Silk Road forums

Discussion => Security => Topic started by: wannabud on April 25, 2012, 09:13 pm

Title: Upload your public keys in a keyserver represent any lack of security
Post by: wannabud on April 25, 2012, 09:13 pm
I read in some thread here that you should send your public keys only encrypted. I really don't understand why, if they are public keys.

And what about uploading them to a keyserver? Can they track it back to you? Even if you are using Liberte or Tails?
Title: Re: Upload your public keys in a keyserver represent any lack of security
Post by: pine on April 26, 2012, 05:50 am
Well, at least Alice or Bob has to send their public key unencrypted.

Best thing ->

Person A sends public key with plaintext.
Person B encrypts their public key with Person A's public key and sends that to Person A.
Person A decrypts Person B's message to find Person B's public key. Person A makes a new public key and encrypts that with Person B's public key.
Person B decrypts and obtains Person A's new public key.

Now you are twice as secure as before. The outer 'shell' of encryption must be broken before getting access to the inner shell of encryption. A bit mind boggling though.

Notice how one could potentially exchange dozens of 'nested' public keys to enhance PGP to any level of security you wanted. That, I reckon, is the seed of ideas like the Tor onion routing network.

Doing too much of this is kinda pointless for the majority of messages sent. Much like using weak passwords on sites like the NY Times or WSJ, since it's not exactly pivotal if an attacker gains access, you ought to use different levels of cryptography for different purposes.

Obviously if you need stronger encryption than what PGP can offer, then your main attack vector is far more likely to be a keylogger to obtain your passphrase or LE malware to get a copy of your private key.
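
The four-step exchange in the post above, traced as an added example that is not part of the post or the thread. It uses toy textbook RSA with tiny constructed primes (an assumption chosen so it runs with the standard library only, not how PGP works) and records which values cross the channel in the clear and which cross as ciphertext.

```python
# Toy textbook RSA (tiny primes, no padding, one block per byte).
# It illustrates the message flow only and is not secure.
import json

def make_key(p, q, e=17):
    """Return (public, private) for primes p, q: public=(n, e), private=(n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def encrypt(pub, data: bytes):
    n, e = pub
    return [pow(b, e, n) for b in data]

def decrypt(priv, blocks) -> bytes:
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)

def pack(pub) -> bytes:
    return json.dumps(pub).encode()

def unpack(data: bytes):
    return tuple(json.loads(data))

def run_exchange():
    wire = []  # everything a passive observer of the channel sees
    a1_pub, a1_priv = make_key(61, 53)  # Person A's first key (constructed)
    b_pub, b_priv = make_key(67, 71)    # Person B's key (constructed)
    a2_pub, _ = make_key(73, 79)        # Person A's new key (constructed)

    # Step 1: A sends the first public key in plaintext.
    wire.append(("A->B", "plaintext", a1_pub))
    # Step 2: B encrypts B's public key to A's first key.
    msg2 = encrypt(a1_pub, pack(b_pub))
    wire.append(("B->A", "ciphertext", msg2))
    # Step 3: A decrypts it, then encrypts a new public key to B's key.
    b_pub_at_a = unpack(decrypt(a1_priv, msg2))
    msg3 = encrypt(b_pub_at_a, pack(a2_pub))
    wire.append(("A->B", "ciphertext", msg3))
    # Step 4: B decrypts and obtains A's new public key.
    a2_pub_at_b = unpack(decrypt(b_priv, msg3))
    return wire, b_pub_at_a, a2_pub_at_b

if __name__ == "__main__":
    wire, b_seen, a2_seen = run_exchange()
    for direction, kind, _payload in wire:
        print(direction, kind)
    print("A holds B's key:", b_seen, "| B holds A's new key:", a2_seen)
```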
Title: Re: Upload your public keys in a keyserver represent any lack of security
Post by: wannabud on May 01, 2012, 05:45 pm
Didn't get where the lack of security is.

In this case, would every seller here be vulnerable?
Title: Re: Upload your public keys in a keyserver represent any lack of security
Post by: someone703 on May 01, 2012, 08:23 pm
Quote from: wannabud on April 25, 2012, 09:13 pm
I read in some thread here that you should send your public keys only encrypted. I really don't understand why, if they are public keys.

And what about uploading them to a keyserver? Can they track it back to you? Even if you are using Liberte or Tails?

Mind linking to that thread?

The whole point of the public key is that it's public... Anything encrypted with it can only be un-encrypted using the matching private key that only the person who owns the public key should have access to - thus providing confidentiality.

Unless there's some sort of backdoor method allowing a person to generate the private key by using the public key, there's no problem with having your public key floating out there for others to use.