On Mon, 10 Jan 2000 17:09:51 +0100 (CET), Petri <[EMAIL PROTECTED]> wrote:
Hello -
Thanks for the dissertation. Please see my comments and befuddlements.
>> If I should encrypt a message by using a public key, and then transmit the
>> message to you, then there is nothing secret about it, because the key is
>> publicly available.
> False; only the person with the corresponding SECRET key can read what the
> PUBLIC outputs.
There is only one "public key" that I know about. It looks like this and
everyone either has a copy or can readily generate a copy by recalling the
scheme by which the characters are ordered:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
BCDEFGHIJKLMNOPQRSTUVWXYZA
CDEFGHIJKLMNOPQRSTUVWXYZAB
DEFGHIJKLMNOPQRSTUVWXYZABC
EFGHIJKLMNOPQRSTUVWXYZABCD
FGHIJKLMNOPQRSTUVWXYZABCDE
GHIJKLMNOPQRSTUVWXYZABCDEF
HIJKLMNOPQRSTUVWXYZABCDEFG
IJKLMNOPQRSTUVWXYZABCDEFGH
JKLMNOPQRSTUVWXYZABCDEFGHI
KlMNOPQRSTUVWXYZABCDEFGHIJ
LMNOPQRSTUVWXYZABCDEFGHIJK
MNOPQRSTUVWXYZABCDEFGHIJKL
NOPQRSTUVWXYZABCDEFGHIJKLM
OPQRSTUVWXYZABCDEFGHIJKLMN
PQRSTUVWXYZABCDEFGHIJKLMNO
QRSTUVWXYZABCDEFGHIJKLMNOP
RSTUVWXYZABCDEFGHIJKLMNOPQ
STUVWXYZABCDEFGHIJKLMNOPQR
TUVWXYZABCDEFGHIJKLMNOPQRS
UVWXYZABCDEFGHIJKLMNOPQRST
VWXYZABCDEFGHIJKLMNOPQRSTU
WXYZABCDEFGHIJKLMNOPQRSTUV
XYZABCDEFGHIJKLMNOPQRSTUVW
YZABCDEFGHIJKLMNOPQRSTUVWX
ZABCDEFGHIJKLMNOPQRSTUVWXY
>> On the other hand, if I should encrypt a message
>> by use of a private key, and if only you and I know what our private key is,
>> then we can encrypt and decrypt secret messages to each other.
> Wrong; explained above.
> If I give you MY public key, and you give
> me YOUR public key, we can communicate securely: If you encrypt something
> with my public key, only I can read it (only I have access to my SECRET
> key). When I reply, I use your public key. Again, only you can read it
> with YOUR secret key. This is the strength of public-key crytography, as
> used in SSL.
With the system I am thinking of, only we and our fellow members of the secret
net have access to OUR secret key. Everyone has the same public key, but only
we members of the secret net have the private key.
With the type of crypto system that I am thinking of, the public key, as
shown above, is the same for everyone - everyone including eavesdroppers and
spies know how to generate the pubic key. Therefore the public key need not
be exchanged because it is already known, and there is nothing secret about it.
In my way of thinking, any key needed for crypto purposes and required to be
passed somehow among members of the secret communications net is a "private
key". It seems a contradiction in terms to refer to a "public key" as one that
must be exchanged among the members of the secret net.
In the system I am referring to, a code page, conventionally consisting of
randomly generated five-letter groups is used by the secret net for
encryption and decyption. The messages generated from the code sheet and
by using the public key as an overlay are of course also streams of random
characters. Messages encoded in this way will totally defy any code-breaking
system based on a statistical analysis of the frequency of the occurences of
certain character groups. As there is no character substitution involved,
and because the characters are all randomized, this method is highly secure.
> Authentication is the reverse process - I encrypt something with my secret
> key, then you decrypt it with my public key to see if it matches.
> This public-key system is what makes SSL works. (of course, the mechanisms
> are more complex than this, but this is the part you need to know)
> The mathematics behind this is very complex, but it actually works. SSL
> *is* safe, works very well, and IMHO should be implemented in every web
> browser. =)
>> somewhat less secure, but fairly good method of transmitting secret messages
>> would involve the sender and the receiver agreeing to use a secret password,
>> a pass phrase, or a certain passage from a book to be used as a key for
>> encryption/decryption. No parties other than sender and receiver would have
>> knowledge as to whatever string of characters had been agreed upon for use as
>> a ciphering key.
I agree that the method of encrytion described above would not be secure
if there did not exist a secure method of exchanging passwords among the
members of the secret net.
> a) It is much less secure if you do not have a secure way of xchanging
> passwords, as is the case with SSL webservers. Besides, you're supposed to
> be able to communicate securely per SSL without having to do special key
> setup.
I still do not understand how data can be exchanged securely without first
having exchanged passwords or pass phrases in a secure manner.
> b) Only a secure group of people can use it - can't be used in public
> systems.
>> What I mean to say here is that I cannot think of any method by which sender
>> and receiver can transmit secret messages to each other over public channels
>> of communication with any reasonable level of security unless both parties
>> have previously agreed on an encryption/decryption key.
> You only need to exchange public keys with SSL, and because they are
> public, it doesn't matter if thousands of people can see them - they are
> still secure. Not so with secret-key systems.
A secret key system remains highly secure as long as the code page is not
compromised. People who use the secret key systems usually will afford
themselves even higher levels of security by using a different code page
for a different day or hour.
Here is one thing that I utterly fail to grasp:
Why do we use the term "public key", outside the context of being a key
readily available to the public just for the asking, as in the case of the
"public key" that I have posted. I think we have different concepts as to
what a "public key" is. We are talking about two different things. Hence
my difficulty in comprehending the concepts you are presenting.
Sam Heywood
> Hope you (and the other Arachnids) understand it better now =)
-- This mail was written by user of Arachne, the Alternative WWW Browser
