Silk Road forums

Discussion => Security => Topic started by: valueaddedtax on June 03, 2012, 05:05 pm

Title: Shopping cart contains multiple vendors - PGP
Post by: valueaddedtax on June 03, 2012, 05:05 pm
Will I just add my address with my encrypted address into the address box for each vendor?

Thanks.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: Prawl42 on June 03, 2012, 05:15 pm
If your cart contains items from more than one vendor, you only need to put your address (encrypted) once and it will be sent to all of them. Obviously, if you want different items sent to different places, then adjust accordingly.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: reich on June 03, 2012, 05:32 pm
Make sure to encrypt the address with ALL the vendors' PGP public keys; this is a problem I often get and it's annoying & time-wasting.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: jollygiant on June 03, 2012, 05:53 pm
It is worth noting 2 things:

1) the recipient of the message can be identified by the encrypted block with the first few bits if those are known or the public key is available
2) if you encrypt your address without additional entropy, it will be easier to reverse it using the recipient's public key

if we both encrypted

Code: [Select]
John Doe
123 Cherry Rd.
Chicago, IL 60652

with the same recipient (vendor's) public key, we would end up with the same result.

Code: [Select]
John Doe
123 Cherry Rd.
Chicago, IL 60652

<different note each time>

would be theoretically 'safer' for this reason
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: PsilocybinTendencies on June 03, 2012, 06:06 pm
I didn't think about that! I just place a completely different order for each and every vendor.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: genghar on June 03, 2012, 06:50 pm
I just put whatever in the address box and then private message the sellers individually.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: Zero Gravity on June 03, 2012, 07:05 pm
Quote from: genghar
I just put whatever in the address box and then private message the sellers individually.

That's not good either, because the address box from your order will be deleted forever after the vendor confirms the order!
And in the PMs it's then deleted when the vendor does this manually!  ;)
So it's much better to make multiple recipients in the encryption, or you make a separate list for every vendor!
greets Zero Gravity
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: GreenGiant on June 03, 2012, 07:20 pm
Quote from: genghar
I just put whatever in the address box and then private message the sellers individually.

This would annoy the hell out of me! The address box is there for a reason. When I go to pack an order, I do not want to have to search 5 pages deep into my inbox to find someone's address. Yes, vendors can get 50+ PMs in a day!
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: Zero Gravity on June 03, 2012, 07:23 pm
And that's also a point we shouldn't forget!
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: genghar on June 03, 2012, 08:47 pm
Quote from: Zero Gravity
Quote from: genghar
I just put whatever in the address box and then private message the sellers individually.

That's not good either, because the address box from your order will be deleted forever after the vendor confirms the order!
And in the PMs it's then deleted when the vendor does this manually!  ;)
So it's much better to make multiple recipients in the encryption, or you make a separate list for every vendor!
greets Zero Gravity

I didn't know you could address something to more than one recipient.  How does that work?  How does your decryption program know which password to prompt you for?
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: Zero Gravity on June 03, 2012, 09:12 pm
Look here, it's nearly at the end: http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html


To make your selection, choose the required certificates in the top portion and press [Add]. You will see all selected certificates in the lower dialog portion for review purposes.
 
Depending on the selected recipient certificate and its type (OpenPGP or S/MIME), your file is then encrypted using OpenPGP and/or S/MIME. So if you selected an OpenPGP certificate and an S/MIME certificate, you will receive two encrypted files. The possible file types for the encrypted files are found on the next page.
 
Now click on [Encrypt]: The file is encrypted.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: sdesu on June 03, 2012, 09:13 pm
Quote from: genghar
Quote from: Zero Gravity
Quote from: genghar
I just put whatever in the address box and then private message the sellers individually.

That's not good either, because the address box from your order will be deleted forever after the vendor confirms the order!
And in the PMs it's then deleted when the vendor does this manually!  ;)
So it's much better to make multiple recipients in the encryption, or you make a separate list for every vendor!
greets Zero Gravity

I didn't know you could address something to more than one recipient.  How does that work?  How does your decryption program know which password to prompt you for?

When you're encrypting the text, you can select the keys of multiple people. It will become one block of encrypted text, but each person on the recipient list can use their own key to open it.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: Zero Gravity on June 03, 2012, 09:16 pm
Yes, that's it!
That's what I want to say, but my English is not so good! :-[
 ;D
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: murderface2012 on February 07, 2013, 12:39 am
Quote from: sdesu
Quote from: genghar
Quote from: Zero Gravity
Quote from: genghar
I just put whatever in the address box and then private message the sellers individually.

That's not good either, because the address box from your order will be deleted forever after the vendor confirms the order!
And in the PMs it's then deleted when the vendor does this manually!  ;)
So it's much better to make multiple recipients in the encryption, or you make a separate list for every vendor!
greets Zero Gravity

I didn't know you could address something to more than one recipient.  How does that work?  How does your decryption program know which password to prompt you for?

When you're encrypting the text, you can select the keys of multiple people. It will become one block of encrypted text, but each person on the recipient list can use their own key to open it.

This is very good info!! Epic time saver!!
You learn something every day!!
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: astor on February 07, 2013, 01:22 am
Quote from: jollygiant
1) the recipient of the message can be identified by the encrypted block with the first few bits if those are known or the public key is available

The Windows and Mac ports of GPG usually only include the basic options, but the standard command line GPG for Linux has the --throw-keyid option which enters zeros for the key id. In that case, your PGP client will try every private key that you own until it is able to decrypt the message or fails. Anyone to whom the message is not encrypted won't know who the recipients are, even if they have their public keys.

In that way, you could encrypt the message to multiple recipients and they won't know who the others are, although they would know how many recipients there are.

Edit: I should point out that I'm talking about the GUIs. When you extract GPG4USB, you will get gpg.exe in a subfolder called bin. It is a direct port of the Linux command line client with all of the options, so this will work

   gpg.exe --throw-keyid --armor -r Recipient1 -r Recipient2 -e address.txt

Encrypted and anonymous.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: murderface2012 on February 07, 2013, 01:30 am
Wow!! I feel stupid for not knowing this already!!  :-X
Thanks astor!!
+1
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: astor on February 07, 2013, 03:08 am
Yeah, here's what it actually looks like with the command line client, which is more verbose than the GUIs. I've removed the other people's key IDs and email addresses in case they don't want that public.

First, I encrypt and decrypt normally:

Code: [Select]
$ gpg -r Nightcrawler -r SelfSovereignty -r astor -e hello.txt

$ gpg -d hello.txt.asc

You need a passphrase to unlock the secret key for
user: "astor <astorx@tormail.org>"
4096-bit RSA key, ID CC925AD7, created 2012-12-19 (main key ID 706EE207)

gpg: encrypted with 4096-bit RSA key, ID <KEYID>, created <DATE>
      "SelfSovereignty <email@example.org>"
gpg: encrypted with 4096-bit RSA key, ID <KEYID>, created <DATE>
      "Nightcrawler <email@example.org>"
gpg: encrypted with 4096-bit RSA key, ID CC925AD7, created 2012-12-19
      "astor <astorx@tormail.org>"

Hi there!

Then I encrypt with throw-keyid and decrypt:

Code: [Select]
$ gpg --throw-keyid -r Nightcrawler -r SelfSovereignty -r astor -e hello.txt

$ gpg -d hello.txt.asc
gpg: anonymous recipient; trying secret key <KEYID> ...
gpg: anonymous recipient; trying secret key <KEYID> ...
gpg: anonymous recipient; trying secret key <KEYID> ...
gpg: anonymous recipient; trying secret key <KEYID> ...
<It says that a bunch of times>

gpg: okay, we are the anonymous recipient.
gpg: encrypted with RSA key, ID 00000000
gpg: encrypted with RSA key, ID 00000000
gpg: encrypted with RSA key, ID 00000000

Hi there!

As you can see, I as the recipient would have no idea that the message was also encrypted to Nightcrawler and SelfSovereignty, even though I have their public keys.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: Hungry ghost on February 07, 2013, 09:30 am
Quote
I didn't know you could address something to more than one recipient.  How does that work?  How does your decryption program know which password to prompt you for?

How it works (as Louis Cyphre explained to me a while ago) is that the message is first encrypted using a symmetric key (256-bit AES, if I remember correctly), i.e. one that can both encrypt and decrypt, as opposed to the asymmetric public/private key type. This key is then encrypted to each recipient's public key and all is sent along with the encrypted text as one block of text.
When the text arrives, the recipient's software can decrypt the symmetric key using his own private key, and then use this to decrypt the main message. I was quite pleased when Louis explained this elegant solution to me, although I'm not sure I've explained it as clearly as he did.
Title: Re: Shopping cart contains multiple vendors - PGP
Post by: SorryMario on February 11, 2013, 09:10 pm
Quote from: jollygiant
1) the recipient of the message can be identified by the encrypted block with the first few bits if those are known or the public key is available
2) if you encrypt your address without additional entropy, it will be easier to reverse it using the recipient's public key

if we both encrypted

Code: [Select]
John Doe
123 Cherry Rd.
Chicago, IL 60652

with the same recipient (vendor's) public key, we would end up with the same result.

No, that's not true. The only part of two separate PGP messages that will ever be the same is the initial bytes that tell the decrypting program which algorithms and public key the session key has been encrypted with. The remainder of the message - the public-key-encrypted session key and the symmetrically encrypted (and compressed) message data - will never be the same for separate PGP messages.

You can even encrypt the exact same message over and over again yourself with the same public key each time and it will always produce completely different encryption results.

It's not easy to see the different parts of a PGP message because it is all base64 encoded. But basically it's
[version info] + [algorithm & public key info] + [public key encrypted session key] + [session key encrypted message data] + [checksum]
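
Added example, not code from any poster in this thread: a small Python parser for the packet layout SorryMario sketches, reading the per-recipient session-key packets Hungry ghost describes and showing what astor's --throw-keyid output reflects (key ID fields zeroed, recipient count still visible). The sample messages are constructed bytes with fake key IDs and payloads, and only definite-length headers and version 3 session-key packets are assumed.

```python
TAG_PKESK = 1  # Public-Key Encrypted Session Key packet (RFC 4880, 5.1)

def read_packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet in data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: tag in the low six bits
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(message):
    """Return the 8-octet key ID in each version 3 PKESK packet, as hex."""
    return [body[1:9].hex().upper() for tag, body in read_packets(message)
            if tag == TAG_PKESK and body[:1] == b"\x03"]

def _pkesk(key_id):
    # Constructed packet: version 3, key ID, algorithm 1 (RSA), then a fake
    # 16-bit MPI standing in for the public-key-encrypted session key.
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xAB\xCD"
    return bytes([0x84, len(body)]) + body  # old-format header, tag 1

# Constructed sample messages (fake key IDs and payload, not real gpg output):
# three recipient packets followed by a tag 18 encrypted-data packet.
DATA = bytes([0xD2, 4]) + b"\x01\xDE\xAD\xBE"
NORMAL = b"".join(_pkesk(bytes([b] * 8)) for b in (0x11, 0x22, 0x33)) + DATA
HIDDEN = _pkesk(bytes(8)) * 3 + DATA  # key IDs zeroed, as with --throw-keyid

if __name__ == "__main__":
    print(recipient_key_ids(NORMAL))  # one distinct key ID per recipient
    print(recipient_key_ids(HIDDEN))  # three all-zero IDs: count still visible
```

To inspect a real message with this, de-armor it first (for example with gpg --dearmor) so the input is the binary packet stream.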