Silk Road forums

Discussion => Security => Topic started by: g01d3n on January 12, 2013, 05:32 am

Title: I need help, I don't think I'm doing this correctly...
Post by: g01d3n on January 12, 2013, 05:32 am
Hello, g01d3n here. I guess you could consider me a n00by, but I take security very seriously and want to protect myself, and most importantly, the vendor. I want to be 110% positive that I am encrypting correctly, but every time I try to decrypt someone's message, I get an error screen. I guess in the end all that matters is that the seller can read the encrypted message. Can someone please tell me if I'm doing this correctly? Thank you so much for your time.


Test message below


-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.17 (MingW32)
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=VF0q
-----END PGP MESSAGE-----
Title: Re: I need help, I don't think I'm doing this correctly...
Post by: SelfSovereignty on January 12, 2013, 05:38 am
Only the private key that's paired to the public key, which you used to encrypt that message, can decrypt it.  You don't possess that key, only the recipient of your intended message does (that's not you, I'm assuming).

So it should give an error.  You don't have the key :)
Title: Re: I need help, I don't think I'm doing this correctly...
Post by: g01d3n on January 12, 2013, 05:41 am
I think I get it. When I send an encrypted message to the vendor (assuming I bought something) he also gets a key that he can use to decrypt the message... Or am I way off?
Title: Re: I need help, I don't think I'm doing this correctly...
Post by: Wadozo on January 12, 2013, 05:50 am
You use the vendor's Public Key to encrypt the message you send to them. They then use their Private Key to decrypt it. If you want an encrypted response from the vendor, you will need to send the vendor your Public Key so they can use it to encrypt a message to you.
Title: Re: I need help, I don't think I'm doing this correctly...
Post by: SelfSovereignty on January 12, 2013, 05:55 am
Wadozo is exactly right -- to be clear, when the vendor generated his public key and then put it up on his profile for customers to use, the program at the same time generated the matching private key that can decrypt messages encrypted with the public key.  They're a pair of keys (that's why they're called key pairs)  :)

So he doesn't get any key at all.  He has it already.  Either that, or nobody will ever be decrypting your address, hah.
Title: Re: I need help, I don't think I'm doing this correctly...
Post by: g01d3n on January 12, 2013, 06:11 am
So when I send my message, he receives my key with the encryption? I'm sorry for such nooby questions. I just want to be completely sure.
Title: Re: I need help, I don't think I'm doing this correctly...
Post by: SelfSovereignty on January 12, 2013, 06:19 am
It's fine, if you don't understand go ahead and ask :)  No, he receives nothing.  But he didn't just magically wave his hands to make the public key that you use to encrypt your address appear out of nowhere.  He used a program to generate it.

At the same time, that program generated the paired private key which can be used to decrypt messages that have been encrypted with the paired public key.  They're different keys.  One encrypts, the other one decrypts (but only decrypts what that paired key encrypted).  So he doesn't receive anything but your encrypted address.  He already has the key he needs to decrypt it :)

You can do the same thing -- meaning generate a public & private key pair.  Anybody who uses THAT public key to encrypt, you can decrypt by using THAT private key.  So Wadozo meant that if you don't want him to answer your message in plaintext (unencrypted), you should generate a key pair and include your public key in your message to him so that the response will also be encrypted.

There are two things I'm talking about without being aware that it's confusing, sorry -- one is encrypting your address when ordering.  There shouldn't be any response to this and you don't need to include any keys or anything.  The second situation is sending a message talking about buying drugs or something -- that situation is one where you expect a response, and you should probably include a key for him to use to encrypt said response.  I hope that makes it clearer.
Title: Re: I need help, I don't think I'm doing this correctly...
Post by: g01d3n on January 12, 2013, 06:38 am
So if I send a message like this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.17 (MingW32)

hQEMA0gDbhCYZD3lAQf/QwIroslszRvMGonbpq0LOh8QPG34XUI6qZXO7GEvbizf
wtLMWRBE++W4XgeLNRBG27BLtSOnUpmX6ASv8cTKDhCVrPO5k0Qj8COfE5CKyiIA
vG9ieT7OBpUptjVZoQFoaFmCO8FVZ3DGAq4koEPExJ6GXf3pmBD4xUnI5E2/UgzD
BnLQy0H9ZoNVixema+7gkC8G5E7zQqBoQG5Qe7UunftKkrPsJCZHV91G4IUQN31K
MT7xqe8GyZGLlbhF1ID5N+UwT4fyka3MOS/iWBH+Ui8253TewYOr52ZGgKTELbgd
QJ1BYvECMSHxT14CxsUwOCDee6WGiA1V+/r+vpAZddJjAae0CYoN1a74M5vWYHgd
X//5sNdlWalIjkGFSfn8+wgxQikjmjniUfHFjkJ3/wLupi/cu+DHe0uHdniE9zLj
J9i8/Ba0LRZD5pnJv4kvTnh+Vkd0xLXSvml2/q1NMIL/kLVI
=bg9w
-----END PGP MESSAGE-----

It can already be decrypted by him, as long as I don't expect a response?
Title: Re: I need help, I don't think I'm doing this correctly...
Post by: SelfSovereignty on January 12, 2013, 06:58 am
Well... I can't really answer that with any certainty.  Whoever possesses the private key that was generated, at the same time as the public key, can decrypt that message.  Yes.  But I mean, if you used the wrong public key to encrypt the message or something, the guy won't be able to decrypt it.  But unless that happened -- yes, he can already decrypt that message.  He can decrypt it even if you do expect a response, but if you don't include a public key for him to use to encrypt his response, he can't encrypt his answer.

I mean if that's your encrypted address, then yes, it's all good.
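The key-pair mechanics SelfSovereignty and Wadozo describe (the vendor's public key encrypts, only the vendor's private key decrypts, the buyer must include their own public key to get an encrypted reply), and the "wrong key" failure mode in the last reply, written out as a runnable simulation. This is an added example, not code from the thread or from GnuPG: it uses RSA-OAEP from Go's standard library rather than the OpenPGP message format, so it illustrates the concept, not the exact bytes gpg produces. The party names (vendor, buyer, stranger) and the order and reply strings are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Party is one participant. The private half stays inside the struct; only
// Pub is ever handed out (the key a vendor posts on their profile).
type Party struct {
	priv *rsa.PrivateKey
	Pub  *rsa.PublicKey
}

// NewParty generates a key pair. As with gpg, both halves are created at the
// same time; nobody has to be sent a decryption key afterwards.
func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k, Pub: &k.PublicKey}, nil
}

// Message is what travels: ciphertext plus, optionally, the sender's public
// key so the recipient can encrypt a reply. ReplyKey is nil when the sender
// expects no answer (e.g. an encrypted shipping address on an order).
type Message struct {
	Ciphertext []byte
	ReplyKey   *rsa.PublicKey
}

// Encrypt seals plaintext to whoever holds the private half of pub. The
// sender needs no key of their own for this step.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt opens ciphertext with this party's private key. If it was encrypted
// to a different public key, the OAEP check fails and an error is returned
// instead of garbage (the "error screen" from the thread).
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// Outcome records who could read what.
type Outcome struct {
	VendorReadOrder string // plaintext the vendor recovered from the order
	BuyerReadsOrder bool   // can the buyer decrypt their own outgoing order?
	StrangerReads   bool   // can an unrelated key holder decrypt it?
	BuyerReadReply  string // plaintext the buyer recovered from the reply
}

// RunExchange plays out the thread's scenario with constructed sample text.
func RunExchange() (*Outcome, error) {
	vendor, err := NewParty()
	if err != nil {
		return nil, err
	}
	buyer, err := NewParty()
	if err != nil {
		return nil, err
	}
	stranger, err := NewParty() // owns a key pair, just not the vendor's
	if err != nil {
		return nil, err
	}

	// Buyer encrypts to the vendor's public key and attaches their own
	// public key because an encrypted reply is expected.
	ct, err := Encrypt(vendor.Pub, []byte("ship to: 1 Example Street (constructed)"))
	if err != nil {
		return nil, err
	}
	msg := Message{Ciphertext: ct, ReplyKey: buyer.Pub}
	out := &Outcome{}

	pt, err := vendor.Decrypt(msg.Ciphertext) // vendor's private key opens it
	if err != nil {
		return nil, err
	}
	out.VendorReadOrder = string(pt)

	_, err = buyer.Decrypt(msg.Ciphertext) // buyer holds no matching private key
	out.BuyerReadsOrder = err == nil
	_, err = stranger.Decrypt(msg.Ciphertext) // wrong key pair: also fails
	out.StrangerReads = err == nil

	if msg.ReplyKey == nil {
		return out, nil // nothing to encrypt a reply to; it would be plaintext
	}
	rct, err := Encrypt(msg.ReplyKey, []byte("order shipped (constructed)"))
	if err != nil {
		return nil, err
	}
	rpt, err := buyer.Decrypt(rct)
	if err != nil {
		return nil, err
	}
	out.BuyerReadReply = string(rpt)
	return out, nil
}

func main() {
	out, err := RunExchange()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", *out)
}
```

The two negative cases are the ones worth internalising from the thread: the buyer cannot decrypt the order they just encrypted (so the OP's "error screen" is expected behaviour), and a message encrypted to the wrong public key yields a decryption error rather than readable text.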