Hi Sam...
On Mon, 10 Jan 2000 11:44:44 +0100, Sam Heywood wrote:
> Information I found at both sites was very interesting. Both sites speak
> of public and private keys. Here is what I don't understand:
> If I should encrypt a message by using a public key, and then transmit the
> message to you, then there is nothing secret about it, because the key is
> publicly available. On the other hand, if I should encrypt a message
> by use of a private key, and if only you and I know what our private key is,
> then we can encrypt and decrypt secret messages to each other. A public key
> has no security value whatsoever.
Oooops. This isn't how it works exactly. This is called 'asymmetrical
encryption'. The public/private thing works like this:
1. You request a key set from the encrpyption program.
2. It generates 2 keys, 1 public and 1 private.
3. The important thing is that a message encrypted with one key can ONLY
be decrypted with the other. So:
4. You make your public key known to all. (that's why you see PGP public key
info in many peoples signatures)
5. If someone wishes to send you an encrypted message they simply use
your Public Key to encrypt it. Remember, anything encrypted with a
public key can only be decrypted with your private key. The fact that
everyone on the net may have access to your public does not matter.
6. You receive the message and decrypt it with you private key.
Obviously you keep your private key VERY private.
Likewise, if you want to reply to the sender, you would encrypt the
message with THEIR public key.
If the key generating function is sound then the security of encryption
is a function of the key length. That is, an 8 bit key could be broken
by brute force within 256 tries. Therefore, a 128 or 256 bit key is very
strong as it would take alot of very powerful computers a long time to
brute force the code.
Some asymmetrical techniques allow back doors (like the law enforcement
access field 'LEAF' in Clipper) something to think about. Recently M$
was in the hotseat when it was discovered that their key generator
actually generated a THIRD key called the NSA KEY. Hmmmm.
One other point to consider. Because of the 'strength' of modern
asymmetrical encryption techniques, even a relatively short key can
prove sufficient. The question to ask yourself is: How important is the
data I want to encrypt?
If it is a credit card number encrypted with a 128 bit key it would likely
take a hacker with a room full Pentiums a few years to break. Just to
find that you only had $1000.00 left on your credit card?? That wouldn't
even cover the cost of the electricity to crack the card number. (the
card would've expired by then anyway wouldn't it?)
All of the above speaks to the technique of asymmetrical encryption
only. I personally don't buy things on the net and have no experience
with SSL so I can't comment on the security of that layer. Is it
possible to sniff the data before it's encrypted? I tend to doubt it but
I don't know.
Jim
> The best method of transmitting secret messages would involve only the sender
> and the receiver having a copy of a unique randomly generated key. A
> somewhat less secure, but fairly good method of transmitting secret messages
> would involve the sender and the receiver agreeing to use a secret password,
> a pass phrase, or a certain passage from a book to be used as a key for
> encryption/decryption. No parties other than sender and receiver would have
> knowledge as to whatever string of characters had been agreed upon for use as
> a ciphering key.
This is called symmetrical encryption (like one-time pads) and can be
frighteningly secure as long as both parties gain access to the key
without leaking it. But it brings up an important point that I totally
neglected to mention.
Asymmetrical encryption is ver processor intensive when encryting or
decrypting messages. To improve efficiency when dealing with long
messages, it is common to actually encrypt the message using
'Symmetrical' encryption and then to encrypt the Symmetrical Key with
Asymmetrical encryption. That way the faster technique is used to
encrypt the long message and the Asymmetrical technique to encrypt the
key.
Now you have the best of both worlds....Both parties use the same key
while having a secure way to transmit it.
I hope this helps.
Jim
-- Arachne.....Registered.....Life doesn't get any better!!
-- Pixel32.....Registered.....OOPS!, Life just got better!!
