3

Imagine this scenario:

  • A StackExchange user sends you a PGP-encrypted message
  • You decrypt the message and discover that you are being blackmailed
  • You report the message to the admins but they are unable to view the content

In this situation, is there any way to tie the plaintext to the ciphertext without revealing your private key?

If not, what precautions must one take before revealing their private key?

SWList
  • 33
  • 3
  • By the way I'm not sure if SE has a messaging feature, so please assume users can talk to each other in DMs for the purpose of this question! – SWList Oct 25 '21 at 11:55

2 Answers

5

In principle your private key can be used to extract the random symmetric key within the message. This random symmetric key could then be supplied to decrypt the message without exposing your private key.

In practice, I'm not aware of any existing tools that support doing this. I did run across some code that claims to be a partial PoC, PGP_Key_Extractor. I have no knowledge as to its veracity.

Edit

I defer to @dave_thompson_085's answer. Apparently it's already there in GPG as an option.

user10216038
  • 7,552
  • 2
  • 16
  • 19
4

Neardupe: "What usually happens to the symmetric (session) key after decrypting an email? Can the key be recovered if changing private keys?"

You tagged GnuPG which has a specific feature to expose the symmetric key for a single message which a third-party like your 'admin' can use to decrypt the message; see --show-session-key and --override-session-key in the 'info' on any system with the software installed or here on the web. They implemented it to allow for limiting compelled disclosure (like a subpoena) but voluntary disclosure works the same.

However, this doesn't prove the message was from 'A StackExchange user'. Unless perhaps they included payment instructions as simple as 'third washroom along' like in Monty Python. But nowadays even stupid criminals can use Bitcoin.

dave_thompson_085
  • 9,759
  • 1
  • 24
  • 28
  • I haven't tried it, but that appears to be a solid answer! I don't know how I overlooked it on the man page. Thanks! – user10216038 Oct 26 '21 at 03:51
  • Right, unless the attacker signed the message you can't prove who it came from. (I believe GPG signs the plaintext by default, but even if it didn't you can use the session key to decrypt the original signed ciphertext, whose signature you presumably verified.) – CBHacking Oct 26 '21 at 03:52
  • Thanks for providing details on how this is done in practice. Re: proof of sender: In this particular scenario, it doesn't actually matter that you can't prove that the message came from the SE user, since it is enough evidence for a moderator to ban the account (whoever might be behind it). Anyway I upvoted this answer but marked the other one as correct since it links to yours and also has some details on theory. – SWList Oct 26 '21 at 14:43
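The --show-session-key / --override-session-key workflow from dave_thompson_085's answer, as an added example that is not part of the original answers. It assumes GnuPG 2.1 or later is installed; the function names, the recipient address and the message text are constructed for the demo, and everything runs in throwaway keyrings.

```shell
#!/bin/sh
# Added example: disclose one message's session key instead of the private key.
# Function names, the address and the message are hypothetical / constructed.
set -eu

# Recipient side: print the session key ("<algo>:<hex>") of one encrypted file.
# $1 = homedir that holds the recipient's private key, $2 = ciphertext file.
extract_session_key() {
  gpg --homedir "$1" --batch --yes --show-session-key --status-fd 1 \
      -o /dev/null -d "$2" 2>/dev/null |
    awk '$1 == "[GNUPG:]" && $2 == "SESSION_KEY" { print $3 }'
}

# Third-party side: decrypt using only the disclosed session key.
# $1 = homedir with no keys at all, $2 = session key, $3 = ciphertext file.
decrypt_with_session_key() {
  gpg --homedir "$1" --batch --override-session-key "$2" -d "$3" 2>/dev/null
}

# End-to-end run; prints the plaintext the third party recovers.
# The body is a subshell so its variables stay local.
demo() (
  work=$(mktemp -d)
  rcpt="$work/recipient"   # stands in for your own keyring
  admin="$work/admin"      # stands in for the moderator: empty keyring
  mkdir -m 700 "$rcpt" "$admin"

  # Throwaway, unprotected key pair for the recipient.
  gpg --homedir "$rcpt" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key \
      'Demo Recipient <recipient@example.invalid>' default default never \
      2>/dev/null

  # The sender encrypts a message to that key.
  printf 'constructed demo message\n' > "$work/msg.txt"
  gpg --homedir "$rcpt" --batch --trust-model always \
      -r recipient@example.invalid -o "$work/msg.gpg" -e "$work/msg.txt" \
      2>/dev/null

  key=$(extract_session_key "$rcpt" "$work/msg.gpg")
  decrypt_with_session_key "$admin" "$key" "$work/msg.gpg"

  gpgconf --homedir "$rcpt" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
)
```

Calling `demo` prints the plaintext recovered in the keyless homedir. A session key passed on the command line is visible in the process list; GnuPG also provides --override-session-key-fd for that reason.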