security of key if someone gets original and encrypted file - PGP

This is a discussion on security of key if someone gets original and encrypted file - PGP ; Hello all, accidentally I forgot to delete the unencrypted original after encrypting it to myself with my own public key, so the unencrypted original and the encrypted file stayed in the same folder on my hard disk for some while. ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: security of key if someone gets original and encrypted file

  1. security of key if someone gets original and encrypted file

    Hello all,
    accidentally I forgot to delete the unencrypted original after
    encrypting it to myself with my own public key, so the unencrypted
    original and the encrypted file stayed in the same folder on my hard
    disk for some while.

    Now if some "third party" gets both the unencrypted and the encrypted
    file, would it be possible for them to reconstruct the key, or could the
    security of the key be impaired?


    --
    Wilfried Hennings
    please reply in the newsgroup, the e-mail address is invalid

  2. Re: security of key if someone gets original and encrypted file

    In message , Wilfried
    Hennings writes
    >Hello all,
    >accidentally I forgot to delete the unencrypted original after
    >encrypting it to myself with my own public key, so the unencrypted
    >original and the encrypted file stayed in the same folder on my hard
    >disk for some while.
    >
    >Now if some "third party" gets both the unencrypted and the encrypted
    >file, would it be possible for them to reconstruct the key, or could the
    >security of the key be impaired?


    Happily, no.

    The file is actually encrypted with a one time session key. Only that
    session key is compromised by possession of the plain & the encrypted.
    That session key was made randomly.

    The random session key was then encrypted with your private key, so that
    anyone with your public key would be able to get the session key & so
    decrypt the file.



    Regards
    --
    Dave English Senior Software & Systems Engineer
    Internet Platform Development, Thus plc

  3. Re: security of key if someone gets original and encrypted file

    On Wed, 05 Dec 2007 09:06:28 -0500, Wilfried Hennings wrote:

    > Now if some "third party" gets both the unencrypted and the encrypted
    > file, would it be possible for them to reconstruct the key, or could the
    > security of the key be impaired?


    That's called a "known plaintext attack.

    PGP/GPG encrypts the file using a randomly generated key and the symmetric
    cipher you've chosen. It then encrypts a copy of the randomly generated key,
    for each public key you've specified, using the specified public key cipher.

    Having both, known plaintext, and the encrypted message doesn't help much.
    The plaintext tells the attacker nothing about the the private key, that
    they didn't already know. All it does, is give them extra information,
    for trying to determine the randomly generated key, which, since it's only
    used for the one message, doesn't help them anyway.

    I'm using gpg, which lists the following for the supported ciphers ...
    Symmetric - IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
    Public key -RSA, RSA-E, RSA-S, ELG-E, DSA

    In addition, before you ask , if you sign the message, pgp/gpg calculates
    a hash of the message, and then encrypts the hash using the private key.
    Anyone verifying the sig uses the public key to decrypt the hash, and
    compares it to a newly calculated hash of the signed file, to see if they
    are the same.

    The version of gpg I'm using lists the following hash algorithms ...
    MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224

    The biggest risk, is allowing an attacker to have access to your computer, to
    get a copy of your secret key, and install a keylogger to capture your
    passprhase, or using a weak passphrase, that they can easily guess.

    Hope this helps. You may want to bookmark
    http://www.mccune.cc/PGPpage2.htm

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  4. Re: security of key if someone gets original and encrypted file

    On 12/5/2007 6:47 AM, Dave English wrote:
    > In message , Wilfried
    > Hennings writes
    >> Hello all,
    >> accidentally I forgot to delete the unencrypted original after
    >> encrypting it to myself with my own public key, so the unencrypted
    >> original and the encrypted file stayed in the same folder on my hard
    >> disk for some while.
    >>
    >> Now if some "third party" gets both the unencrypted and the encrypted
    >> file, would it be possible for them to reconstruct the key, or could the
    >> security of the key be impaired?

    >
    > Happily, no.
    >
    > The file is actually encrypted with a one time session key. Only that
    > session key is compromised by possession of the plain & the encrypted.
    > That session key was made randomly.
    >
    > The random session key was then encrypted with your private key, so that
    > anyone with your public key would be able to get the session key & so
    > decrypt the file.
    >
    >
    >
    > Regards


    You have it backwards.

    The session key is encrypted using a PUBLIC key (your own, the
    recipient's, or both). The private key -- with its passphrase -- is
    used to decrypt the session key.

    Theoretically, everyone has your public key. That's why it's called a
    "public key".

    --
    David E. Ross


    Natural foods can be harmful: Look at all the
    people who die of natural causes.

  5. Re: security of key if someone gets original and encrypted file

    In message , David E. Ross
    writes
    >On 12/5/2007 6:47 AM, Dave English wrote:

    ....
    >> The random session key was then encrypted with your private key, so that
    >> anyone with your public key would be able to get the session key & so
    >> decrypt the file.

    ....
    >You have it backwards.
    >
    >The session key is encrypted using a PUBLIC key (your own, the
    >recipient's, or both). The private key -- with its passphrase -- is
    >used to decrypt the session key.


    You are quite right, of course. At that point I confused the encryption
    process with signing.

    Thanks
    --
    Dave English Senior Software & Systems Engineer
    Internet Platform Development, Thus plc

+ Reply to Thread