Recommended Posts

So I'm just trying to educate myself and can't seem to find an answer online.  I have my wife's public PGP key imported onto my laptop, but not her private key.  If I encrypt a file with her public key, in theory, nobody should be able to decrypt it except the person with her private key, so her, however, I am able to decrypt the file even if I delete the original unencrypted copy of the file.  How is this working?  I'm using the built-in seahorse encryption tools in Debian Linux.

Link to comment
https://www.neowin.net/forum/topic/1409550-asymmetric-encryption-question/
Share on other sites

  On 11/07/2021 at 02:44, BudMan said:

Normally when you encrypt something  to someones public key, you also encrypt it with your own public key - so you can decrypt it, since you have your private key.

Expand  

I set up a clean VM and imported only one secret key and was able to decrypt a file that I encrypted with the other person's public key, so that makes sense.  It also explains why our PGP encrypted chat app lets me see all the messages I sent regardless of what device I sent it from.  Interesting how a file can basically be encrypted twice with two different keys and not affect the file size in any meaningful way though.image.png.511753f9fd455cc586b5499db68732b0.png

Well the file is not really encrypted multiple times.. What happens is the session key used to actually encrypt the data which would be symmetric, and and included in the message is encrypted with the recipients public key.. So they can decrypt the symmetric key and use that to decrypt the actual data you wanted to encrypt.

 

This is included in the header of the file..

 

But yeah it is really interesting/cool! ;)

  On 11/07/2021 at 12:13, BudMan said:

Well the file is not really encrypted multiple times.. What happens is the session key used to actually encrypt the data which would be symmetric, and and included in the message is encrypted with the recipients public key.. So they can decrypt the symmetric key and use that to decrypt the actual data you wanted to encrypt.

 

This is included in the header of the file..

 

But yeah it is really interesting/cool! ;)

Expand  

This prompted me to go do some reading and I didn't know that's how PGP worked.  I was under the impression that when you encrypted a file or something, it was actually encrypting the entire message with the public keys, so encrypting to multiple recipients would mean encrypting the file multiple times with different keys.  Doing things the way you described makes a lot more sense because symmetric encryption is faster, and this provides a method for sharing the symmetric key in a secure manner, kinda like how https/tls works when browsing the web.  I'm curious what actual encryption algorithm and strength is used then because you could have a really strong PGP key, but if the randomized symmetric key algorithm is weak, then an attacker wouldn't have to break RSA or Elgamal or whatever, they would just have to break the weaker symmetric algorithm that was used to encrypt the actual message.

  On 12/07/2021 at 23:28, Good Bot, Bad Bot said:

Are you really using PGP to communicate with your wife? Why not just use Signal?

Expand  

We do, it's our default fallback and where we have all our friends and family, but we also like experimenting with other options and found a very nice Android XMPP app called Conversations that supports either OMEMO or PGP encryption, so I decided to try out the PGP functionality. One of the down sides to Signal is that it's tied to a phone number, so my kids couldn't use it without me having to actually get them their own phone numbers. Having an independent registration method like Session Private Messenger or an XMPP server is kinda nice.

  On 13/07/2021 at 05:32, Gerowen said:

We do, it's our default fallback and where we have all our friends and family, but we also like experimenting with other options and found a very nice Android XMPP app called Conversations that supports either OMEMO or PGP encryption, so I decided to try out the PGP functionality. One of the down sides to Signal is that it's tied to a phone number, so my kids couldn't use it without me having to actually get them their own phone numbers. Having an independent registration method like Session Private Messenger or an XMPP server is kinda nice.

Expand  

it seems like a lot of work to keep "Buy some milk on the way home" secret unless you and the wife work for an alphabet agency or something.  I use SMS with my wife LOL but can't use iMessage and won't use WhatsApp. I do use Signal for certain communications with some contacts. Phone numbers are free and easy to get.

  On 13/07/2021 at 12:08, Good Bot, Bad Bot said:

it seems like a lot of work to keep "Buy some milk on the way home" secret unless you and the wife work for an alphabet agency or something.  I use SMS with my wife LOL but can't use iMessage and won't use WhatsApp. I do use Signal for certain communications with some contacts. Phone numbers are free and easy to get.

Expand  

I'm just a firm believer in encryption/security by default. Too many companies and agencies see it as their right to collect and monetize as much as possible, so we both deleted our Facebook accounts and told people if they want to get in touch with us to use Signal. There's nothing we talk about that's that interesting, but for us it's a matter of principal. If I call her while she's away on the weekend visiting her family and we decide to talk politics, I don't want somebody keeping recordings of our conversations and trying to either monetize it or use it against us at some point in the future. In a world where people like the NSA have stated their goal is to store all communications indefinitely and people are more politically divided than ever, it's more important than perhaps it has ever been to establish a secure enclave for your family to communicate without snooping and manipulation by third parties, no matter how innocent you might think your conversations are.

