> If I should encrypt a message by using a public key, and then transmit the
> message to you, then there is nothing secret about it, because the key is
> publicly available.
False; only the person with the corresponding SECRET key can read what the
PUBLIC key outputs.
> On the other hand, if I should encrypt a message
> by use of a private key, and if only you and I know what our private key is,
> then we can encrypt and decrypt secret messages to each other.
Wrong; explained above.
If I give you MY public key, and you give me YOUR public key, we can
communicate securely: If you encrypt something with my public key, only I
can read it (only I have access to my SECRET key). When I reply, I use your
public key. Again, only you can read it with YOUR secret key. This is the
strength of public-key cryptography, as used in SSL.
Authentication is the reverse process - I encrypt something with my secret
key, then you decrypt it with my public key to see if it matches.
This public-key system is what makes SSL work. (Of course, the mechanisms
are more complex than this, but this is the part you need to know.)
The mathematics behind this is very complex, but it actually works. SSL
*is* safe, works very well, and IMHO should be implemented in every web
browser. =)
> somewhat less secure, but fairly good method of transmitting secret messages
> would involve the sender and the receiver agreeing to use a secret password,
> a pass phrase, or a certain passage from a book to be used as a key for
> encryption/decryption. No parties other than sender and receiver would have
> knowledge as to whatever string of characters had been agreed upon for use as
> a ciphering key.
a) It is much less secure if you do not have a secure way of exchanging
passwords, as is the case with SSL webservers. Besides, you're supposed to
be able to communicate securely per SSL without having to do special key
setup.
b) Only a secure group of people can use it - can't be used in public
systems.
> What I mean to say here is that I cannot think of any method by which sender
> and receiver can transmit secret messages to each other over public channels
> of communication with any reasonable level of security unless both parties
> have previously agreed on an encryption/decryption key.
You only need to exchange public keys with SSL, and because they are
public, it doesn't matter if thousands of people can see them - they are
still secure. Not so with secret-key systems.
Hope you (and the other Arachnids) understand it better now =)
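
The two operations described in the reply above (encrypting to the recipient's public key, and authenticating with the sender's secret key), as an added example that is not part of the original message. It assumes textbook RSA as the algorithm; the function names, toy keys and sample message are constructed for illustration.

```python
# Added illustration: textbook RSA with constructed toy keys and no padding.
# Real SSL/TLS stacks use vetted libraries, 2048-bit+ keys and OAEP/PSS padding.
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, exponent) pairs for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))  # d = e^-1 mod phi (Python 3.8+)

def apply_key(key, value):
    """The single RSA operation: value^exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def encrypt(recipient_public, message):      # anyone can do this
    return apply_key(recipient_public, int.from_bytes(message, "big"))

def decrypt(own_private, ciphertext):        # only the key owner can do this
    m = apply_key(own_private, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(own_private, message):              # "encrypt with my secret key"
    return apply_key(own_private, _digest(message, own_private[0]))

def verify(sender_public, message, signature):  # "see if it matches"
    return apply_key(sender_public, signature) == _digest(message, sender_public[0])

# Constructed keys built from known Mersenne primes (far too small for real use).
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

def demo():
    note = b"card 1234"                      # constructed sample message
    ciphertext = encrypt(BOB_PUBLIC, note)   # Alice writes to Bob
    signature = sign(ALICE_PRIVATE, note)    # Alice proves it came from her
    return {
        "bob_reads": decrypt(BOB_PRIVATE, ciphertext),
        "public_key_undoes_it": apply_key(BOB_PUBLIC, ciphertext) == int.from_bytes(note, "big"),
        "signature_ok": verify(ALICE_PUBLIC, note, signature),
        "tampered_ok": verify(ALICE_PUBLIC, b"card 9999", signature),
    }
```

Calling `demo()` shows that Bob's public key cannot reverse its own output, and that a signature made with Alice's secret key fails to verify once the message is altered.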