RE: Encryption question

From: Jordan, Jason D. (Jason.Jordan_at_honeywell-tsi.com)
Date: 02/25/04

    To: "'Preston, Tony'" <Tony.Preston@acs-inc.com>, "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
    Date: Wed, 25 Feb 2004 12:45:13 -0500
    
    

    Tony,
        I believe, in order to spoof a digital signature of Alice, you would need to get her private key... which she should have securely stored somewhere. A hash of the message is done and then encrypted with Alice's private key. The only other key that can decrypt it is the public key generated with her original key pair. You could substitute Alice's public key with your public key so when Bob used that public key to encrypt the message meant for Alice, you could intercept it and read the message. Then you could re-encrypt it with Alice's real public key and send it on to her. Kinda like a man in the middle deal. I think this is how it works; I could be wrong. Does that help any?

    Dallas Jordan MCSE, CCNA, Security+
    Electronics Technician II
    Honeywell Technology Solutions
    1010 Bankton Drive
    Hanahan, SC 29406
    843-744-1221 Ext 11

     -----Original Message-----
    From: Preston, Tony [mailto:Tony.Preston@acs-inc.com]
    Sent: Tuesday, February 24, 2004 1:01 PM
    To: security-basics@securityfocus.com
    Subject: Encryption question

    Tony Preston
    Systems Engineer, AS&T Inc.
    Division of L3 Corporation
    (609) 485-0205 x 181

    I have what is a rather basic question... I probably am missing something
    so I thought I would ask here.

    Alice and Bob both have a public and private key.

    Alice encrypts her email to Bob using his public key. Sends the email and
    Bob decrypts it using his keys.

    Since both Bob and Alice's public keys are known, why can't I take Alice's
    public key and create a key pair using any other private key. Now, I fake
    an electronic signature from Alice using the pair I created and send a bogus
    encrypted message to Bob with my "fake" Alice signature. Bob checks the
    signature by using the public key and it is valid. Bob assumes the message
    is from Alice...

    What prevents me from spoofing someone's electronic signature this way?
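
Added example, not part of the original thread: a toy textbook-RSA sketch of the two cases discussed above, a signature made with a different private key failing under Alice's real public key, and a substituted public key being caught by a fingerprint check. The keys, the name Mallory, the message and all function names are constructed for illustration; unpadded RSA with these short keys is not secure.

```python
import hashlib

# Toy textbook RSA (no padding, short fixed keys). Illustration only.
E = 65537

def make_keypair(p, q):
    """Return (public, private). Deriving d requires the secret primes p and q,
    which is why knowing only the public (n, e) does not yield a matching private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    n, d = private
    return pow(digest(message, n), d, n)

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def fingerprint(public):
    return hashlib.sha256(f"{public[0]}:{public[1]}".encode()).hexdigest()

def verify_pinned(claimed_public, pinned_fp, message, signature):
    """Accept only if the offered key matches the fingerprint Bob got out of band."""
    return fingerprint(claimed_public) == pinned_fp and verify(claimed_public, message, signature)

# Constructed keys built from known Mersenne primes (assumption: sample values only).
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
PINNED_ALICE_FP = fingerprint(ALICE_PUB)
MSG = b"Meet at noon"  # constructed sample message

def demo():
    genuine = sign(ALICE_PRIV, MSG)
    forged = sign(MALLORY_PRIV, MSG)  # signed with a key pair that is not Alice's
    return {
        "genuine_under_alice_key": verify(ALICE_PUB, MSG, genuine),
        "forged_under_alice_key": verify(ALICE_PUB, MSG, forged),
        "forged_under_substituted_key": verify(MALLORY_PUB, MSG, forged),
        "forged_with_pinned_fingerprint": verify_pinned(MALLORY_PUB, PINNED_ALICE_FP, MSG, forged),
        "genuine_with_pinned_fingerprint": verify_pinned(ALICE_PUB, PINNED_ALICE_FP, MSG, genuine),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged signature only verifies when Bob checks it against the substituted key, so the defence is authenticating the public key itself (fingerprint comparison, a certificate, or a web of trust) before trusting any signature made with it.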
