Re: Is symmetric key distribution equivalent to symmetric key generation?

From: Alan (a__l__a__n_at_hotmail.com)
Date: 08/25/05 

Date: Thu, 25 Aug 2005 14:20:14 -0400

chuckles wrote:
> Well how do you assure yourself you are actually using someone's public
> key?

With great care, if the stakes are very high and/or there is a suspected
imminent threat.

Face to face exchange of public keys is the best way (assuming you know each
other well enough to eliminate the risk of an imposter). As an alternative
to public keys, you could exchange a shared secret which would be used for
authentication (not encryption) in subsequent communications.

Next best is for each person to have a face to face key exchange with a
third party trusted by both people. The third party signs both parties'
keys so they can be verified using the third party's public key.

If face to face exchanges are not possible, there are ways to get
certificates signed by a third party without a face to face meeting, but
with less assurance that the certificate actually belongs to the person it
claims.

You could also exchange public keys electronically, and then use a side
channel (phone conversation for example; videophone might be better) to
confirm the key by reading off a "fingerprint" or hash of the keys.
Assuming of course that you would be able to recognize an impostor over the
side channel.

Quantcast