Security Basics mailing list archives
RE: Basic Questions about PKI
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 7 Oct 2003 16:58:43 -0700
Yes, yes, and yes. For authentication, it's sufficient to sign the message digest with your private key, but you could about as easily encrypt the whole message with your private key -- the difference being that people without encryption software couldn't read it in the latter case. Think of it as an alternative way to SIGN the message. In symmetric crypotosystems, the ENCRYPT and DECRYPT algorithms are functional inverses when used with the same key. In asymmetric systems like PKI, there is a single algorithm for both operations, and pairs of keys are used which are one another's arithmetical inverses under that algorithm. It's not that there's an ENCRYPT and a decrypt, as that applying either key gets you a ciphertext to which application of the other key will recover the plaintext. Trivial example: A. Symmetric implementation The key is "2", the ENCRYPTION algorithm is "add" and the DECRYPTION algorithm is "subtract". B. Asymmetric implementation The ALGORITHM is "add" and the keys are "+2" and "-2". NOTE: The problem with "add" as an algorithm for such an asymmetric implementation is that the derivation of the second key from the first key is *trivial*. The challenge of modern cryptography is to find algorithms where the algorithm implementation is relatively frugal, but the derivation of one key from the other is sufficiently expensive to be impractical. It's success at making this operation expensive that allows one of the keys to be made public. Cryptographers are gradually finding or building better and better candidate algorithms -- and, to keep themselves honest, better and better key-derivation systems. David Gillett
-----Original Message----- From: Roger A. Grimes [mailto:rogerg () cox net] Sent: October 7, 2003 15:43 To: security-basics () securityfocus com Subject: Basic Questions about PKI Can someone that knows PKI cold confirm my knowledge of PKI? Here's what I think I know about PKI (accurate or not I'm not sure): a. People ENCRYPT messages to me with my PUBLIC key and send the encrypted message to me, and only I can open the encrypted message...because ONLY my PRIVATE key can decrypt messages encrypted with my PUBLIC key. b. If I want to SIGN a message, I use my private key to sign the message digest (ENCRYPTING the hash result). The receiver who wants to rely on my signed message uses my PUBLIC key to DECRYPT my encrypted message digest. c. Both private and public keys can decrypt, and both private and public keys can encrypt. It just depends on the situation of what we use when. Is that logic correct? Could we encrypt messages that we want to send to others with our private key (but don't because if we did anyone with our public key could read) the seemingly private message? Roger ************************************************************** ************** **** *Roger A. Grimes, Computer Security Consultant *CPA, MCSE (NT/2000), CNE (3/4), A+ *email: rogerg () cox net *cell: 757-615-3355 *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode *Author of upcoming Honeypots for Windows (Apress) ************************************************************** ************** ***** -------------------------------------------------------------- ------------- -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Basic Questions about PKI Roger A. Grimes (Oct 07)
- RE: Basic Questions about PKI David Gillett (Oct 08)
- Re: Basic Questions about PKI Meritt James (Oct 08)
- RE: Basic Questions about PKI Erik Rozman (Oct 08)
- Re: Basic Questions about PKI Michael Sconzo (Oct 08)
- <Possible follow-ups>
- RE: Basic Questions about PKI Kenneth Buchanan (Oct 08)
- RE: Basic Questions about PKI Chee Young, Tan (Oct 08)
- RE: Basic Questions about PKI Hussein Ghazy (Oct 09)
- RE: Basic Questions about PKI Kenneth Buchanan (Oct 08)