Silk Road forums

Discussion => Security => Topic started by: MrRibena on October 27, 2011, 06:49 am

Title: Do you "sign" your encrypted PMs/emails?
Post by: MrRibena on October 27, 2011, 06:49 am
I'm not sure if that would make it impossible for the recipient to read, or if it should be done. So far I've just used their public key and sent back the encrypted message. Any thoughts/help appreciated.
Title: Re: Do you "sign" your encrypted PMs/emails?
Post by: mito on October 27, 2011, 12:07 pm
This is also a question I have.

When I encrypt a message to someone, should I sign it?

If I do, then does the recipient have to have my public key imported in order to decrypt it?

If I don't, am I sure only the recipient will be able to open it?
Title: Re: Do you "sign" your encrypted PMs/emails?
Post by: crib on October 27, 2011, 03:50 pm
I always sign my communications - what this does is allow the recipient to verify that the communication is actually from you, using your public key.

If it's the first time you've communicated with the person, then it makes no difference (you have no history with them)... but say someone phishes your account and is posing as you - someone who already has your public key would be able to detect that the sender *may* have changed.

Recap:
Encrypt with recipient's public key -> they decrypt with their private key
Sign with your private key -> recipient can verify that you sent it using your public key


Recipients will be able to decrypt whether it's signed or not. IMO, sign your communications.
Title: Re: Do you "sign" your encrypted PMs/emails?
Post by: Wolverine on October 27, 2011, 09:58 pm
Are you supposed to send your public key to the recipient? I figured out how to encrypt the message, but to decrypt it I have to enter the passphrase I created? How does the recipient get my password?
Title: Re: Do you "sign" your encrypted PMs/emails?
Post by: CrunchyFrog on October 28, 2011, 01:44 am
Are you supposed to send your public key to the recipient?
Yes, if you'd like an encrypted response (which you probably do).

I figured out how to encrypt the message, but to decrypt it I have to enter the passphrase I created?
Yes, to decrypt a message sent to you that's been encrypted with your public key.

How does the recipient get my password?
The recipient doesn't get the passphrase to your keys -- just as you don't get the passphrase to hers -- she gets only your public key.
Title: Re: Do you "sign" your encrypted PMs/emails?
Post by: LexusMiles on October 28, 2011, 02:08 am
I read somewhere to avoid signing. You're better protected if you don't sign, or something. Hardly a convincing argument, I know. But I see error messages in Kleopatra when people start signing anyway, so I always avoid it.

Also, none of the sellers I've dealt with have been signing. If in doubt, follow your local seller. Nah, change that... if in doubt, just don't sign. Need a security expert to step in and save us here, but it's a topic that's been done before at least once, so I take it upon myself to spread the word to "not sign" even though I can't quote the specific technical reasons. For me it's just easier, and less errors etc.
Title: Re: Do you "sign" your encrypted PMs/emails?
Post by: Gruzel on October 30, 2011, 04:42 am
Do not sign.

Here is a brief overview of how signing works:

Step 1) You make a public/private keypair

Step 2) You give out your public keypair

Step 3) *Not technically required--but the next crypto step* The recipient contacts you via a trusted channel to verify the fingerprint of your public key.

Step 4) The recipient installs your public key

Step 5) You sign something with your private key

Step 6) ANYONE who has your public key can validate that it came from you (if it is something encrypted they can't read the content, just the signature).

It is very easy for you to accidentally do step 1 wrong and include information you don't really want public in there (e.g. your email address).

If your recipient isn't going to do steps 3/4/6, it serves no purpose for you.

If you are not expecting your recipient to reply back to you with encrypted messages then you don't have to do any of the above.