Re: PGP Lame question

Hello Milan,

Milan VXdgsvt wrote:

>Only the owner of the key can:
> a) Perform Sign(),
> b) Reverse Crypt().
> Anyone can (given the public key):
> a) Reverse Sign(),
> b) Perform Crypt().

agree

>
> > > > A wants to send a message M to B. So, she:
> > > > 1. Generates a random key R.
> > > > 2. Computes a signature S:=Sign_A(Crypt_B(R))
> > > > (encrypt R with B's public key, then sign with her private key)
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > A signs something identifiable as encrypted to B's key
>
> No. The Q, Q:=Crypt_B(R) is just another number. No signature
> identifiable. What is identifiable is it's connection to R.

and its connection to B
>
> Anyone can, given R, find the Q.

agree

> But only Bob can, given Q, find the R

agree

> Someone else, Cindy, could find R2, such that Q=Crypt_C(R2).
> Someone else, Dave, could find R3, such that Q=Crypt_D(R3).

agree

> As you can see from this, Q in itself does not tell if it's R encrypted
> with Bob's key, or R2 encrypted with Cindy's key. Q is just a number

do not agree (or at least, i do not think so)

i think that given Q and Bob's public key,
Q can be linked as encrypted to Bob


> The Q is a random number. It does not know how it was generated.
> Only if it's passed along with R, those *together* tell that Bob's key
> was used (either the public key, to find Q from R, or the private key
> for the other way).

do not agree (or, again, at least, do not think so)

> You see, Q is not truly random; it was computed. The point is that Bob
> could have forged the signature. So he cannot prove he didn't.

agree,
but that is not the issue,
the issue is if there is a connection between Bob and Alice

lets try to agree or disagree one step at a time :-)

(1) do you agree
that if Bob gives up his public and private keypair, (and passphrase,
if one is used),
then anyone having Alice's public key,
can verify that Alice signed something somehow connected to Bob?

>
> > > R -> anyone can -> Q -> only A can -> S
> > > R <- only B can <- Q <- anyone can <- S
>
> Do you understand that picture above?
no

please state clearly:
(a) what Alice signed
(b) what Alice encrypted to Bob's key

what i *think* you are saying
(and i may be misunderstanding)
is the following:

[i] Alice starts with a message M, a random key R, Bob's public key,
and Alice's private key

[ii] Alice encrypts R to Bob's public key, and gets an output, let's
call it E
(i believe that this is what you were calling Q)

[iii] Alice signs E

[iv] Alice encrypts M with R and gets an output, lets call it F

[v] Alice sends E and F together to Bob

is this a correct understanding of what you mean?

if no, please correct me,


if yes,
then do you see that anyone with Alice's public key can verify that
Alice signed E?

if yes,
then the only thing left to demonstrate,
is that if Alice knows that E is connected to Bob,
and Alice signs it, then Alice 'knows' Bob

in order to demonstrate this,
Bob produces R, Bob's public key, and whatever padding was used in the
encryption, which Bob recovers upon decryption,
and shows that E is R encrypted to Bob's key

Alice now has to explain why she would sign E if she didn't know Bob

(again, i agree with you that no one can link M to Alice's signature,
but only that Alice can still be linked to Bob)

> I'm in a good mood now, I can explain this in more detail, just tell me
> what your knowledge level is?

reasonably proficient hacker level in working with pgp/gnupg

beginner level in learning underlying cryptography theory and algorithm
structure


vedaal

.

Relevant Pages

  • Re: Simple authenticated channel
    ... protocols (in this case, I assume Bob uses a DH keypair), followed by ... It is assumed Alice already has an authetic copy of Bob's public key. ... The attacker therefore does not hold k, ...
    (sci.crypt)
  • Practical improvement of DH-ElGamal scheme
    ... Improving DH-ElGamal public key encryption scheme can be done in ... For person Alice: ... Linking between 2 persons (Alice and Bob): ... Attacking this encryption scheme: ...
    (sci.crypt.research)
  • Re: GPG
    ... In a practical sense, only Bob may decrypt ... Alice on the way to Bob and prevent it from reaching Bob. ... Alice may encrypt the message with Bob's public key, ... the others) before issuing their certificates. ...
    (comp.os.linux.security)
  • Re: Is SSL/TSL really secure?
    ... computers to record the private and public keys as they pass from my ... So both partners have such a keypair, say Alice has K1, K2 and Bob has ... Now Alice keeps K1 strictly secret - it's her "private key". ... with the public key of Bob, ...
    (comp.security.misc)
  • Re: Basic question about RSA
    ... Let's say Alice wants to send a message to Bob. ... Alice uses Bobs' public key and her own private key to ... Alice encrypts the signed message with Bob's public key. ...
    (sci.crypt)