Re: Basic question about RSA
- From: "William L. Bahn" <william@xxxxxxxxxxxxxxx>
- Date: Fri, 2 Jun 2006 23:55:01 -0600
<tomstdenis@xxxxxxxxx> wrote in message
news:1149308986.412941.268780@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> William L. Bahn wrote:
>> To send an authenticated message:
>> 1) Alice sends Bob a message that has been encrypted with
>> Alice's private key.
>> 2) Bob decrypts the message with Alice's public key.
>
> Wrong.
>
>> 1) Alice encrypts the message with Bob's public key.
>> 2) Alice signs the encrypted message by encrypting it further
>> with Alice's private key.
>> 3) Bob unsigns the received message with Alice's public key.
>> 4) Bob decrypts the encrypted message with Bob's private key.
>
> Wrong again [for the same reason].
>
> You never want to sign [or encrypt for that matter] raw message
> material. At the very least you only sign hashes but even then
> you still need padding.
>
> It's best to not think of signatures as "encrypting with the
> private exponent" because it leads you to make the mistake you
> just did.
I don't understand what you mean by saying that you never want to
encrypt raw message material. What's the alternative?
I am using "message" as a generic label to keep the discussion
simple - but I can see how doing so can create confusion - and
didn't want to throw in a lot of system-level stuff involving
symmetric keys and hashes and message digests.
Is there anything *conceptually* wrong with using an adequate
asymmetric encryption algorithm as described? For instance, if we
had one that was as fast as symmetric algorithms and that didn't
expose the keys no matter how much material was encrypted.
From a practical standpoint, I certainly understand that signing
a message by encrypting it with the private key using RSA is
extremely slow. IIRC, there are larger issues associated with
providing a lot of cipher text that has been RSA-encrypted - but
I'm not sure I'm remembering that correctly.
In practice - and I'm building this up as I type so please
correct me - if Alice wants to send Bob a message that is both
confidential and authenticated, one way is to first generate a
message digest and sign the digest using her private key. She
then appends the signed digest to the original message. She then
selects a symmetric key and encrypts the extended message with
the symmetric key. She then encrypts the symmetric key with Bob's
public key. She then sends the encrypted symmetric key and
message to Bob who first decrypts the symmetric key. Then, using
the symmetric key, he decrypts the remainder of the message. He
then separates and unsigns the message digest from the original
message. He can then generate a message digest of the original
message and compare it to the one that was unsigned. Of course,
Alice and Bob have to agree on this protocol in all of its fine
details, but that can be done over an open channel.
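The scheme outlined in the last paragraph, written out as an added Node.js example that is not part of the original post. It uses the padding the quoted reply calls for (RSA-PSS for the signature, RSA-OAEP for wrapping the key); AES-256-GCM, the envelope field names and the function names `seal`, `open` and `demo` are assumptions made for this illustration.

```javascript
const crypto = require('crypto');
const PSS = crypto.constants.RSA_PKCS1_PSS_PADDING;
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Alice: sign the SHA-256 digest of the message (PSS padding), append the
// signature, encrypt message||signature under a fresh AES-256-GCM key, and
// wrap that key with Bob's public key (OAEP padding).
function seal(alicePriv, bobPub, message) {
  const sig = crypto.sign('sha256', message, { key: alicePriv, padding: PSS });
  const key = crypto.randomBytes(32);
  const nonce = crypto.randomBytes(12);
  const aes = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([aes.update(message), aes.update(sig), aes.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: bobPub, ...OAEP }, key);
  return { wrappedKey, nonce, body, tag: aes.getAuthTag() }; // assumed envelope layout
}

// Bob: unwrap the symmetric key, decrypt, split off the signature, and check
// it against a digest of the recovered message. Any failure throws.
function open(bobPriv, alicePub, env) {
  const key = crypto.privateDecrypt({ key: bobPriv, ...OAEP }, env.wrappedKey);
  const aes = crypto.createDecipheriv('aes-256-gcm', key, env.nonce);
  aes.setAuthTag(env.tag);
  const plain = Buffer.concat([aes.update(env.body), aes.final()]);
  // An RSA signature is exactly as long as the signer's modulus.
  const cut = plain.length - alicePub.asymmetricKeyDetails.modulusLength / 8;
  if (cut < 0) throw new Error('envelope too short');
  const message = plain.subarray(0, cut);
  const opts = { key: alicePub, padding: PSS };
  if (!crypto.verify('sha256', message, opts, plain.subarray(cut))) {
    throw new Error('signature does not match message');
  }
  return message;
}

// Constructed demo: throwaway 2048-bit keys and a made-up message.
function demo() {
  const alice = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const bob = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const env = seal(alice.privateKey, bob.publicKey, Buffer.from('meet at noon'));
  return open(bob.privateKey, alice.publicKey, env).toString();
}
console.log(demo());
```

`open` throws both when the ciphertext or wrapped key has been altered and when the signature does not verify under the public key Bob believes is Alice's.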