Re: Question about cryptography and public/private keys
- From: Erich Kohl <ekohl@xxxxxxxxxxxxx>
- Date: Fri, 03 Nov 2006 03:09:10 GMT
On 2 Nov 2006 16:16:49 -0800, "Matthew Fanto" <mfanto@xxxxxxxxx>
wrote:
> Erich Kohl wrote:
> > Ah, of course! And you *know* that the message came from a fraudulent
> > source if your private key couldn't unlock the ciphered data because
> > of its direct relationship to the *public* key. If the private key
> > doesn't work on it, the message wasn't encrypted with the proper
> > corresponding PUBLIC key. And ONLY YOU can decrypt messages meant for
> > YOU, because your private key is, well, private. ;-)
> >
> > Am I understanding this correctly? I think I am.
>
> Yep, you got encryption down. Encrypting with the public key though
> doesn't do anything to prove if the other person is fraudulent. Imagine
> a big phone book of public keys. Anyone can look up your public key and
> send you a message. That doesn't prove anything.
>
> So here is where we use a digital signature. I actually use my private
> key to "encrypt" the data. Remember that what one key does, the other
> key undoes. That means that if it's encrypted with my private key, the
> public key decrypts it. So if you signed a message with your private
> key, I would then go look up your public key in the phone book. I would
> apply that public key to the message. Since only you could have used
> your private key, if the public key "works" then I know it must have
> come from you*.
>
> *there are technical details like hash functions, and more details to
> signatures, but you get the idea.
>
> > But here's another question . . . who hands out these keys? Where are
> > they stored? Is it the job of things like VeriSign to do that?
>
> It depends on what you are going to use your keypair for. Verisign (or
> Geotrust, or a number of others) will give out keys along with
> certificates (they sign the certificate with your public key in it) if
> you are using SSL. Or, you can generate your own certificates and
> public/private keys for webservers (this has a few issues associated
> with it). Or if you work for an enterprise, they might give you a
> keypair. You can have tons of different keys. There is no universal
> authority for giving them out, although Verisign would love to become
> that universal authority.
>
> -Matt
I noticed in my Internet browser's list of certificates, a certificate
is shown which represents my bank (I do a fair amount of online
banking).
I'm assuming this means that when I connect to my bank's website, the
transactions I do on it are encrypted. Are keys transferred back and
forth during a banking session like that? Which side sends which
keys?