Is it possible to sort of verify a PGP message?

Alice sends a PGP Encrypted message to Bob.

I know Alice and Bob's public key, and I have their encrypted and plaintext message.

  1. Can I confirm that the PGP Encrypted message is the same as the plaintext message without knowing any of their private key?

  2. Can I confirm that the PGP Encrypted message is from Alice or Bob with only their public key?

Jane Doe
  • Confirmation of sender can only be done if the sender has signed it. Otherwise no, anyone can send a message to a certain public key. – Henno Brandsma Jul 07 '19 at 07:44

1 Answer

No to both. Details:

  1. PGP encrypts a random symmetric key with Bob's public key, and then uses that to encrypt the message. Since you don't have that key, you can't check to see if the plaintext and ciphertext correspond under it.
  2. The public key of a message only reveals who can decrypt it. All you learn is that whoever encrypted it knew Bob's public key, which doesn't really narrow it down at all.
  • So I noticed that I can get [Bob's encrypt subkey]'s fingerprint. Can I know that from Bob's public key? – Jane Doe Mar 19 '19 at 03:20
  • @JaneDoe Yes. That's part of his public key. – Joseph Sible-Reinstate Monica Mar 19 '19 at 03:31
  • @JosephSible: to be exact, an encrypted message normally contains (but it can be suppressed) the _long keyid_ of the recipient's (sub)key, which is the low 8 bytes of the 20-byte fingerprint, which is calculated from (but not actually in) a v4 key. Similar https://security.stackexchange.com/questions/199427/with-gpg-can-3rd-party-verify-that-message-has-been-encrypted-by-specific-pubkey – dave_thompson_085 Mar 19 '19 at 06:48
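An added example, not from the question, the answer or the comments, showing the one thing a third party can actually read out of a PGP encrypted message: the long key ID in each Public-Key Encrypted Session Key (PKESK) packet, and how that ID is derived from a v4 key's fingerprint (SHA-1 over 0x99, a two-byte length and the public-key packet body, per RFC 4880, with the key ID being the low 8 bytes). The key material, timestamp and packet contents are constructed placeholders, not a real key or a real message; the parser handles only the header forms needed for this walk-through and treats the all-zero wildcard key ID as a deliberately hidden recipient. Nothing here touches the session key, which is exactly why the answer's "no to both" stands: the recipient can be named, the sender and the plaintext cannot.

```python
import hashlib
import struct

# Constructed sample key material: tiny placeholder numbers, NOT a real RSA key.
SAMPLE_CREATED = 1552953600              # constructed creation timestamp
SAMPLE_N = 0xC0FFEE1234567890ABCDEF      # constructed "modulus" placeholder
SAMPLE_E = 65537
WILDCARD_KEY_ID = b"\x00" * 8            # RFC 4880: all-zero ID hides the recipient


def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_pubkey_body(created, n, e):
    """Body of a v4 public-key packet: version, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-byte body length, and the key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fingerprint):
    """The long key ID is the low-order 8 bytes of the 20-byte v4 fingerprint."""
    return fingerprint[-8:]


def old_format_packet(tag, body):
    """Old-format header with a two-byte length (length type 1)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body


def new_format_packet(tag, body):
    """New-format header with a one-octet length (body shorter than 192 bytes)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def pkesk_packet(key_id, encrypted_session_key):
    """PKESK (tag 1), version 3: key ID, algorithm 1 (RSA), then the encrypted session key MPI."""
    return old_format_packet(1, b"\x03" + key_id + b"\x01" + mpi(encrypted_session_key))


def build_sample_message(key_id):
    """Constructed message: one PKESK followed by a SEIPD (tag 18) packet of filler bytes."""
    filler = b"\x01" + b"\x00" * 20    # stands in for the encrypted body; constructed
    return pkesk_packet(key_id, 0x1122334455667788) + new_format_packet(18, filler)


def parse_header(data, off):
    """Return (tag, body_offset, body_length) for the packet header at data[off]."""
    ctb = data[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                               # new-format header
        tag, first = ctb & 0x3F, data[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224:
            return tag, off + 3, ((first - 192) << 8) + data[off + 2] + 192
        if first == 255:
            return tag, off + 6, struct.unpack(">I", data[off + 2:off + 6])[0]
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 0:
        return tag, off + 2, data[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", data[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", data[off + 1:off + 5])[0]
    raise ValueError("indeterminate length is not handled here")


def recipient_key_ids(message):
    """Walk the packets and collect the long key ID named by every PKESK packet."""
    ids, off = [], 0
    while off < len(message):
        tag, body_off, length = parse_header(message, off)
        body = message[body_off:body_off + length]
        if tag == 1:
            if body[0] != 3:
                raise ValueError("unsupported PKESK version")
            ids.append(body[1:9])
        off = body_off + length
    return ids


def describe_recipients(message, known_keys):
    """Map each PKESK to a label from known_keys (label -> v4 key packet body),
    'hidden' for the wildcard ID, or 'unknown' when no known key matches."""
    by_id = {long_key_id(v4_fingerprint(b)): label for label, b in known_keys.items()}
    return ["hidden" if kid == WILDCARD_KEY_ID else by_id.get(kid, "unknown")
            for kid in recipient_key_ids(message)]


if __name__ == "__main__":
    bob = v4_pubkey_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    msg = build_sample_message(long_key_id(v4_fingerprint(bob)))
    print(describe_recipients(msg, {"bob": bob}))
```

Feeding the message to `describe_recipients` with Bob's public-key packet body tells you the message was encrypted to Bob's key; feeding it a message built with the wildcard ID shows the case dave_thompson_085 mentions, where even that is suppressed. In neither case does the parser learn who produced the message or whether the filler body corresponds to any particular plaintext.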