freeborn | ελεύθερος on Nostr: A note for the #gpg newbies--from a #gpg (relative) newbie. Caveat: I realize that ...
A note for the #gpg newbies--from a #gpg (relative) newbie.
Caveat: I realize that OpenPGP and gpg are technically different, but--rightly or wrongly--I use "gpg" and "pgp" basically interchangeably in informal conversation.
There are two important aspects to encrypted messaging that are sometimes confused.
1. Encrypting the CONTENT of messages. Alice and Bob want to communicate securely, so they both create a public/private key pair. They then exchange public keys. Alice writes a message and uses Bob's public key to "shape" the content into the form of a lock that only Bob's key can open. This hides the content of Alice's messages from any prying eyes.
2. SIGNING a message. ...but, since Bob's public key is *public*, say badguy Charlie sends a message to Bob, properly encrypted with Bob's public key, but Charlie pretends to be Alice. Bob may inadvertently send information to Charlie that he intended to send for Alice's eyes only. Is there a way to ensure that the message really came from Alice? Yes: this is message SIGNING. Alice writes a message to Bob, and encrypts its CONTENT with Bob's public key--thereby forming it into the shape of a lock that only Bob's key can unlock. But then, Alice also SIGNS the message with her private key. Bob then receives an encrypted message from someone purporting to be Alice--is it *signed* by Alice's private key? Yes: OK, reasonably safe to assume it's actually from Alice. Now, let's decrypt the *content* of the message and see what she has to say.
There is CONTENT encryption, and there is message SIGNING. Both are important aspects of encrypted communication.
Side note: your NOSTR events are SIGNED by you, but the CONTENT is not encrypted. (Think about it--how could it be? You would have to encrypt it using each follower's public key, so only they could open it with their private key!) An exception might be the case of DMs, in which case your message is SIGNED by you, and the CONTENT encrypted--but I will let others chime in on the details there, as many have noted that NOSTR DMs are not as secure as they could/should/can be. I am not up to speed on exactly why, beyond the fact that "npub X is DM-ing npub Y" -- that is public information of necessity.
Just wanted to share an aha! moment I had a little while ago when trying to wrap my head around how encryption and signing works. (This explanation translates to bitcoin "messages" as well.)
Hope it's helpful to someone out there.
#encryption #gpg #pgp #privacy
Caveat: I realize that OpenPGP and gpg are technically different, but--rightly or wrongly--I use "gpg" and "pgp" basically interchangeably in informal conversation.
There are two important aspects to encrypted messaging that are sometimes confused.
1. Encrypting the CONTENT of messages. Alice and Bob want to communicate securely, so they both create a public/private key pair. They then exchange public keys. Alice writes a message and uses Bob's public key to "shape" the content into the form of a lock that only Bob's key can open. This hides the content of Alice's messages from any prying eyes.
2. SIGNING a message. ...but, since Bob's public key is *public*, say badguy Charlie sends a message to Bob, properly encrypted with Bob's public key, but Charlie pretends to be Alice. Bob may inadvertently send information to Charlie that he intended to send for Alice's eyes only. Is there a way to ensure that the message really came from Alice? Yes: this is message SIGNING. Alice writes a message to Bob, and encrypts its CONTENT with Bob's public key--thereby forming it into the shape of a lock that only Bob's key can unlock. But then, Alice also SIGNS the message with her private key. Bob then receives an encrypted message from someone purporting to be Alice--is it *signed* by Alice's private key? Yes: OK, reasonably safe to assume it's actually from Alice. Now, let's decrypt the *content* of the message and see what she has to say.
There is CONTENT encryption, and there is message SIGNING. Both are important aspects of encrypted communication.
Side note: your NOSTR events are SIGNED by you, but the CONTENT is not encrypted. (Think about it--how could it be? You would have to encrypt it using each follower's public key, so only they could open it with their private key!) An exception might be the case of DMs, in which case your message is SIGNED by you, and the CONTENT encrypted--but I will let others chime in on the details there, as many have noted that NOSTR DMs are not as secure as they could/should/can be. I am not up to speed on exactly why, beyond the fact that "npub X is DM-ing npub Y" -- that is public information of necessity.
Just wanted to share an aha! moment I had a little while ago when trying to wrap my head around how encryption and signing works. (This explanation translates to bitcoin "messages" as well.)
Hope it's helpful to someone out there.
#encryption #gpg #pgp #privacy