Silk Road forums
Discussion => Security => Topic started by: MrRibena on October 27, 2011, 06:49 am
-
Im not sure if that would make it impossible to the recipient to read, or if it should be done. So far ive just used their public key and sent back the encrypted message. Any thoughts/help appreciated.
-
This is also a question I have.
When I encrypt a message to someone, should I sign it?
If I do, then does the recipient have to have my public key imported in order to decrypt it?
If I don't, am I sure only the recipient will be able to open it?
-
I always sign my communications - what this does is allow the recipient to verify that the communication is actually from you, using your public key.
If it's the first time you've communicated with the person, then it makes no difference (you have no history with them)... but say someone phishes your account and is posing as you - someone who has already has your public key would be able to detect that the sender *may* have changed.
Recap;
Encrypt with recipient's public key -> they decrypt with their private key
Sign with your private key -> recipient can verify that you sent it using your public key
Recipients will be able to decrypt whether it's signed or not. IMO, sign your communications.
-
are you supposed to send your public key to the recipient? i figured out how to encrypt the message but to decrpyt it i have to enter the passphrase i created? how does the recipient get my password?
-
are you supposed to send your public key to the recipient?
Yes, if you'd like an encrypted response (which you probably do).
i figured out how to encrypt the message but to decrpyt it i have to enter the passphrase i created?
Yes, to decrypt a message sent to you that's been encrypted with your public key.
how does the recipient get my password?
The recipient doesn't get the passphrase to your keys -- just as you don't get the passphrase to hers -- she gets only your public key.
-
I read somewhere to avoid signing. You're better protected if you don't sign or something. Hardly a convincing argument I know. But I see error messages in kleopatra when people start signing anyways so I always avoid it.
Also, none the sellers I've dealt with have been signing. If in doubt, follow your local seller. Nah change that.. if in doubt just don't sign. Need a security expert to step in and save us here, but its a topic thats been done before at least once, so I take in upon myself to spread the word to "not sign" even though I can't quote the specific technical reasons. For me its just easier, and less errors etc.
-
Do not sign.
Here is a brief overview of how signing works:
Step 1) You make a public/private keypair
Step 2) You give out your public keypair
Step 3) *Not technically required--but the next crypto step* The recipient contacts you via a trusted channel to verify the fingerprint of your public key.
Step 4) The recipient installs your public key
Step 5) You sign something with your private key
Step 6) ANYONE who has your public key can validate that it came from you (if it is something encrypted they can't read the content, just the signature).
It is very easy for you to accidentally do step 1 wrong, and include information you don't really want public in there (e.g. your email addry)
If your recipient isn't going to do steps 3/4/6 it serves no purpose for you.
If you are not expecting your recipient to reply back to you with encrypted messages then you don't have to do any of the above.