GPGServices: I can decrypt cyphertext which is encrypted with someone else's public key
Hi, I've been playing with GPG for the last few weeks and am now trying it on macOS.
I have a keyring with 2 public keys and 1 secret:
me (pub + sec)
GPGtools (pub) <-- I guess
Here's the unusual thing.
When I right click on some text and click 'Encrypt selection', a box pops up to select the recipient.
If I encrypt FOR gpgtools surely I use their public key, and as such the PGP message shouldn't be decryptable.
However it is!
I can right click on the cipher text PGP message and click decrypt and it shows the plain text again.
Now maybe I'm wrong but I thought sending to someone encrypted with their pub key so only they can decrypt.
And if, as I suspect, it's actually encrypting with MY public key (even though I select GPG as the recipient), and later decrypting with my private key, surely if I sent that PGP message to gpgtools they WOULDN'T be able to decrypt.
So any ideas?
Happy to post screenshots if necessary.
Thank you, crypto folk.
1 Posted by john.alan.woods on 18 Aug, 2017 03:07 PM
Interestingly, using the command line I get the expected response.... just not with the GUI
-----BEGIN PGP MESSAGE-----
=KL14
-----END PGP MESSAGE-----
gpg: encrypted with 2048-bit ELG key, ID DBCBE671, created 2010-08-19
      "GPGTools Team [email blocked]"
gpg: decryption failed: No secret key
Support Staff 2 Posted by Steve on 18 Aug, 2017 03:28 PM
Hi John,
welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.
Please see this KB-article on how to manage passwords for your keys.
The third option explains how to clear the cache and remove stored OpenPGP passwords from macOS keychain.
Can you please do that and see if you are then asked for your password when trying to decrypt?
Also, if you look at the GPGServices window you see when encrypting a message, it has your own key listed. And that key is used to encrypt to as well (unless you untick that option). That is why you are able to decrypt the message.
Let me know if this answers your question.
All the best,
steve
3 Posted by john.alan.woods on 20 Aug, 2017 10:43 AM
Hi Steve,
Thanks for the reply.
I think there may be an issue here, when I use GPGServices to encrypt a text snippet.
Selecting only GPGTools as the recipient (as per this screenshot: https://ibb.co/fELTWk)
I am still prompted for my password and can successfully decrypt the message after encryption. Therefore it must be using my public key to encrypt the message right?
Shouldn't it be using your public key and I should be unable to decrypt?
4 Posted by john.alan.woods on 20 Aug, 2017 11:01 AM
Steve -
I can see my mistake!
There is an 'add to recipients' checkbox.
I'm an idiot.
Best,
John
Support Staff 5 Posted by Steve on 21 Aug, 2017 08:42 AM
Hey John,
def not an idiot. You indeed found the reason why you are being asked for your OpenPGP password. If you add your own key to the recipients, the message is encrypted with both the recipient's key and your own key. When then trying to decrypt the message, you will be asked for your password and, if that is correct, will be able to decrypt the message.
Glad this is solved for you. I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.
Best, steve
Steve closed this discussion on 21 Aug, 2017 08:42 AM.
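Added example (not part of the thread and not GPGTools code): the behaviour resolved above, a message encrypted to the recipient and to the sender's own key, is visible in the message itself as one Public-Key Encrypted Session Key packet per recipient. This Python sketch lists those key IDs from a binary (de-armored) OpenPGP message; the sample packets and both key IDs are constructed placeholders.

```python
# Added example: list the recipients of a binary (non-armored) OpenPGP message
# by reading its Public-Key Encrypted Session Key packets (tag 1, RFC 4880).

def _length(buf, i, new_format, ltype):
    """Return (body_length, index_of_body) for the length field at buf[i]."""
    if not new_format:
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype                      # 1, 2 or 4 length octets
        return int.from_bytes(buf[i:i + n], "big"), i + n
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial length not handled")

def recipient_key_ids(buf):
    """Key IDs of every key the session key was encrypted to, in order."""
    ids, i = [], 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        new_format = bool(hdr & 0x40)
        tag = hdr & 0x3F if new_format else (hdr >> 2) & 0x0F
        if tag not in (1, 3):               # session-key packets come first;
            break                           # stop at the encrypted data packet
        length, body = _length(buf, i + 1, new_format, hdr & 0x03)
        if body + length > len(buf):
            raise ValueError("truncated packet")
        if tag == 1 and length >= 9 and buf[body] == 3:  # v3 PKESK: key ID next
            ids.append(buf[body + 1:body + 9].hex().upper())
        i = body + length
    return ids

def _pkesk(key_id, algo, old_format):
    """Constructed packet: version, key ID, algorithm, one dummy MPI."""
    body = b"\x03" + bytes.fromhex(key_id) + bytes([algo]) + b"\x00\x08\xff"
    return bytes([0x84 if old_format else 0xC1, len(body)]) + body

# Constructed sample: recipient key plus the sender's own key, then the start
# of an encrypted data packet (tag 18). Both key IDs are placeholders.
RECIPIENT, OWN = "1111111111111111", "2222222222222222"
SAMPLE = _pkesk(RECIPIENT, 16, True) + _pkesk(OWN, 1, False) + b"\xd2\xe1\x01\x00"
ONLY_RECIPIENT = _pkesk(RECIPIENT, 16, True) + b"\xd2\xe1\x01\x00"
```

`gpg --list-packets` reports the same packets as `:pubkey enc packet:` lines. A key ID of all zeros means the sender hid the recipient (for example with `--throw-keyids`), so the list cannot rule that key in or out.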