Re: Encryption question

From: Aaron Keck (akeck_at_optimumdata.com)
Date: 02/25/04

  • Next message: Theo Chaojareon: "Re: Encryption question"
    Date: Wed, 25 Feb 2004 16:14:05 -0600
    To: "Preston, Tony" <Tony.Preston@acs-inc.com>
    
    

    Fingerprinting.

    The idea behind it is that Alice will give Bob her public key in one method.
    She will then look at the fingerprint of the key, and somehow transfer that to
    him securely. When he gets her public key, he double-checks the key's
    fingerprint, and sees if it matches the one Alice "securely" gave him.

    It's far from foolproof, but if properly used, fingerprinting can be quite
    effective in preventing "man-in-the-middle" spoofing such as that.

    Quoting "Preston, Tony" <Tony.Preston@acs-inc.com>:

    >
    >
    > Tony Preston
    > Systems Engineer, AS&T Inc.
    > Division of L3 Corporation
    > (609) 485-0205 x 181
    >
    > I have what is a rather basic question... I probably am missing something
    > so I thought I would ask here.
    >
    > Alice and Bob both have a public and private key.
    >
    > Alice encrypts her email to Bob using his public key. Sends the email and
    > Bob decrypts it using his keys.
    >
    > Since both Bob and Alice's public keys are known, why can't I take Alice's
    > public key and create a key pair using any other private key? Now, I fake
    > an electronic signature from Alice using the pair I created and send a
    > bogus encrypted message to Bob with my "fake" Alice signature. Bob checks
    > the signature by using the public key and it is valid. Bob assumes the
    > message is from Alice...
    >
    > What prevents me from spoofing someone's electronic signature this way?
    >

    Aaron Keck
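
Added example, not part of the original message: the check Bob performs in the reply above, sketched in Python. It assumes the fingerprint is the SHA-256 of the encoded key bytes (PGP and SSH each define their own fingerprint formats); the key bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac

FPR_HEX_LEN = 64  # full SHA-256 digest in hex (assumed scheme for this example)


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the key bytes, grouped in 4s so it can be read aloud."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fpr: str) -> str:
    """Strip the spacing, colon and case differences a human transcription adds."""
    return "".join(ch for ch in fpr.upper() if ch not in " :-\t\n")


def verify_key(received_key: bytes, trusted_fpr: str) -> bool:
    """True only if the received key hashes to the full out-of-band fingerprint."""
    expected = normalize(trusted_fpr)
    # Refuse truncated or malformed fingerprints: matching only a short
    # prefix or suffix makes a colliding substitute key far cheaper to find.
    if len(expected) != FPR_HEX_LEN:
        return False
    if any(c not in "0123456789ABCDEF" for c in expected):
        return False
    actual = normalize(fingerprint(received_key))
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for encoded public keys (fixed bytes, not real keys).
ALICE_KEY = bytes(range(32))
MALLORY_KEY = bytes(range(1, 33))  # a different key presented under Alice's name

# What Alice passes to Bob over a separate channel (phone, in person),
# written the way a person might retype it: lower case, colon separated.
OOB_FPR = fingerprint(ALICE_KEY).lower().replace(" ", ":")

if __name__ == "__main__":
    print("genuine key accepted:      ", verify_key(ALICE_KEY, OOB_FPR))
    print("substituted key accepted:  ", verify_key(MALLORY_KEY, OOB_FPR))
    print("8-digit fingerprint trusted:", verify_key(ALICE_KEY, OOB_FPR[-9:]))
```

A key pair generated by anyone else has a different public key and therefore a different fingerprint, so the check only fails to protect Bob if the channel that carried the fingerprint was itself tampered with.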
