Silk Road forums
Discussion => Security => Topic started by: stemcell on January 21, 2013, 02:19 pm
-
I would have posted this in the newbie forum but there is no "post new thread" or reply on the tabs when I go to ask for help.
I know how to take a vendor's PGP and send them an encrypted message. What I can't figure out is how to generate my own PGP key so someone can message me encrypted, then also how to un-encrypt it. Can anyone tell me the steps? Surely it can't be any more complicated than sending an encrypted message.
Thank you in advance.
-
This is a guide made by SR member astor: 32yehzkk7jflf6r2.onion/gpg4usb/ if you use gpg4usb.
If you use a different program just google it for fast answer, there are many guides out there.
-
I would have posted this in the newbie forum but there is no "post new thread" or reply on the tabs when I go to ask for help.
I know how to take a vendor's PGP and send them an encrypted message. What I can't figure out is how to generate my own PGP key so someone can message me encrypted, then also how to un-encrypt it. Can anyone tell me the steps? Surely it can't be any more complicated than sending an encrypted message.
Thank you in advance.
What has me a little confused is how you say you can encrypt a message to a vendor, yet you don't know how to generate your own key? Most implementations of GPG that I've seen will prompt you, after installation, to generate a PGP key of your own.
I find myself wondering if you're using one of those blasted web implementations like igolder.com. Is that what you're using (or PortablePGP), which is equally as bad?
If you don't tell us what you're using, how do you expect anyone to be able to help you? We're not mind-readers.
If I were in your shoes, I'd use GPG4USB. You can see Astor's excellent tutorial here: http://32yehzkk7jflf6r2.onion/gpg4usb/
Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
-
I'm using GnuPG.
For me to be using that and encrypt a message to a supplier, does that mean that I somehow have already created my own key and didn't even know it?
-
I have a bit of an issue myself. I am using gpg4usb.
Now when I went through the review and set it up, I made my own key (although I have never found a reason for anyone to message me using my own key).
I know how to copy a vendor key and import it from clipboard. So, that being said,
When I type a message/shipping info in the box, check the vendor whose key I want to use to encrypt, then hit encrypt, it works, no issue. (I think) (have not had a problem yet)
But a vendor replied back to me the other day in what I am assuming was his public key, so I copy-pasted what he said on SR, placed it in the box that I use to type my own messages, clicked that vendor from the right, and hit decrypt. "Error decrypting" pops up, says decryption failed, no secret key, no private key with id ******* present in key ring.
Odd, right? I don't get it. So I just sent a message to another vendor, encrypted using his public key, then copy-pasted exactly what I sent him back into my gpg4usb, hit decrypt using the same key that I just encrypted it with, and same thing. Same message. Now I made that encryption.... so I'm totally lost. What am I missing here? Anyone got any ideas?
Thanks in advance, has me scratching my head.
-
I just watched a video and sometimes it does not work; there are different versions out there that are not compatible, the guy said, but try it a couple of times because sometimes it's a glitch.
-
so I copy-pasted what he said on SR, placed it in the box that I use to type my own messages, clicked that vendor from the right, and hit decrypt. "Error decrypting" pops up, says decryption failed, no secret key, no private key with id ******* present in key ring.
So I just sent a message to another vendor, encrypted using his public key, then copy-pasted exactly what I sent him back into my gpg4usb, hit decrypt using the same key that I just encrypted it with, and same thing. Same message. Now I made that encryption.... so I'm totally lost. What am I missing here? Anyone got any ideas?
Either,
A) Two vendors mistakenly encrypted messages to the wrong key
B) You sent the wrong public key (ie, someone else's public key in your key ring) to both of them
C) Somehow your private key was deleted.
Following my tutorial, can you make a backup of your private key? Does the key ID match the key that they are encrypting their messages with? Does it match another public key in your key ring?
Edit: Hang on, I just caught this:
I just sent a message to another vendor, encrypted using his public key, then copy-pasted exactly what I sent him back into my gpg4usb, hit decrypt using the same key that I just encrypted it with, and same thing
If you encrypt a message with someone else's public key, only they can decrypt it with their private key. (That's why it's a good idea to encrypt it to the recipient and yourself)
What you describe in the second paragraph is not the same thing that you describe in the first paragraph.
-
Ahhhhh, my brain hamster has fallen off his wheel!
When I set up my gpg4usb, I followed the guideline. I made a back up of my key and saved it to my d-top.
(Now, as I said, I copy the vendor key from their page and import it from the clipboard; the smaller box then comes up with the name, email and that of the vendor, which adds itself to the list on the right.)
I then click the box for that vendor, write a message and hit encrypt, copy it, paste it into the SR message box, and send it. Now, when they reply back to me, I am assuming they use their own public key to encrypt, so I copy it, paste it into my gpg4usb box, click that vendor from the right, and hit decrypt. And that error box comes up.
Even if I copy-paste what I just encrypted using the vendor public key, and try to decrypt what I just typed with that same key I just used, it says the same. Now, shouldn't it be able to decrypt what I just encrypted? This is what is so confusing.
As for my key, I never use it, never sent it to a vendor, never done anything with it, other than that thing I saved to my desktop. So I assume any message they send me is encrypted using their own public key. Man, I am so lost here. I have 3 orders I have placed by encrypting with the key off the vendor page. 2 different vendors and everything went to in transit, so I assume they could decrypt what I sent them?
Sorry for hijacking this thread, hoping to get it figured out, as it could pose problems for me. Thanks.
-
Now, when they reply back to me, I am assuming they use their own public key to encrypt, so I copy it, paste it into my gpg4usb box, click that vendor from the right, and hit decrypt. And that error box comes up.
Quoting my tutorial:
They [your friends, vendors] use your public key to encrypt messages to you. You use your private key to decrypt messages.
You have to select your key to decrypt the message, not theirs.
If they encrypted the message with their public key, then only they (with their private key) could decrypt it. These keys are mathematically related.
Even if I copy-paste what I just encrypted using the vendor public key, and try to decrypt what I just typed with that same key I just used, it says the same. Now, shouldn't it be able to decrypt what I just encrypted? This is what is so confusing.
No, because you encrypted it with THEIR public key, not yours. You can only decrypt messages that are encrypted with your public key, because you have the corresponding private key that is used to decrypt.
-
You create a pair of keys that are mathematically related to each other, one is public and the other is private.
Never share your private key with anyone. [It is used to decrypt messages to you.]
Give your public key to your friends. [It is used to encrypt messages to you.]
Collect public keys from your friends. Use their public keys to encrypt messages to them.
They use your public key to encrypt messages to you.
You use your private key to decrypt messages. [Meaning you have to select your key in the interface.]
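The two situations astor describes above (a message encrypted only to the vendor's public key cannot be decrypted from your own keyring, while a message encrypted to the vendor AND to yourself can) can be reproduced with command-line GnuPG. This is an added example, not part of any post in the thread; it assumes a GnuPG 2.1 or later binary on PATH and uses two constructed identities, me@example.test and vendor@example.test, each in its own temporary keyring.

```shell
#!/bin/sh
# Two separate keyrings ("me" and "vendor"), exchanging PUBLIC keys only.
# Returns 0 when: the vendor-only message fails to decrypt in my keyring
# ("No secret key"), decrypts in the vendor's, and the message encrypted
# to both recipients decrypts in both keyrings.
pgp_demo() {
  work=$(mktemp -d) || return 1
  ME="$work/me"; VENDOR="$work/vendor"
  mkdir -m 700 "$ME" "$VENDOR"
  # Generate an unprotected key pair in each keyring (demo only).
  for dir in "$ME" "$VENDOR"; do
    uid="$(basename "$dir")@example.test"   # constructed identity
    gpg --homedir "$dir" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never >/dev/null 2>&1 || return 1
  done
  # Give each side the other's public key (never the private key).
  gpg --homedir "$VENDOR" --batch --export vendor@example.test \
    | gpg --homedir "$ME" --batch --quiet --import 2>/dev/null
  gpg --homedir "$ME" --batch --export me@example.test \
    | gpg --homedir "$VENDOR" --batch --quiet --import 2>/dev/null
  printf 'order details\n' > "$work/msg.txt"
  # Encrypted ONLY to the vendor's public key (what the poster did).
  gpg --homedir "$ME" --batch --quiet --trust-model always \
      -r vendor@example.test -e -o "$work/to_vendor.gpg" "$work/msg.txt" || return 1
  # Encrypted to the vendor AND to myself (astor's advice).
  gpg --homedir "$ME" --batch --quiet --trust-model always \
      -r vendor@example.test -r me@example.test -e -o "$work/to_both.gpg" "$work/msg.txt" || return 1
  # My keyring holds no vendor private key, so this decryption must fail.
  if gpg --homedir "$ME" --batch --quiet -d "$work/to_vendor.gpg" >/dev/null 2>&1; then
    return 2
  fi
  # The vendor's private key decrypts the vendor-only message.
  gpg --homedir "$VENDOR" --batch --quiet -d "$work/to_vendor.gpg" >/dev/null 2>&1 || return 3
  # The two-recipient message decrypts on both sides.
  gpg --homedir "$ME" --batch --quiet -d "$work/to_both.gpg" >/dev/null 2>&1 || return 4
  gpg --homedir "$VENDOR" --batch --quiet -d "$work/to_both.gpg" >/dev/null 2>&1 || return 5
  # Stop the per-keyring agents and clean up.
  gpgconf --homedir "$ME" --kill gpg-agent 2>/dev/null
  gpgconf --homedir "$VENDOR" --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  return 0
}
```

Run `pgp_demo; echo $?` and a zero exit status confirms all four decryption outcomes described in the thread.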
-
Oh thank you, I get it now.
So when the vendor replied to me, and it was encrypted, they could not have sent me a correct message, because I never sent them my public key? Right?
-
If you never sent them your public key, then there was never a way for you to decrypt their messages.
I would hope that a vendor would have figured out PGP enough to ask for your public key, maybe that's not the case.
There's a notable vendor on SR right now getting rave reviews, and I was very close to ordering from him, but when I imported his key I realized it was only 1024 bits. Red flag. Who knows how good the rest of his security is. I never ordered.
Sometimes you have to lose a few battles in order to win the war.
-
I have a small issue with the PGP encryption
I'd sent an encrypted message to a vendor (including my public key) and he wrote an encrypted message back (I guess he had used my public key), so I copy-pasted the message in my decryption software (I use GnuPG Version 2.0.17) and got the message "Error in operation result: No valid UTF-8 position 56". Wondering what had happened, thinking there's something wrong with the GnuPG, I downloaded GPG4USB and imported my public key (and, as I thought, my private key) in that software and tried again; this time I got the error message "Decryption failed no secret key wit id blablabla found".
Thinking what is that shit... So I encrypted a message for me with GnuPG and tried to decrypt it with GPG4USB and guess what: "no secrete key found with ID "other bla bla as above"".
So I tried it the other way: encryption with GPG4USB to me, decryption with GnuPG.... Message "no correct encrypted message in...." More WTF.
So I'm stuck at that point, can't imagine what's wrong except maybe a problem due to different versions, but no step forward to decrypt the vendor's message, which starts like:
"-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0........"
Any suggestions to solve that riddle would be very helpful.
If it should be a problem due to different versions, how could we send each other messages without downloading a new version for each specific message?
Apart from that, during my time in the puppy section I tried the encryption/decryption with some people and never had any problems....
-
O.K., no further help needed, I found the solution.
If you hear hooves, think about horses and stop looking for zebras xD
-
I'm using GnuPG.
That, unfortunately, is not at all helpful. Saying that you use GnuPG is like saying you drive a car -- is it a Ford, Yugo, Mercedes? Similarly, there are any number of GnuPG implementations, some good, some not so good. Some of these are: GPG4USB (good), GPG4WIN (not so good), PortablePGP (execrably bad) and iGolder.com (execrably bad).
GnuPG is identical for all platforms when run from the command-line; the differences in the various interfaces (or front-ends) for Windows, Linux, and Mac OS X are literally enormous. Without knowing which one you're using, there is no way to help you, because we have no way of knowing what you are using, we cannot give you instructions or help.
For me to be using that and encrypt a message to a supplier, does that mean that I somehow have already created my own key and didn't even know it?
Basically, that is why I am confused. It is simply not possible to generate a key without knowing it, as you will have to fill-in information such as key-size, user-id, etc. You will also have to provide keyboard/mouse input to help with entropy generation. So, no, it's not possible to generate a key, and not know it.
Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
-
I have a small issue with the PGP encryption.
I'd sent an encrypted message to a vendor (including my public key) and he wrote an encrypted message back (I guess he had used my public key), so I copy-pasted the message in my decryption software (I use GnuPG Version 2.0.17) and got the message "Error in operation result: No valid UTF-8 position 56". Wondering what had happened, thinking there's something wrong with the GnuPG, I downloaded GPG4USB and imported my public key (and, as I thought, my private key) in that software and tried again; this time I got the error message "Decryption failed no secret key wit id blablabla found".
Thinking what is that shit... So I encrypted a message for me with GnuPG and tried to decrypt it with GPG4USB and guess what: "no secrete key found with ID "other bla bla as above"".
So I tried it the other way: encryption with GPG4USB to me, decryption with GnuPG.... Message "no correct encrypted message in...." More WTF.
So I'm stuck at that point, can't imagine what's wrong except maybe a problem due to different versions, but no step forward to decrypt the vendor's message, which starts like:
"-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0........"
FWIW, all versions of PGP/GPG are 99.999% interoperable. The type of error you're describing sounds like a malformed key or message block -- it doesn't happen often, but it does happen. What *really* raises the hairs on the back of my neck is the version string: "Version: BCPG C# v1.6.1.0". This version string tells me that the software the vendor uses is not only broken, but BADLY broken.
Java based PGP/GPG implementations based on the BouncyCastle Java crypto libraries should be avoided like the proverbial plague. These versions, as a general rule, are out of date, and produce dangerously undersized PGP keys. The current standard calls for a minimum of 2048-bits; the version that your vendor is using defaults to 1024-bits. Some versions even have encryption keys as small as 512-bits. I wouldn't be caught dead using any vendor who relies on such a small key (and broken software) for their security.
[snip]
Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
-
Thank you Nightcrawler for your little inside info. Didn't know about Bouncy Castle and how very very very bad + bad it is. I guess I should propose to the vendor to do a software switch, and link him to your post so he can see for himself what a bad broken shit the Bouncing Castle is.
My problem in fact was not a malfunctioning key; it was just me being too stupid and ignorant to understand that you can also encrypt files and have them decrypted through the decrypt file function and not the decrypt text. But as you can just learn from mistakes, I gathered a lot of information about PGP/GPG looking for a solution myself. :)