Decrypting GPG/PGP email messages

François Pinard pinard at iro.umontreal.ca
Fri Sep 2 14:19:03 CEST 2005


[Piet van Oostrum]
> >>>>> Alessandro Bottoni <alessandro.bottoni at infinito.it> (AB) wrote:

> >AB> Of course, I want to be sure that only the allowed people is
> >AB> able to send such dangerous messages to my server so I will ask
> >AB> my users to encrypt and digitally sign their messages using
> >AB> Thunderbird, Enigmail and GPG ...

> What benefit is there in encrypting the messages?  It would only
> prevent people intercepting the message from seeing what's inside, but
> it won't give you any additional protection on the server.

Whenever a message contains sensitive information, it is a good idea to
crypt it.  Humans, and not only computers, may be harmful! :-) There
are cases where information may not leak, when it vehicles private
information about people.  Companies also have industrial secrets.  The
mere fact that two people are communicating is often a secret in itself.

> And if somebody can intercept the messages there is a much bigger danger:
> They could save the message and replay it later. You can't protect against
> this with encryption (well, with encryption they won't know what they
> are doing). Neither with a digital signature.

Protection against replay is easily guaranteed by sequencing requests,
that is, including a sequence number within the message, each originator
his sequence.  A digital signature prevents someone from tampering with
the sequence number without being detected.

-- 
François Pinard   http://pinard.progiciels-bpi.ca



More information about the Python-list mailing list