Silk Road forums
Discussion => Security => Topic started by: valueaddedtax on June 03, 2012, 05:05 pm
-
Will I just add my address with my encrypted address into the address box for each vendor?
Thanks.
-
If your cart contains items from more than one vendor, you only need to put your address (encrypted) once and it will be sent to all of them. Obviously, if you want different items sent to different places, then adjust accordingly.
-
Make sure to encrypt the address with ALL the vendors' PGP public keys; this is a problem I often get and it's annoying and time-wasting.
-
It is worth noting 2 things:
1) the recipient of the message can be identified by the encrypted block with the first few bits if those are known or the public key is available
2) if you encrypt your address without additional entropy, it will be easier to reverse it using the recipient's public key
if we both encrypted
John Doe
123 Cherry Rd.
Chicago, IL 60652
with the same recipient (vendor's) public key, we would end up with the same result.
John Doe
123 Cherry Rd.
Chicago, IL 60652
<different note each time>
would be theoretically 'safer' for this reason
-
I didn't think about that! I just place a completely different order for each and every vendor.
-
I just put whatever in the address box and then private message the sellers individually.
-
I just put whatever in the address box and then private message the sellers individually.
That's not good either, because the Address Box from your Order will be deleted forever after the Vendor confirms the Order!
And in the PMs it's then deleted when the Vendor does this manually! ;)
So it's much better to make multiple recipients in the encryption, or you make a separate list for every Vendor!
greets Zero Gravity
-
I just put whatever in the address box and then private message the sellers individually.
This would annoy the hell out of me! The address box is there for a reason. When I go to pack an order, I do not want to have to search 5 pages deep into my inbox to find someone's address. Yes, vendors can get 50+ PMs in a day!
-
And that's also a point we shouldn't forget!
-
I just put whatever in the address box and then private message the sellers individually.
That's not good either, because the Address Box from your Order will be deleted forever after the Vendor confirms the Order!
And in the PMs it's then deleted when the Vendor does this manually! ;)
So it's much better to make multiple recipients in the encryption, or you make a separate list for every Vendor!
greets Zero Gravity
I didn't know you could address something to more than one recipient. How does that work? How does your decryption program know which password to prompt you for?
-
Look here, it's nearly at the end: http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html
To make your selection, choose the required certificates in the top portion and press [Add]. You will see all selected certificates in the lower dialog portion for review purposes.
Depending on the selected recipient certificate and its type (OpenPGP or S/MIME), your file is then encrypted using OpenPGP and/or S/MIME. So if you selected an OpenPGP certificate and an S/MIME certificate, you will receive two encrypted files. The possible file types for the encrypted files are found on the next page.
Now click on [Encrypt]: The file is encrypted.
-
I just put whatever in the address box and then private message the sellers individually.
That's not good either, because the Address Box from your Order will be deleted forever after the Vendor confirms the Order!
And in the PMs it's then deleted when the Vendor does this manually! ;)
So it's much better to make multiple recipients in the encryption, or you make a separate list for every Vendor!
greets Zero Gravity
I didn't know you could address something to more than one recipient. How does that work? How does your decryption program know which password to prompt you for?
When you're encrypting the text, you can select the keys of multiple people. It will become one block of encrypted text, but each person on the recipient list can use their own key to open it.
-
Yes, that's it!
That's what I want to say, but my English is not so good! :-[
;D
-
I just put whatever in the address box and then private message the sellers individually.
That's not good either, because the Address Box from your Order will be deleted forever after the Vendor confirms the Order!
And in the PMs it's then deleted when the Vendor does this manually! ;)
So it's much better to make multiple recipients in the encryption, or you make a separate list for every Vendor!
greets Zero Gravity
I didn't know you could address something to more than one recipient. How does that work? How does your decryption program know which password to prompt you for?
When you're encrypting the text, you can select the keys of multiple people. It will become one block of encrypted text, but each person on the recipient list can use their own key to open it.
this is very good info!! epic time saver!!
you learn something everyday!!
-
1) the recipient of the message can be identified by the encrypted block with the first few bits if those are known or the public key is available
The Windows and Mac ports of GPG usually only include the basic options, but the standard command line GPG for Linux has the --throw-keyid option which enters zeros for the key id. In that case, your PGP client will try every private key that you own until it is able to decrypt the message or fails. Anyone to whom the message is not encrypted won't know who the recipients are, even if they have their public keys.
In that way, you could encrypt the message to multiple recipients and they won't know who the others are, although they would know how many recipients there are.
Edit: I should point out that I'm talking about the GUIs. When you extract GPG4USB, you will get gpg.exe in a subfolder called bin. It is a direct port of the Linux command line client with all of the options, so this will work:
gpg.exe --throw-keyid --armor -r Recipient1 -r Recipient2 -e address.txt
Encrypted and anonymous.
-
wow!! i feel stupid for not knowing this already!! :-X
thanx astor!!
+1
-
Yeah, here's what it actually looks like with the command line client, which is more verbose than the GUIs. I've removed the other people's key IDs and email addresses in case they don't want that public.
First, I encrypt and decrypt normally:
$ gpg -r Nightcrawler -r SelfSovereignty -r astor -e hello.txt
$ gpg -d hello.txt.asc
You need a passphrase to unlock the secret key for
user: "astor <astorx@tormail.org>"
4096-bit RSA key, ID CC925AD7, created 2012-12-19 (main key ID 706EE207)
gpg: encrypted with 4096-bit RSA key, ID <KEYID>, created <DATE>
"SelfSovereignty <email@example.org>"
gpg: encrypted with 4096-bit RSA key, ID <KEYID>, created <DATE>
"Nightcrawler <email@example.org>"
gpg: encrypted with 4096-bit RSA key, ID CC925AD7, created 2012-12-19
"astor <astorx@tormail.org>"
Hi there!
Then I encrypt with throw-keyid and decrypt:
$ gpg --throw-keyid -r Nightcrawler -r SelfSovereignty -r astor -e hello.txt
$ gpg -d hello.txt.asc
gpg: anonymous recipient; trying secret key <KEYID> ...
gpg: anonymous recipient; trying secret key <KEYID> ...
gpg: anonymous recipient; trying secret key <KEYID> ...
gpg: anonymous recipient; trying secret key <KEYID> ...
<It says that a bunch of times>
gpg: okay, we are the anonymous recipient.
gpg: encrypted with RSA key, ID 00000000
gpg: encrypted with RSA key, ID 00000000
gpg: encrypted with RSA key, ID 00000000
Hi there!
As you can see, I as the recipient would have no idea that the message was also encrypted to Nightcrawler and SelfSovereignty, even though I have their public keys.
-
I didn't know you could address something to more than one recipient. How does that work? How does your decryption program know which password to prompt you for?
How it works (as Louis Cyphre explained to me a while ago) is that the message is first encrypted using a symmetric key (256-bit AES, if I remember correctly), i.e. one that can both encrypt and decrypt, as opposed to the asymmetric public/private key type. This key is then encrypted to each recipient's public key and all is sent along with the encrypted text as one block of text.
When the text arrives, the recipient's software can decrypt the symmetric key using his own private key, and then use this to decrypt the main message. I was quite pleased when Louis explained this elegant solution to me, although I'm not sure I've explained it as clearly as he did.
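-
Added example, not part of any post in this thread: a toy Python model of the hybrid scheme described above, where one random session key encrypts the text and is then wrapped separately for each recipient. The recipient names, the small textbook-RSA keys and the SHA-256 keystream are stand-ins chosen for illustration; real OpenPGP uses proper ciphers and random padding on the session key.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the symmetric cipher: XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two known primes: unpadded and far too small for real use."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def encrypt_to(public_keys: dict, plaintext: bytes) -> dict:
    """Encrypt once with a random session key, then wrap that key per recipient."""
    session_key = secrets.token_bytes(8)            # fresh for every message
    k = int.from_bytes(session_key, "big")
    wrapped = {name: pow(k, e, n) for name, (n, e) in public_keys.items()}
    return {"wrapped_keys": wrapped, "body": keystream_xor(session_key, plaintext)}

def decrypt_as(name: str, private_key: tuple, message: dict) -> bytes:
    """Unwrap the session key with one recipient's private key, then decrypt."""
    n, d = private_key
    k = pow(message["wrapped_keys"][name], d, n)
    return keystream_xor(k.to_bytes(8, "big"), message["body"])

# Constructed sample data: two hypothetical recipients, placeholder address.
PUB_A, PRIV_A = toy_rsa_keypair(2**31 - 1, 2**61 - 1)
PUB_B, PRIV_B = toy_rsa_keypair(2**89 - 1, 2**107 - 1)
RECIPIENTS = {"vendor_a": PUB_A, "vendor_b": PUB_B}
ADDRESS = b"John Doe\n123 Cherry Rd.\nChicago, IL 60652\n"

if __name__ == "__main__":
    first, second = encrypt_to(RECIPIENTS, ADDRESS), encrypt_to(RECIPIENTS, ADDRESS)
    print(decrypt_as("vendor_a", PRIV_A, first) == ADDRESS)   # either recipient
    print(decrypt_as("vendor_b", PRIV_B, first) == ADDRESS)   # can open it
    print(first["body"] != second["body"])                     # differs each time
```

Because the session key is drawn fresh for every message, encrypting the same address twice gives two different bodies and two different sets of wrapped keys.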
-
1) the recipient of the message can be identified by the encrypted block with the first few bits if those are known or the public key is available
2) if you encrypt your address without additional entropy, it will be easier to reverse it using the recipient's public key
if we both encrypted
John Doe
123 Cherry Rd.
Chicago, IL 60652
with the same recipient (vendor's) public key, we would end up with the same result.
No, that's not true. The only part of two separate PGP messages that will ever be the same is the initial bytes that tell the decrypting program which algorithms and public key the session key has been encrypted with. The remainder of the message - the public key encrypted session key, and the symmetrically encrypted (and compressed) message data - will never be the same for separate PGP messages.
You can even encrypt the exact same message over and over again yourself with the same public key each time and it will always produce completely different encryption results.
It's not easy to see the different parts of a PGP message because it is all base64 encoded. But basically it's
[version info] + [algorithm & public key info] + [public key encrypted session key] + [session key encrypted message data] + [checksum]
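-
Added example, not part of any post in this thread: a small Python reader for the packet layout sketched above, listing what is visible in an armored PGP message without any private key, including the recipient key IDs that --throw-keyid replaces with zeros. The sample() helper, its key IDs and its filler bytes are constructed for the demonstration.

```python
import base64

ALGOS = {1: "RSA", 16: "Elgamal", 18: "ECDH"}       # public-key algorithm IDs

def dearmor(text: str) -> bytes:
    """Binary packets inside an ASCII-armored block; the =CRC line is skipped."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]              # armor headers end at blank line
    return base64.b64decode("".join(l for l in body if l[:1] not in ("=", "-")))

def packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        first, i = data[i], i + 1
        if first & 0x40:                            # new format: tag in low 6 bits
            tag, o, i = first & 0x3F, data[i], i + 1
            if 192 <= o < 224:                      # two-octet length
                n, i = ((o - 192) << 8) + data[i] + 192, i + 1
            elif o == 255:                          # five-octet length
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:                                   # one octet, or partial: take rest
                n = o if o < 192 else len(data) - i
        else:                                       # old format: tag in bits 5-2
            tag, size = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 3]
            n = int.from_bytes(data[i:i + size], "big") if size else len(data) - i
            i += size
        yield tag, data[i:i + n]
        i += n

def describe(armored: str) -> list:
    """What anyone holding the ciphertext can read without any key."""
    out = []
    for tag, body in packets(dearmor(armored)):
        if tag == 1 and body[0] == 3:               # v3 session-key packet
            # An all-zero key ID means the sender threw the key IDs away.
            key_id = body[1:9].hex().upper() if any(body[1:9]) else "hidden"
            out.append(("session key", ALGOS.get(body[9], "other"), key_id))
        else:                                       # e.g. the encrypted body
            out.append((f"packet, tag {tag}", len(body)))
    return out

def sample(key_ids: list) -> str:   # constructed message: real framing, filler bytes
    raw = b""
    for kid in key_ids:                             # old-format header, tag 1
        body = b"\x03" + bytes.fromhex(kid) + b"\x01\x00\x10\xAA\xBB"
        raw += bytes([0x84, len(body)]) + body
    raw += bytes([0xD2, 41]) + b"\x01" + b"\x55" * 40   # new-format header, tag 18
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{b64}\n-----END PGP MESSAGE-----\n"
```

Calling describe() on a message built with ordinary key IDs returns one "session key" entry per recipient with its ID in the clear; with all-zero IDs the entries are still there, so the number of recipients remains visible while their identities do not.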