Decrypting GPG/PGP email messages
pinard at iro.umontreal.ca
Fri Sep 2 14:19:03 CEST 2005
[Piet van Oostrum]
> >>>>> Alessandro Bottoni <alessandro.bottoni at infinito.it> (AB) wrote:
> >AB> Of course, I want to be sure that only the allowed people are
> >AB> able to send such dangerous messages to my server so I will ask
> >AB> my users to encrypt and digitally sign their messages using
> >AB> Thunderbird, Enigmail and GPG ...
> What benefit is there in encrypting the messages? It would only
> prevent people intercepting the message from seeing what's inside, but
> it won't give you any additional protection on the server.
Whenever a message contains sensitive information, it is a good idea to
encrypt it. Humans, and not only computers, may be harmful! :-) There
are cases where information may not leak, when it conveys private
information about people. Companies also have industrial secrets. The
mere fact that two people are communicating is often a secret in itself.
> And if somebody can intercept the messages there is a much bigger danger:
> They could save the message and replay it later. You can't protect against
> this with encryption (well, with encryption they won't know what they
> are doing). Neither with a digital signature.
Protection against replay is easily guaranteed by sequencing requests,
that is, including a sequence number within the message, each originator
having his own sequence. A digital signature prevents someone from
tampering with the sequence number without being detected.
François Pinard http://pinard.progiciels-bpi.ca
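
The sequencing scheme described in the message above, as an added example that is not part of the original post: a server-side gate that keeps one counter per originator and rejects any request whose signed sequence number is not new. The names `KEYS`, `sign_request`, `RequestGate` and `demo` are hypothetical, and HMAC-SHA256 with constructed keys stands in for the GPG signature so the code runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed per-originator keys; HMAC stands in for the GPG signature here.
KEYS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}


def sign_request(sender, seq, command):
    """Build a request whose tag covers sender, sequence number and command."""
    body = json.dumps({"sender": sender, "seq": seq, "command": command},
                      sort_keys=True).encode()
    tag = hmac.new(KEYS[sender], body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class RequestGate:
    """Accept a request only if it is authentic and its sequence number is new."""

    def __init__(self):
        self.last_seq = {}  # originator -> highest sequence number accepted

    def check(self, message):
        try:
            fields = json.loads(message["body"])
            sender, seq = fields["sender"], fields["seq"]
            key = KEYS[sender]
            tag = bytes.fromhex(message["tag"])
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed or unknown originator"
        expected = hmac.new(key, message["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        if not isinstance(seq, int) or seq <= self.last_seq.get(sender, 0):
            return "rejected: replayed or stale sequence number"
        self.last_seq[sender] = seq  # advance only after every check passed
        return "accepted"


def demo():
    gate = RequestGate()
    first = sign_request("alice", 1, "restart service")
    # Captured message with the sequence number altered but the old tag kept.
    forged = {"body": first["body"].replace(b'"seq": 1', b'"seq": 2'),
              "tag": first["tag"]}
    return [gate.check(first), gate.check(first), gate.check(forged),
            gate.check(sign_request("bob", 1, "status")),
            gate.check(sign_request("alice", 2, "status"))]
```

The counters in `last_seq` have to survive a server restart, otherwise every previously captured message becomes acceptable again.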