret keys?
Since it still takes a passphrase to decrypt something, wouldn't your data
still be safe?
With your secret key, the imposter can sign/encrypt messages as if
he were you. duh!
I was under the impression that you can sign and decrypt with a secret key,
and the public key is used for encrypting and verifying messages/files.
Time for some sunlight then. You were wrong.
Can you explain why and which part ? I take from your brief message that
public keys are not used to encrypt messages and that secret (private) keys
cannot be used to sign and decrypt ? Following on from that, if I wish to
encrypt a message/file to someone, then I must obtain their private key
according to your statement. Or did you mean something else ?
yes
How convenient. :)

Regards,

Pete.
