GPGServices: I can decrypt cyphertext which is encrypted with someone else's public key

john.alan.woods

18 Aug, 2017 03:04 PM

Hi, I've been playing with GPG for the last few weeks and am now trying it on macOS.

I have a keyring with 2 public keys and 1 secret:

me (pub + sec)
GPGtools (pub) <-- I guess

Here's the unusual thing.

When I right click on some text and click 'Encrypt selection', a box pops up to select the recipient.

If I encrypt FOR gpgtools surely I use their public key, and as such the PGP message shouldn't be decryptable.

However it is!

I can right click on the cipher text PGP message and click decrypt and it shows the plain text again.

Now maybe I'm wrong, but I thought sending to someone encrypts with their pub key so only they can decrypt.

And if, as I suspect, it's actually encrypting with MY public key (even though I select GPG as the recipient), and later decrypting with my private key, surely if I sent that PGP message to gpgtools they WOULDN'T be able to decrypt.

So any ideas?

Happy to post screenshots if necessary.

Thank you, crypto folk.

  1. 1 Posted by john.alan.woods on 18 Aug, 2017 03:07 PM

    Interestingly, using the command line I get the expected response... just not with the GUI

    gpg: encrypted with 2048-bit ELG key, ID DBCBE671, created 2010-08-19
          "GPGTools Team [email blocked]"
    gpg: decryption failed: No secret key

  2. Support Staff 2 Posted by Steve on 18 Aug, 2017 03:28 PM

    Hi John,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    Please see this KB-article on how to manage passwords for your keys.

    The third option explains how to clear the cache and remove stored OpenPGP passwords from macOS keychain.

    Can you please do that and see if you are then asked for your password when trying to decrypt?

    Also, if you look at the GPGServices window you see when encrypting a message, it has your own key listed. And that key is used to encrypt to as well (unless you untick that option). That is why you are able to decrypt the message.

    Let me know if this answers your question.

    All the best,
    steve

  3. 3 Posted by john.alan.woods on 20 Aug, 2017 10:43 AM

    Hi Steve,

    Thanks for the reply.

    I think there may be an issue here, when I use GPGServices to encrypt a text snippet.

    Selecting only GPGTools as the recipient (as per this screenshot: https://ibb.co/fELTWk)

    I am still prompted for my password and can successfully decrypt the message after encryption. Therefore it must be using my public key to encrypt the message, right?

    Shouldn't it be using your public key and I should be unable to decrypt?

  4. 4 Posted by john.alan.woods on 20 Aug, 2017 11:01 AM

    Steve -

    I can see my mistake!
    There is an 'add to recipients' checkbox.

    I'm an idiot.

    Best,
    John

  5. Support Staff 5 Posted by Steve on 21 Aug, 2017 08:42 AM

    Hey John,

    def not an idiot. You indeed found the reason why you are being asked for your OpenPGP password. If you add your own key to the recipients, the message is encrypted with both the recipient's key and your own key. When you then try to decrypt the message, you will be asked for your password and, if that is correct, will be able to decrypt the message.

    Glad this is solved for you. I'm closing this discussion. Should you need further assistance or have questions, you can re-open this discussion here or open a new one any time.

    Best, steve

  6. Steve closed this discussion on 21 Aug, 2017 08:42 AM.
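
The behaviour resolved in this thread is visible in the ciphertext itself: an OpenPGP message starts with one Public-Key Encrypted Session Key (PKESK) packet per recipient key, so ticking 'add to recipients' adds a second packet carrying the sender's own key ID. The following is an added example, not code from the thread or from GPGTools; it assumes a binary (de-armored) message with version 3 PKESK packets, and the function names, key IDs and sample bytes are constructed for illustration.

```python
PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880, section 5.1)

def read_header(buf, pos):
    """Return (tag, body_start, body_length) for the packet header at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                      # new-format header
        tag, o = first & 0x3F, buf[pos + 1]
        if o < 192:
            return tag, pos + 2, o
        if o < 224:
            return tag, pos + 3, ((o - 192) << 8) + buf[pos + 2] + 192
        if o == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body length not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:                        # indeterminate: body runs to the end
        return tag, pos + 1, len(buf) - pos - 1
    n = 1 << ltype                        # length field is 1, 2 or 4 bytes
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(message):
    """Key IDs of the leading PKESK packets: one per key that can decrypt.
    "0000000000000000" marks a hidden recipient (wildcard key ID)."""
    ids, pos = [], 0
    while pos < len(message):
        tag, start, length = read_header(message, pos)
        if tag != PKESK_TAG:              # encrypted data follows; stop here
            break
        body = message[start:start + length]
        if len(body) != length or length < 10 or body[0] != 3:
            raise ValueError("truncated or non-v3 PKESK packet")
        ids.append(body[1:9].hex().upper())   # usually the encryption subkey
        pos = start + length
    return ids

# Constructed sample data: made-up key IDs and dummy bytes, not real ciphertext.
RECIPIENT, MYSELF = "1111111111111111", "2222222222222222"

def fake_pkesk(key_id, algo=16):          # 16 = Elgamal, as in the gpg output
    body = bytes([3]) + bytes.fromhex(key_id) + bytes([algo]) + bytes(16)
    return bytes([0x85]) + len(body).to_bytes(2, "big") + body

FAKE_DATA = bytes([0xD2, 5, 1]) + bytes(4)    # tag 18 packet with a dummy body
RECIPIENT_ONLY = fake_pkesk(RECIPIENT) + FAKE_DATA
WITH_SELF = fake_pkesk(RECIPIENT) + fake_pkesk(MYSELF) + FAKE_DATA

if __name__ == "__main__":
    print("recipient only:", recipient_key_ids(RECIPIENT_ONLY))
    print("with own key:  ", recipient_key_ids(WITH_SELF))
```

On a real message, `gpg --list-packets` reports the same per-recipient packets without needing any secret key.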
