Alice and Bob revisited

On June 22, 2005, in Uncategorized, by

Revisiting the Alice and Bob encryption story with an update.  Someone was asking if they send out an encrypted message and only 1/2 of the people on the mailing lists have digital certificates and the other half you don’t, the email will be encrypted to only half of the recipients?  Nope.  Doesn’t work that way at all.  Only those folks that you HAVE a public key already in your certificate store will be able to be sent an encrypted message.  Your email client will ‘barf’ on the ones that you don’t have a certificate for.  Your email client has a hidden location where it’s stored all these public certificates it’s picked up by folks merely emailing their digital certificate to you.

You MUST have their public key…that’s the key element in this… let me repeat that…YOU MUST have their key before you can SEND THEM the encrypted message.  So to start this Encryption tango, Bob must send Alice his public key in the form of merely a digitally signed email.  Once Alice has a digitally signed email from Bob, she can now encrypt the email.  Read the comment here.

As far as PGP being easier…. now … I could be wrong [this hasn’t been the first time] but PGP mail encrypts the attachments as far as I know.  It’s not encrypting the message transmission that I understand.  In discussing the situation with my fellow MVP, we discussed that right now I actually encrypt attachments, via PDF or other means, but I’m not actually encrypting the email message because 99 times out of 100, I don’t have the other person’s public key, they HAVE no public key, and when I’d automagically add my digital certificate to all of my outgoing emails so that the “Bob’s” of this world already HAD my public key, 99 times out of 100 I’d get a phone call saying “What is this attachment to your email, I can’t open it?  Do you have a virus?”

Needless to say I stopped automagically attaching it to my outgoing emails.  You ‘can’ get Bob’s public key from visiting public key repositories on the web.  You can even get them from Web Sites.  Take for example the Public Key for the Microsoft Security Response Center.  Once you add ‘their’ key to your email certificate repository you can now send THEM encrypted email [assuming you already have a security certificate of course].

See how this works?  Once you get ‘theirs’ you can now encrypt something to THEM but not before.

Right now I encrypt attachments, and if I’m sending files that I want to protect that are large, I’ll use  But right now, Alice just ain’t ready for Bob to be encrypting.

Now I could go into how folks recommend that you have a key signing party… but that’s another Alice and Bob story for another day…..

P.S.  I said “buy” a certificate, but you ‘can’ get free email only certificates as well.


2 Responses to Alice and Bob revisited

  1. Robert MacLean says:

    PGP can encrypt the entire message itself, attachments and body. It does not, as you say encrypt the transmission. I use the word can because it’s purely optional, you can also just sign the message for verification of the sender or you can do both.

    For message transmission encryption on a standard SMTP type setup you would be using SSL (or sometimes known as TLS, no idea why). Which encrypts the transmission in much the same way as HTTPS. The thing with it is that both servers (or server/client) must agree to use it. So while the transmission may be encrypted from you to the server you have no idea if it is encrypted from your server to the recipients server. The same applies on the recipients side. Should they download say with standard POP3 there is no encryption of the transmission there.

    But this is completely different to SSL certificate signing or message encryption, which is very much the same as the PGP method albeit just using a different system for security.For this you need to purchase or get a free SSL certificate. For encrypting the transmission you do not, as this is handled in the protocol itself.

    At the end of the day unless you have control over the whole route you can’t guarentee safe, secure communication. All you can do is put in as much as possible and hope it works.

  2. SiM says:

    Heh, PGP’s "web of trust" is also not so easy 😉 you should not trust PGP pubkey posted at webpage, because someone (hacker) could direct you to other website using DNS-spoofing. So ideally you should get PGP pubkey from web AND compare it’s fingerprint offline (by phone for example).

    There are also problems with ‘free’ certificates, because Verisign or Thawte certificates works automagically because most browsers have Verisign CA certificate in Trusted List, but didn’t trust CA certificate.