Cipher v public key.

Jonathan T. Rockway jon at jrock.us
Tue May 30 23:03:41 CEST 2006


> Sorry I may be missing the point but why does it now show AES or AES256 as a
> pukey? 
>   
I think you're misunderstanding how PGP public-key encryption works.  
When you send an encrypted message, the first thing that happens is a 
random number called a session key is generated.  This session key is 
then used to encrypt the (compressed, possibly) original message with a 
symmetric cypher like AES256.  Then, this session key is encrypted with 
the recipient's public key (RSA or ElGamal).

When the message is received by the recipient, he uses his private key 
to decrypt the session key.  Then he uses the session key to decrypt the 
original message. 

If you're just using symmetric keys, you use AES256 directly.  The 
passphrase you type in is used as the session key, in this case 
(actually, there's a random number called "salt" appended to the 
passphrase to prevent certain attacks, but the idea is the same).  With 
public key cryptography, the software (via the public key algorithms) 
handles the (difficult) task of giving the recipient the decryption 
key.  With symmetric encryption, it's your responsibility to get the 
passphrase to the recipient.

If you're still not clear on this, you should definitely read something 
like Applied Cryptography, so that you can talk intelligently to your 
client about cryptography.  The biggest security problem with crypto is 
when it's misapplied (people think they're safe, but the crypto is 
merely obfuscating the message, not securing it).

Another good way to learn about symmetric encryption is to write your 
own simple encryption program.  http://ciphersaber.gurus.com/ will guide 
you through this.

Feel free to ask us any questions, though :)

Regards,
Jonathan Rockway




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 370 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20060530/b4ec8928/signature.pgp


More information about the Gnupg-users mailing list