  On 13/07/2021 at 13:21, Gerowen said:

I'm just a firm believer in encryption/security by default. Too many companies and agencies see it as their right to collect and monetize as much as possible, so we both deleted our Facebook accounts and told people if they want to get in touch with us to use Signal. There's nothing we talk about that's that interesting, but for us it's a matter of principal. If I call her while she's away on the weekend visiting her family and we decide to talk politics, I don't want somebody keeping recordings of our conversations and trying to either monetize it or use it against us at some point in the future. In a world where people like the NSA have stated their goal is to store all communications indefinitely and people are more politically divided than ever, it's more important than perhaps it has ever been to establish a secure enclave for your family to communicate without snooping and manipulation by third parties, no matter how innocent you might think your conversations are.

Expand  

I agree. Though I didn't get anybody on signal, but I did get my mom, dad, friend, sister and neice and nephew over to telegram from Facebook messenger.

 

It started when I drew my parents a picture of this and sent it to them on facebook messenger. 

 

image.png.223b24f7cb9277944cc2c4826a77e239.png

 

Then about an hour later I was seeing ads for this on Facebook

 

53152900_2336259906404558_4436535216282009600_n.thumb.jpg.486fa82772f9e0d67bf8b226de18a447.jpg

  On 13/07/2021 at 13:21, Gerowen said:

I'm just a firm believer in encryption/security by default. Too many companies and agencies see it as their right to collect and monetize as much as possible, so we both deleted our Facebook accounts and told people if they want to get in touch with us to use Signal. There's nothing we talk about that's that interesting, but for us it's a matter of principal. If I call her while she's away on the weekend visiting her family and we decide to talk politics, I don't want somebody keeping recordings of our conversations and trying to either monetize it or use it against us at some point in the future. In a world where people like the NSA have stated their goal is to store all communications indefinitely and people are more politically divided than ever, it's more important than perhaps it has ever been to establish a secure enclave for your family to communicate without snooping and manipulation by third parties, no matter how innocent you might think your conversations are.

Expand  

I agree in a perfect world all communication would be E2EE and I could chat with anyone will any client but that is not possible. Principle is great and all but I need to communicate with others. Telling everyone it's Signal or nothing is not a real solution. Yes, no Facebook and more sensitive communication is via E2EE but I do compromise on regular everyday communication. The NSA can store those messages forever if they like. LOL What's next? We have cameras everyone so will we need to whisper to people we are talking to in public while covering our mouths as to not have our lip movements recorded?

  On 13/07/2021 at 14:38, Good Bot, Bad Bot said:

I agree in a perfect world all communication would be E2EE and I could chat with anyone will any client but that is not possible. Principle is great and all but I need to communicate with others. Telling everyone it's Signal or nothing is not a real solution. Yes, no Facebook and more sensitive communication is via E2EE but I do compromise on regular everyday communication. The NSA can store those messages forever if they like. LOL What's next? We have cameras everyone so will we need to whisper to people we are talking to in public while covering our mouths as to not have our lip movements recorded?

Expand  

I made a Facebook post 30 days before deleting my account explaining my decision and gave people ways to contact me, then posted again about 2 weeks out. I figured anybody who values talking to me will respect my choices and if they don't, they obviously didn't value me enough to be slightly inconvenienced. I've even got the people at work to start using Signal to talk to me. It took about 6 months of them trying and failing to get me back on Facebook before they finally caved because they couldn't send large files or images over SMS. I don't personally think it should be so taboo to want privacy in your day to day personal communications. I do compromise and agree to use SMS occasionally for people that I don't talk to often, but if I talk to somebody on a regular basis and especially if they're a family member that wants pictures of my kids or something, I insist that they use Signal or some other E2EE means of communication and right now Signal is the easiest to get people on board with. I can't protect everything, but that doesn't mean I shouldn't make a reasonable effort to do what I can to protect myself and my family from unlawful spying that we know is taking place at the hands of corrupt, power hungry government officials, identity thieves, etc.

I haven't been big into pgp for years and years..  But my understanding the symmetrical key normally stronger.  Keep in mind the weakest link in the chain is what to worry about.. Be it the public asymmetrical or the session key (symmetrical).. But even if they break the session key used.  That would be different for every single message, so at best if they did break the session they would just have access to that message.  Since every time you encrypt something the session key would be different.

 

And your correct is somewhat like https/tls - where a secure method is used to exchange the key to be used for that session. 

  • 3 weeks later...
  On 13/07/2021 at 13:29, warwagon said:

I agree. Though I didn't get anybody on signal, but I did get my mom, dad, friend, sister and neice and nephew over to telegram from Facebook messenger.

