This is due to the fact that Sam sent this to two lists and I first went
over the SURVPC list... Some of these things have already been
explained by others but some have not.
Sam Heywood wrote:
>If no one knows of a web site that explains how this system works,
>is there some one out there who can explain in a nutshell how this
>system is supposed to work?
Ok, I don't actually know how these "secure sites" work, but I can perhaps
add a little knowledge anyway.
IIRC the system used is RSA (Rivest, Shamir and Adleman). This system works
like this:
(looking in book...)
1. Choose two large primes, p and q, (typically larger than 10^100)
2. Compute n = p * q and z = (p - 1) * (q - 1)
3. Choose a number relatively prime to z and call it d
4. Find e such that e * d = 1 mod z
(...all done)
With these computed the encryption starts. Next the text we want to encode
is split into different blocks; these are all less than or equal to n and
named P. To encrypt the message the computer does C = P^e mod n and
decrypting is: P = C^d mod n
The code to read this decrypted message is then (e, n) while we used (d, n)
to create it.
So the server will know that it was you that ordered a message to be sent,
since only you can make them. This message could of course be taken by
anyone listening, but it would be the same as the earlier one (and I think
there are timestamps on them).
Of course if someone uses a key generator and your number got up then
you're in a little bad luck. (But this is not actually your problem, but
between the company and your bank).
And since the prime numbers are so high this makes it very hard to actually
break them.
If we increase the min prime number it gets even harder - and more prime
numbers are found than new computer power is made. Of course this can be a
problem if enough computers are used (as was exemplified with that if every
Chinese had a small computer and they all worked to break the DES code it
would take less than a minute) and if a very good program is made - and now
we aren't referring to coding in ASM vs Visual Basic but what the code does
- it might very well be possible.
AFAIK PGP works in the same way. (But with larger keys which makes it even
more safe).
The RSA keys are longer inside the US (and as an effect the GSM's encryption
is stronger in Europe) so they are more or less easy to break depending on
where you live. (Or actually on what browser you're using).
IIRC I "illegally" downloaded the US version of Netscape 3.04G ;)
And in a new mail Sam wrote:
>If I should encrypt a message by using a public key, and then transmit the
>message to you, then there is nothing secret about it, because the key is
>publicly available. On the other hand, if I should encrypt a message
>by use of a private key, and if only you and I know what our private key is,
>then we can encrypt and decrypt secret messages to each other. A public key
>has no security value whatsoever.
Only I can say that I'm who I am. For instance:
"Who of you is Sam Heywood?"
"Me!"
"No, I am!"
("Diamonds are forever" has this problem for James Bond and he shoots the
wrong guy because of it - but he isn't out to get Sam <g>).
What we need is some way to know who the real Sam Heywood is. For us here
on the list we are probably happy enough with the name and e-mail but
others might not believe that it's actually Sam Heywood. This is what PGP
and RSA solve for us, if we assume that we believe that it really is Sam
Heywood who is giving us the key.
>The best method of transmitting secret messages would involve only the sender
>and the receiver having a copy of a unique randomly generated key. A
>somewhat less secure, but fairly good method of transmitting secret messages
>would involve the sender and the receiver agreeing to use a secret password,
>a pass phrase, or a certain passage from a book to be used as a key for
>encryption/decryption. No parties other than sender and receiver would have
>knowledge as to whatever string of characters had been agreed upon for use as
>a ciphering key.
A phrase and/or single words are way too easy to break. Prime numbers are
needed to get it secure enough.
>What I mean to say here is that I cannot think of any method by which sender
>and receiver can transmit secret messages to each other over public channels
>of communication with any reasonable level of security unless both parties
>have previously agreed on an encryption/decryption key.
The messages aren't secret, that's not the point. The point is to create
messages that let us know who we are talking to. (And with respect to the
secure sites who we are ourselves).
//Bernie
http://hem1.passagen.se/bernie/index.htm DOS programs, Star Wars ...
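
Added example, not part of the original message: the four key-generation steps and the two formulas from the reply above, carried through in Python, including the "created with (d, n), read with (e, n)" check. The primes 61 and 53, the sample message and all function names are constructed for the illustration, and there is no padding, so this shows the arithmetic only.

```python
from math import gcd

def make_keys(p, q):
    """Steps 1-4: n = p*q, z = (p-1)*(q-1), d coprime to z, e*d = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    d = 3
    while gcd(d, z) != 1:      # step 3: smallest d >= 3 relatively prime to z
        d += 1
    e = pow(d, -1, z)          # step 4: modular inverse (Python 3.8+)
    return (e, n), (d, n)      # (e, n) is published, (d, n) stays private

def to_blocks(data, n):
    """Split bytes into integer blocks P, every one smaller than n."""
    size = (n.bit_length() - 1) // 8
    if size < 1:
        raise ValueError("n is too small to hold one byte per block")
    return [int.from_bytes(data[i:i + size], "big")
            for i in range(0, len(data), size)]

def apply_key(blocks, key):
    """Raise every block to the key exponent mod n."""
    k, n = key
    return [pow(x, k, n) for x in blocks]

def verify(blocks, signature, public):
    """A signature made with (d, n) must map back to the blocks under (e, n)."""
    return apply_key(signature, public) == blocks

def demo():
    public, private = make_keys(61, 53)          # constructed toy primes
    P = to_blocks(b"order #42", public[1])       # constructed sample message
    C = apply_key(P, public)                     # C = P^e mod n
    signature = apply_key(P, private)            # made with (d, n)
    tampered = [(s + 1) % public[1] for s in signature]
    return {
        "decrypts": apply_key(C, private) == P,  # P = C^d mod n
        "genuine": verify(P, signature, public),
        "forged": verify(P, tampered, public),
    }

if __name__ == "__main__":
    print(make_keys(61, 53), demo())
```

Anyone holding the published (e, n) can run `verify`, but only the holder of d can produce a signature that passes it.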