Re: Encryption question

From: Jamie Pratt (jamie_at_nucdc.org)
Date: 02/25/04

    Date: Wed, 25 Feb 2004 13:43:02 -0500
    To: security-basics@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hmmm.. I would think that this just won't work unless the "faked" public
    key has no passphrase, otherwise pgp/gpg can't generate the public key's
    signature, because the public key's passphrase is required to sign
    anything...? (Not to mention the fact that the sig is a bit different
    each time it's generated)

    regards,
    jamie

    Preston, Tony wrote:

    |
    | Tony Preston
    | Systems Engineer, AS&T Inc.
    | Division of L3 Corporation
    | (609) 485-0205 x 181
    |
    | I have what is a rather basic question... I probably am missing something
    | so I thought I would ask here.
    |
    | Alice and Bob both have a public and private key.
    |
    | Alice encrypts her email to Bob using his public key. Sends the email and
    | Bob decrypts it using his keys..
    |
    | Since both Bob and Alice's public keys are known, Why can't I take Alice's
    | public key and create a key pair using any other private key. Now, I fake
    | an electronic signature from Alice using the pair I created and send a bogus
    | encrypted message to Bob with my "fake" Alice signature. Bob checks the
    | signature by using the public key and it is valid. Bob assumes the message
    | is from Alice...
    |
    | What prevents me from spoofing someone's electronic signature this way?

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (MingW32)
    Comment: GPG/PGP Digital Signatures Increase Security For Everyone

    iD8DBQFAPOyqFnM/ewGVQ7IRAmqMAJ9pV/gK+wlUA8k+8pSO80R56Fmr+ACeLRU4
    VLD2+RDwNdpEPNdKKXgh6+o=
    =PUFO
    -----END PGP SIGNATURE-----
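
The scenario in the quoted question, as an added example that is not part of the original thread: textbook RSA (no padding, not PGP's actual signature format) showing that a signature verifies only against the public key derived from the same private key. The key sizes, primes, message and the name Mallory are constructed for illustration.

```python
# Added illustration: textbook RSA (no padding) with small fixed primes.
# Not secure and not the PGP/GnuPG signature format; it only shows how the
# private and public halves of a key pair are tied together.
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Derive (public, private) from two primes; d is fully determined by p, q, E."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(message, n)

# Constructed keys built from known Mersenne primes (hypothetical parties).
alice_pub, alice_priv = make_keypair(2**61 - 1, 2**89 - 1)
mallory_pub, mallory_priv = make_keypair(2**107 - 1, 2**127 - 1)

MSG = b"Bob, meet me at noon. -- Alice"  # constructed sample message

def demo():
    genuine = sign(MSG, alice_priv)
    # Attempt 1: Mallory signs with his own key pair and claims to be Alice.
    own_key = sign(MSG, mallory_priv)
    # Attempt 2: Mallory pairs Alice's public modulus with his own private exponent.
    mixed = sign(MSG, (alice_pub[0], mallory_priv[1]))
    return {
        "genuine": verify(MSG, genuine, alice_pub),
        "own_key": verify(MSG, own_key, alice_pub),
        "mixed": verify(MSG, mixed, alice_pub),
        "own_key_vs_mallory_pub": verify(MSG, own_key, mallory_pub),
        "tampered": verify(MSG + b"!", genuine, alice_pub),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the signature made with Alice's private key verifies under Alice's public key; Mallory's signature verifies only under Mallory's own public key, which is why Bob must obtain Alice's public key through a channel he trusts.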
