Is it possible to get the public key from a PGP message in PEM (Base64) format? Here is the message:

-----BEGIN PGP MESSAGE-----

hQEMA1W24kYEriipAQf9FEOPPTiqBj9kDSqCWTJmCvceU3n9oEqA7umKFYWG60nv nWEk09AvrYK1dakfYVTKlolqV6kkxoQqt5DlsQ6YOa7I4Xfy58l9yzJQlf1KU/xN vp3sBb8FHCkT789hZ8h9On/GoFFaDTp2rHB63ylLzcPNedlYdUS2DtooZQkt6g07 C8D0B9t66UGCGCPky0bEquihBz7u48oV+F3DVTdHV7XYCHayuMNuMAExiOv7hpRh VauO3ryTm5R/6D06/QYAVsfrqR/UWaCdz26FQVmFc5Z9HqLaS00ppjqfktaYACNz M88A6I0eUchpCSz8tqpURTUKdNZTjOun4pqQ+9c/TNLpAQ0uQRpuXSt1KYrbiq8l 4glvmrFqkSM/n8soDpoatjwW2BMu3IByV/OJZ1heWsxfUw/qImE5qZPxxI1CjLDe 3yGSb2SAE6l/mnfnkSPDEOxE3LRfSoOapUOc+9MtGl/gF3+TwYZ0qpXevSCOWKLz 1fnIuQU4PvWYHR3vkBuoxJ9+0aNtvr+JRsx1Wg1lNJqu6T5rQHc7ne7VocD5coi4 YyOENKDPfELi6o6/MhdFmMblTu4/AbUoErAg6zGP9CUMdYngFfNQyfFB9x2jG6fe Pfq+g1Y6NW527Bjy8Qfd0Iy1Xz+838bvqZt5MhDXTWW+YYcPm5htL+1H2o3FoQhW qmAM577UnjVQXoL4bg046dyA0fqd5E32xGlVOXKL6RgeGouZu8V43wrQKzJhROoV pk6T7QEUMSiBiAoZjTAg5BalpIr+G/PWj5mCI0ys75tNeH3zQOgf0+Be7Q+AkO7/ PQHR0qfWVg+9PdEfR05ciuJ6A4SiI0QtqziMmHvgc213KWGqKuYqYr22xgkqcJWP 7lFT/56zCoyiObcEPWH9WEXwYYakEPxCn/i16c4HgZVzgeJ1x04I5t//ZM9cT15g N3EBi58ANV8BjgLaklcoxm9XjOpIlW952Y6qvwDMMh3SRNCpGsq+Ma6+zi/T6fqW O2psDgYjQsjsDaAmdPzGeHUTWAp752rJPKbMoInA9Bb3xMjjKg== =ioKX -----END PGP MESSAGE-----

I sent this to someone and I was just wondering what if someone other than us knows the PGP message and wants information like the recipient's pubkey or other info.

ZenXiu
  • What constitutes "knowing the recipient's pubkey"? PGP will include a key fingerprint. It does not include the entirety of the person's public key, so their key cannot be derived directly from it, but public keys are intended to be just that, publicly known. If an attacker has intercepted the public key as it is being transmitted to you (which it is assumed they can, as it is public), they will be able to match the public key to the message you send from the fingerprint. It does not directly include the full pubkey, but it has identifying information which could easily reveal the pubkey. – arcaynia Jul 14 '20 at 16:30
  • Almost dupe https://security.stackexchange.com/questions/199427/with-gpg-can-3rd-party-verify-that-message-has-been-encrypted-by-specific-publi where it is considered on-topic, and more linked there; several previous Qs here have been closed as off-topic, and at least one I know I answered deleted. – dave_thompson_085 Jul 15 '20 at 03:29

1 Answer

No, the PGP format doesn't contain the public key of the sender. But it does include a key ID of the key (pair) so that you know which private key to use to decrypt the message. It is rather easy to verify this by reading the OpenPGP specification, which defines the packet format(s) used. Or you can take a look using gpg --list-packets --verbose.

It is possible to look up the public key (which in the case of PGP acts more like a certificate, containing more information than just the key value) using one of the various PGP servers. However, the use of these servers has become a problem in itself. Knowing the key ID is of little help if the key is not registered in a known key server or location (i.e. communicated out of band or kept locally).

Maarten Bodewes
  • Um, currently still on different computer, you'll have to try the command yourself. – Maarten Bodewes Jul 14 '20 at 20:31
  • Once someone has the fingerprint, they can search for the public key on a public key server such as this one: https://pgp.mit.edu/ If the public key had been uploaded by anyone, other information will also be shown; namely, what the creator of the key gave as name and e-mail address. – Patriot Jul 15 '20 at 01:58
  • The long (64-bit) keyid, not the full fingerprint. But that is enough to check keyserver(s). For the message posted, pubkey enc packet: version 3, algo 1, keyid 55B6E24604AE28A9 which one of my configs finds as the encryption subkey for pgp.EncryptedChat <[email protected]> – dave_thompson_085 Jul 15 '20 at 03:33
  • That's of course only a problem (or feature, whichever way you look at it) if the public key is stored on a server in the first place (something that has come under attack lately). I usually processed keys using out-of-band procedures. – Maarten Bodewes Jul 15 '20 at 10:09
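
Added example (not code from the question, the answer or any commenter): the key ID discussed above sits unencrypted at the start of the message, in the Public-Key Encrypted Session Key (PKESK) packet, and this Python sketch reads it from the first 20 base64 characters of the message in the question. The function names and the small algorithm table are this example's own.

```python
import base64

# First 20 base64 characters of the armored message in the question
# (15 bytes: the packet header plus the start of the PKESK body).
ARMOR_PREFIX = "hQEMA1W24kYEriipAQf9"

PK_ALGOS = {1: "RSA", 16: "Elgamal", 18: "ECDH"}  # subset of RFC 4880 sec. 9.1


def parse_packet_header(data):
    """Return (tag, body_length, header_size) for one OpenPGP packet header."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 is clear")
    if first & 0x40:  # new-format header
        tag = first & 0x3F
        o1 = data[1]
        if o1 < 192:
            return tag, o1, 2
        if o1 < 224:
            return tag, ((o1 - 192) << 8) + data[2] + 192, 3
        if o1 == 255:
            return tag, int.from_bytes(data[2:6], "big"), 6
        raise ValueError("partial body lengths are not handled here")
    tag = (first >> 2) & 0x0F  # old-format header
    length_type = first & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length is not handled here")
    size = 1 << length_type  # 1, 2 or 4 length octets
    return tag, int.from_bytes(data[1:1 + size], "big"), 1 + size


def recipient_info(data):
    """Extract the cleartext fields of a version 3 PKESK packet (tag 1)."""
    tag, body_len, hdr = parse_packet_header(data)
    if tag != 1:
        raise ValueError(f"expected PKESK (tag 1), got tag {tag}")
    body = data[hdr:]
    if len(body) < 10 or body[0] != 3:
        raise ValueError("truncated or not a version 3 PKESK")
    key_id = body[1:9].hex().upper()
    return {"version": body[0], "key_id": key_id,
            "algo": PK_ALGOS.get(body[9], str(body[9])),
            "body_length": body_len,
            "anonymous": key_id == "0" * 16}  # all-zero ID: hidden recipient


if __name__ == "__main__":
    print(recipient_info(base64.b64decode(ARMOR_PREFIX)))
```

The output matches the version, algorithm and key ID quoted in the comments. A sender who does not want the recipient key ID exposed can use GnuPG's --throw-keyids or --hidden-recipient, which writes an all-zero key ID (reported here as anonymous).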