RE: Encryption question

From: Hollis Johnson (hollis_at_cisco.com)
Date: 02/26/04

    Date: Wed, 25 Feb 2004 16:23:29 -0800
    To: Gene LeDuc <Gene.LeDuc@tns-md.com>, "'Preston, Tony'" <Tony.Preston@acs-inc.com>
    
    

    Tony. One more point. The public/private keys are a pair. Defining one
    defines the other. Or rather, as you defined the pair, there is a
    relationship.

    I don't have the algorithm memorized (although many on this alias might) --
    and no ref. books at hand. But it has to do with the relationship of 2
    "very large" (I recall 100 digits) primes to which you ..... I don't remember.

    But that's the answer to your last sentence -- they are a pair -- a msg
    encrypted with one part (public or private) can only be decrypted via the
    complement.

    encrypt(public) -> decrypt(private) assures confidentiality

    encrypt(private) -> decrypt(public) verifies the sender (authentication) -

    both assuming the private key is not compromised.

    I refer you to: http://oregonstate.edu/dept/honors/makmur/

    The challenge of public-key cryptography is developing a system in which it
    is impossible to determine the private key. This is accomplished through
    the use of a one-way function. With a one-way function, it is relatively
    easy to compute a result given some input values. However, it is extremely
    difficult, nearly impossible, to determine the original values if you start
    with the result. In mathematical terms, given x, computing f(x) is easy,
    but given f(x), computing x is nearly impossible. The one-way function used
    in RSA is multiplication of prime numbers. It is easy to multiply two big
    prime numbers, but for most very large primes, it is extremely
    time-consuming to factor them. Public-key cryptography uses this function
    by building a cryptosystem which uses two large primes to build the private
    key and the product of those primes to build the public key.

    If you want to know more there are a number of lovely books you can spend
    your Saturday nites reading :-)

    Hope this helps as well. Hollis

    At 12:45 PM 2/25/2004 -0500, Gene LeDuc wrote:
    >Alice encrypts the message to Bob using Bob's public key and then signs it
    >using her private key. Bob verifies that the message is from Alice by using
    >her public key to check the signature and then decrypts the message with his
    >private key. The encryption only hides the contents, it does not
    >authenticate the message. The signing authenticates the message but does
    >not hide the contents. You need both if you want to have a secure
    >conversation.
    >
    >-----Original Message-----
    >From: Preston, Tony [mailto:Tony.Preston@acs-inc.com]
    >Sent: Tuesday, February 24, 2004 11:01 AM
    >To: security-basics@securityfocus.com
    >Subject: Encryption question
    >
    >
    >
    >
    >Tony Preston
    >Systems Engineer, AS&T Inc.
    >Division of L3 Corporation
    >(609) 485-0205 x 181
    >
    >I have what is a rather basic question... I probably am missing something
    >so I thought I would ask here.
    >
    >Alice and Bob both have a public and private key.
    >
    >Alice encrypts her email to Bob using his public key. Sends the email and
    >Bob decrypts it using his keys..
    >
    >Since both Bob and Alice's public keys are known, Why can't I take Alice's
    >public key and create a key pair using any other private key. Now, I fake
    >an electronic signature from Alice using the pair I created and send a bogus
    >encrypted message to Bob with my "fake" Alice signature. Bob checks the
    >signature by using the public key and it is valid. Bob assumes the message
    >is from Alice...
    >
    >What prevents me from spoofing someone's electronic signature this way?
    >
    >
    >

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
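An added example, not part of the original thread: a toy textbook-RSA signature check showing why the scheme in the original question fails, since a signature only verifies under Alice's public key if it was produced with the one private exponent that matches it. The key sizes (Mersenne primes), the lack of padding, the messages and all function names are assumptions chosen for illustration and are not suitable for real use.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA: the private exponent d is fully determined by p, q and e."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)                    # (public key, private key)

def digest(message, n):
    """SHA-256 of the message reduced mod n (toy encoding, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

# Constructed toy keys built from known Mersenne primes (far too small for real use).
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def run_demo():
    msg = b"Bob, meet me at noon. -- Alice"
    n_alice, _ = ALICE_PUB
    genuine_sig = sign(msg, ALICE_PRIV)
    return {
        # Alice's own private key: Bob's check with her public key succeeds.
        "genuine": verify(msg, genuine_sig, ALICE_PUB),
        # Signature from an unrelated key pair, checked against Alice's public key.
        "other_pair": verify(msg, sign(msg, MALLORY_PRIV), ALICE_PUB),
        # Alice's modulus combined with an arbitrary private exponent.
        "guessed_d": verify(msg, sign(msg, (n_alice, 12345)), ALICE_PUB),
        # Genuine signature attached to a different message.
        "tampered": verify(b"Bob, meet me at nine. -- Alice", genuine_sig, ALICE_PUB),
    }

if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:10s} verifies under Alice's public key: {ok}")
```

Only the first case verifies; recovering the matching exponent from the public key alone would require factoring the modulus.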

