Endpoint Encryption

 View Only

  • 1.  Basic questions about PGP keys

    Posted Aug 15, 2012 11:50 AM

    Dear Tom,

    It will be quite a long text and there is no urgency in answering but your help and clearification would be highly appreciated.

    I have been using PGP-WDE for years now (both Win and Mac with passphrases) and only recently start using PGP regulary for signing and encrypting emails.

    I got a bit confused with the feature of adding separate subkeys and in particular  how a keyring/keypair/public key is composed of, and how the terminology is correctly used.

    I created a new PGP key (“testkey”) and exported/reimported it with or without private key  and checked the key properties.

    First the problem with terminology:

    On page 60 in the user manual is stated:

    A PGP Desktop keypair consists of these elements:

    • the Master Key, for signing only;

    • one mandatory Subkey for encryption;

    • one or more optional Separate Subkey(s) for signing, encryption, or signing/encryption.

     

    If I look at the key properties of the private key, following IDs can be found:

    Masterkey (?): 0x937F5352  (ID immediately below the email of the key)

    encryption subkey: 0xCC8E8E63

    signing subkey: 0xE4A0AA42

    Per definition this should be a Private Key, but actually it looks that its is a Keypair consisting of private and public key (?) – if I open the private key with TextEdit both parts of private and public key block can be found.

    +) First Question: is the “private key” actually always a keypair consisting of private and public key or is it possible to obtain the private key separately only?

    +) Second Question: is the Masterkey also for decryption? Searching the whole manual I could not find which part of the key is actually responsible for decryption (only the Masterkey is described as “for signing only” but no word about decryption)

    I checked the features of the public key and surprisingly all subkeys can be found there again (for signing and encryption), however a public key is not for signing (?)

    +) third Question (related to the first question): are all (sub)keys of the public key actually existing but only the subkey for encryption is active or is simple the private/public key concept a mathematical connected “mirror-sandwich” of the masterkey+subkeys where one half serves as public key and both halfes together as “private key” ?

    Should therefore be the very correct terminology: public key and private keypair (where then the “private key” performs signing + decryption)?

    I encrypted a file with the testkey:

    If I remove both subkeys PGP states “by removing all subkeys encryption to this key will be disabled”, so I assumed only the features of signing+decryption are left, however PGP will not decrypt the file to an “unknown” key, which is understandable as I deleted the subkey responsible for encryption but also signing of a file with this key is not working (it does not appear in the list of private keys for signing). However under “keys” the private key without subkeys still is called “keypair” , trust was set to implicit. So therefore in addition to the statements in the usermanual I am asking the

    +) fourth question: what are the minimal features/composition for a PGP key?

    I understood from the descriptions that the advantage of adding subkeys is the possibility to exchange them in case the private key becomes compromised as only the masterkey is signed by other users, so the public PGP key keeps its ID  with the signatures from other users -– correct?

    Any short answers would be very helpful (simply inline)

    Thanks a lot for your time,

    kind regards,

    Stork



  • 2.  RE: Basic questions about PGP keys
    Best Answer

    Posted Aug 15, 2012 12:31 PM

    +) First Question: is the “private key” actually always a keypair consisting of private and public key or is it possible to obtain the private key separately only?

    For PGP, the private key block does contain the public key.  But without the extra components (such as photo ID, and signatures from others that are included in the public key block).

    +) Second Question: is the Masterkey also for decryption? Searching the whole manual I could not find which part of the key is actually responsible for decryption (only the Masterkey is described as “for signing only” but no word about decryption)

    I checked the features of the public key and surprisingly all subkeys can be found there again (for signing and encryption), however a public key is not for signing (?)

    In this instance, the Master Key is only the signing key - this is the Key ID that identifies the key as a whole. 

    Encryption is to the encryption subkey (the public portion).  Decryption is with the private portion of the encryption subkey.  Regardless of what function you are designating subkeys as being able to be used for, the public portion of all parts of the key are in your "Public Key".  The public part of encryption subkeys have to be there for the encryption to your key.  The public part of your signing key has to be there so that signatures you make with your private signing key can be verified by others. 

    +) third Question (related to the first question): are all (sub)keys of the public key actually existing but only the subkey for encryption is active or is simple the private/public key concept a mathematical connected “mirror-sandwich” of the masterkey+subkeys where one half serves as public key and both halfes together as “private key” ?

    Should therefore be the very correct terminology: public key and private keypair (where then the “private key” performs signing + decryption)?

    I encrypted a file with the testkey:

    If I remove both subkeys PGP states “by removing all subkeys encryption to this key will be disabled”, so I assumed only the features of signing+decryption are left, however PGP will not decrypt the file to an “unknown” key, which is understandable as I deleted the subkey responsible for encryption but also signing of a file with this key is not working (it does not appear in the list of private keys for signing). However under “keys” the private key without subkeys still is called “keypair” , trust was set to implicit. So therefore in addition to the statements in the usermanual I am asking the

    I think I may have actually answered this already.  However, to be sure:

    The public key has all public portions of your keypair.  Encryption is to the public portion of your encryption subkey, so others can encrypt to you.  The public portion of your signing key is also included so that signatures you make can be verified by others.  Only your private key includes the private portions of your Master Key and the subkeys - so that only you can decrypt encryptions to your public key, and only you can make signatures with your signing key.

    +) fourth question: what are the minimal features/composition for a PGP key?

    I understood from the descriptions that the advantage of adding subkeys is the possibility to exchange them in case the private key becomes compromised as only the masterkey is signed by other users, so the public PGP key keeps its ID  with the signatures from other users -– correct?

    A PGP key has a signing key and an encryption encryption subkey.

    The Master Key is designated as such, so that the key can continue to be identified by the same Key ID regardless of what additional subkeys you choose to add.  This lets you use different subkeys for different purposes if you want to do this for whatever reason.  Signatures are actually to the User ID (usually consisting of a name and email address).  When you sign someone's key, you are stating that this is who the key really belongs to.



  • 3.  RE: Basic questions about PGP keys

    Posted Aug 16, 2012 12:23 PM

    Dear Tom,

    thank you VERY much for your prompt answer and your clear description!  I understand now.

    kind regards, Stork