Hi
"Samuel W. Heywood" <[EMAIL PROTECTED]> wrote:
SH> Information I found at both sites was very interesting. Both sites speak
SH> of public and private keys. Here is what I don't understand:
OK ... first some general remarks. (please forgive my bad english - as you
know I'm no native english speaker)
In asymmetrical cryptography (PGP,SSL) a key consists of 2 parts:
a private/secret part and a public part.
The public part is known, and can be distributed and the secret key is known
only by the owner. (and is usually protected by a password)
The 2 parts form a BIG prime number.
The crypto effect is that is is much easier to multiply 2 numbers, than to get
the prime factors from the result of that multiplication.
SH> If I should encrypt a message by using a public key, and then transmit
SH> the message to you, then there is nothing secret about it, because the
SH> key is publicly available.
NO ... first you generate a session key. (randomly ... here is a point where
you could possibly compromise the whole thing, if the RNG is deffective, eg
the numbers are not well distributed)
Than you take the newly generated session key, and apply the public key of
your partner to the public part of your key.
This can only be decrypted by anybody, who knows the _SECRET_ part of your
partners key.
Your partner sends answers back using the public part that you sent to him
encrypted just before.
These answers can only be decrypted with the secret part of the session key,
that you have generated.
SH> On the other hand, if I should encrypt a message by use of a private
SH> key, and if only you and I know what our private key is, then we can
SH> encrypt and decrypt secret messages to each other. A public key has no
SH> security value whatsoever.
You don't understand the asymmetrical crypto scheme.
NEVER EVER give away you're secret key. ONLY YOU need it.
GIVE away you're public key. Others need it to send crypted messages to you.
SH> The best method of transmitting secret messages would involve only the
SH> sender and the receiver having a copy of a unique randomly generated key.
yes ... this is what SSL does.
SH> What I mean to say here is that I cannot think of any method by which
SH> sender and receiver can transmit secret messages to each other over
SH> public
SH> channels of communication with any reasonable level of security unless
SH> both parties have previously agreed on an encryption/decryption key.
See above ...
I'm no crypto expert ... but if there would be a serious security flaw, than
this would have been revealed loooooooooong time ago.
The biggest problem is the extreme st*pidness of the american government
conecrning crypto regulation.
American programs which are exported can only use 40 bit keys.
These are very insecure.
Inside of the US and programs not made in the US use 128 bit keys, wich are
secure ...
PS: Rumour has it, that the USA government will drop these stupid crypto
export regulations. (because they compomize free market, because US companys
can't sell strong crypto to the rest of the world, while non US companies can)
SH> Sam Heywood
CU, Ricsi
--
Richard Menedetter <[EMAIL PROTECTED]> [ICQ: 7659421] {RSA-PGP Key avail.}
-=> Beware of the opinion of someone without any facts <=-
