Posted on August 24, 2003 by jay_sheth. Edited: August 24, 2003 by jay_sheth.
I. A Brief Overview of Email Encryption and Mozilla (Part I of V)
Introducing Mozilla Thunderbird
As you may know, the Mozilla Foundation has produced early versions of
a stand-alone email product, called Mozilla Thunderbird (hereafter
Thunderbird).
While Mozilla Thunderbird is available in a 0.1 version and other
periodically updated "weekly" versions, its functionality and quality
far exceed what one might expect from software with a 0.1 version
number. This is because Thunderbird is a stand-alone version of
the four-to-five-year-old Mozilla Mail program, which is bundled with
the Mozilla Suite.
Why Email Encryption?
Email is an effective way to communicate with friends and co-workers,
but offers no way to verify the identity of a sender, or to ensure that
an email is only decipherable by its intended recipient. A common
solution to this problem is email
encryption, which scrambles an email message - making it
legible only by someone who has a password which can unscramble it.
An Overview of Existing Email Encryption Products:
There are many commercial encryption products which can encrypt files,
which then can be attached to emails. Some commercial encryption
products offer the ability to create "self decrypting" files which can
be attached to emails. Suppose Joe wants to send a secret message to
Beth. He can type up his message in a word processor, encrypt it,
attach it, and send it to Beth. This
sounds simple enough, so what's the catch? In order for Beth to
open the secret message from Joe, she needs to know the password which
he used to encrypt it. If he had sent this password to her by email,
and someone read that email before she could, then that person would be
able to intercept, decrypt and read all messages from Joe that used
the same password. Thus, the main
potential pitfall to using most encryption systems is in securely
communicating the password required to decrypt a secret message.
How Enigmail for Thunderbird works:
- Send Encrypted Email Without a Pre-agreed Password:
The Enigmail plugin for Thunderbird works in conjunction with another
piece of freely available software, known as GnuPG, or GPG. GnuPG (I pronounce it
"guh-nu-pug") is software which
enables two people to exchange
encrypted email messages without agreeing on a preset password in
advance. You may have heard about software called PGP - GnuPG works similarly to PGP.
- Actually, there are two passwords, not just one:
A person who uses GnuPG to send encrypted email messages
typically has two passwords:
  - A Private Password - your private password should never be given
    out; it is used to decrypt a message you have received
  - A Public Password - your public password can be given to anyone;
    anyone can use your public key to encrypt a message (before it is
    sent to you)
For example: John and Mary exchange encrypted messages using GnuPG. If
John wants to send an encrypted message to Mary, John needs to know Mary's public key. Since it is okay
to share a public password with another person, Mary emails her public
password to John. John then uses Mary's public password to encrypt
his message before he sends it to Mary. Now it gets interesting - a
third person, Bob, wants to intercept and read John and Mary's messages.
So, to recap, John has received Mary's public password by email, after
which he writes a message, encrypts it using Mary's public password,
and sends the encrypted message to Mary. Bob opens Mary's email program
when she is not at her computer, and discovers that John has sent her
an encrypted message. "That's no problem," thinks Bob, who, having
checked Mary's sent mail folder, discovers that Mary sent John her
public password. "I'll just use Mary's public password to decrypt
John's message," thinks Bob. But when
Bob tries to decrypt the message that John sent to Mary
(protected with Mary's public password), it does not work! What went
wrong?
Actually, nothing went wrong. That's how it is supposed to work. Only Mary's private password can decrypt
the message that John sent to her!
Question: If Joshua wants to send Mary an encrypted message, which
password would he use?
Answer: Joshua would also use
Mary's public password to encrypt emails which he sends to her.
Question: But why would Joshua and John not use their private passwords to send
encrypted messages to Mary?
Answer: A private password is only used to decrypt email that is sent to you.
Your public and private passwords have to be different. When you send
someone an encrypted email, you need
to use the recipient's public password to encrypt that email.
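The John, Mary and Bob scenario above, as an added example that is not part of the original post and is not GnuPG's own code. It uses textbook RSA with tiny constructed primes to stand in for what the post calls the public and private passwords (GnuPG's public and private keys); the function names and sample message are assumptions made for illustration.

```python
# Added illustration (not from the original post): textbook RSA with tiny primes.
# NOT secure, and not GnuPG's actual scheme (GnuPG uses large keys, padding and
# hybrid encryption). It only shows the public/private asymmetry.
from math import gcd


def make_keypair(p, q, e=17):
    """Build (public, private) from two primes; each key is (modulus, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent = inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, text):
    """Encrypt one UTF-8 byte per block (toy choice) with the recipient's public key."""
    n, e = public_key
    return [pow(byte, e, n) for byte in text.encode("utf-8")]


def decrypt(key, ciphertext):
    """Apply a key to the ciphertext; return the text, or None if it is not readable."""
    n, exponent = key
    blocks = [pow(c, exponent, n) for c in ciphertext]
    try:
        return bytes(blocks).decode("utf-8")
    except ValueError:  # also covers UnicodeDecodeError
        return None  # wrong key: blocks are not valid bytes or not valid UTF-8


# Constructed sample values: Mary's key pair from two small primes.
MARY_PUBLIC, MARY_PRIVATE = make_keypair(61, 53)
MESSAGE = "Hi Mary, lunch at noon?"


def scenario():
    """John encrypts for Mary; Bob tries the public key; Mary uses the private key."""
    ciphertext = encrypt(MARY_PUBLIC, MESSAGE)      # John
    bob_reads = decrypt(MARY_PUBLIC, ciphertext)    # Bob only has the public key
    mary_reads = decrypt(MARY_PRIVATE, ciphertext)  # Mary holds the private key
    return ciphertext, bob_reads, mary_reads


if __name__ == "__main__":
    ct, bob, mary = scenario()
    print("ciphertext blocks:", ct[:4], "...")
    print("Bob, using Mary's public key:", repr(bob))
    print("Mary, using her private key:", repr(mary))
```

Joshua would call encrypt() with the same MARY_PUBLIC value; nothing about the sender's own keys is needed to encrypt a message for Mary.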