 

It started when I drew my parents a picture of this and sent it to them on facebook messenger. 

 

snipped

 

Then about an hour later I was seeing ads for this on Facebook

 

snipped

Expand  

That's creepy as hell.  My wife and I deleted our Facebook accounts a few years ago.  It was a lot of things really; being sold as a product to advertising companies, intentionally spying on users, storing passwords in plain text, allowing third parties access to user information without their informed consent.  My wife actually deleted hers first.  I gave everybody a 30 day heads up, made a couple of posts explaining our decision, made a backup of my profile data and then deleted my account.  It's still kinda weird because I'll occasionally talk to somebody who wants to message me on Facebook or something and I have to explain to them that I don't have an account and refuse to make a new one even just for messenger when there are better options available.  I finally got all the guys at work on Signal because I just straight up refused to install Facebook Messenger.  My brother and I experimented with "Session" for a while because it's not tied to your phone number, so it's a bit more portable, but I haven't really made any real attempts to move people anywhere else except for our inter-family conversations my wife and I bounce between Signal and "Conversations.im" with our personal PGP keys.  We have actually noticed that even though it's based around the same protocols, the audio calls on conversations are more reliable than on Signal.  On Signal sometimes if she's out of the service area Signal will still report that a phone is ringing, when in fact it's not.  With conversations.im it "discovers devices" first and if it can't ping her phone, it tells me as much instead of letting me sit there listening to a ring tone as if her phone is ringing when it's not.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Posts

    • Microsoft changed recall to opt-in some time ago, which seems to still be the case. I personally feel like that is the right move for something like this. You are right, settings that turn themselves back on after an update is totally unacceptable; its weird how that only happened with privacy and advertising related settings...
    • I have a Tab S9 FE and a Tab A9+ which is a lot less expensive. I much prefer the TabA9+. 1. Its display is more landscape while that of the S9 FE is more boxy. 2. They both drain battery at about the same rate of between 7% and 9% an hour depending on how I use them 3. The Tab A9+ charges a lot faster than S9 FE, The S9 FE is better at handling memory, It is faster. They both have 8GB. The TabA9+ does a lot better at handling memory on Android 15, One UI 7.0 than it did on Android 14, One UI 6.1
    • Following rough launch, Splitgate 2 is going back to beta as studio announces layoffs by Pulasthi Ariyasinghe The sequel to the free-to-play arena shooter Splitgate was released just a couple of months ago alongside a surprise Battle Royale mode, but it doesn't look like the launch has gone too well for the studio, 1047 Games. In a lengthy social media post, the developer revealed that it is making some major changes within the company that will also affect its games. The studio said that it agrees with the community regarding Splitgate 2 launching too early with rushed features. Because of this, the title is returning to its beta state. While Splitgate 2 will remain playable, the studio will be deep in development reworking the title behind the scenes until at least early 2026. The soon-landing Season 3 content update is still planned for release. "We're returning not just to our roots in what we build, but in how we build it – with you," said the company. "That means more playtests, more surveys, more listening, and truly being community first. Our goal is to combine the DNA of the first game with the best improvements from the second." The studio also revealed that this shakeup means that it had to cut some team members from the studio. It didn't give an exact number for the roles being cut but said that "we hope to bring them back when we can." In the same vein of keeping costs low, 1047 Games will be shutting down the servers for the original Splitgate within a month's time. "While we'd love to keep servers online indefinitely, it's cost us hundreds of thousands of dollars over the past couple of years, and we have to prioritize our team," added the studio. It said that offline play or peer-to-peer matchmaking for Splitgate are being explored for fans to keep playing, but nothing concrete about these potential options was announced today.
    • It sounds like you are referring to the hidden div scandal, which due to an architectural limitation on Edge prevented hardware acceleration, but of course Google denied that it was specifically intended to break Edge, which of course I don't believe. Google is known for that kind of evilness. The hidden div was also being served to Chrome in that case, but it had a different method that didn't break hardware acceleration.
    • I guess we can agree to disagree. I had the completely opposite experience, and not just that it annoyed me, I was frequently unable to use the sites I visited regularly.
  • Recent Achievements

    • Week One Done
      SmileWorks Dental earned a badge
      Week One Done
    • Community Regular
      vZeroG went up a rank
      Community Regular
    • Collaborator
      Snake Doc earned a badge
      Collaborator
    • Week One Done
      Snake Doc earned a badge
      Week One Done
    • One Month Later
      Johnny Mrkvička earned a badge
      One Month Later
  • Popular Contributors

    1. 1
      +primortal
      587
    2. 2
      Michael Scrip
      199
    3. 3
      ATLien_0
      193
    4. 4
      +FloatingFatMan
      133
    5. 5
      Xenon
      122
  • Tell a friend

    Love Neowin? Tell a friend!