On Mon, 10 Jan 2000 11:33:40 -0800, Jim Varnum wrote:
> Hi Sam...
> On Mon, 10 Jan 2000 11:44:44 +0100, Sam Heywood wrote:
>> Information I found at both sites was very interesting. Both sites speak
>> of public and private keys. Here is what I don't understand:
>> If I should encrypt a message by using a public key, and then transmit the
>> message to you, then there is nothing secret about it, because the key is
>> publicly available. On the other hand, if I should encrypt a message
>> by use of a private key, and if only you and I know what our private key is,
>> then we can encrypt and decrypt secret messages to each other. A public key
>> has no security value whatsoever.
> Oooops. This isn't how it works exactly. This is called 'asymmetrical
> encryption'. The public/private thing works like this:
> 1. You request a key set from the encryption program.
> 2. It generates 2 keys, 1 public and 1 private.
> 3. The important thing is that a message encrypted with one key can ONLY
> be decrypted with the other. So:
> 4. You make your public key known to all. (that's why you see PGP public key
> info in many people's signatures)
> 5. If someone wishes to send you an encrypted message they simply use
> your Public Key to encrypt it. Remember, anything encrypted with a
> public key can only be decrypted with your private key. The fact that
> everyone on the net may have access to your public key does not matter.
> 6. You receive the message and decrypt it with your private key.
> Obviously you keep your private key VERY private.
> Likewise, if you want to reply to the sender, you would encrypt the
> message with THEIR public key.
> If the key generating function is sound then the security of encryption
> is a function of the key length. That is, an 8 bit key could be broken
> by brute force within 256 tries. Therefore, a 128 or 256 bit key is very
> strong as it would take a lot of very powerful computers a long time to
> brute force the code.
> Some asymmetrical techniques allow back doors (like the law enforcement
> access field 'LEAF' in Clipper) something to think about. Recently M$
> was in the hotseat when it was discovered that their key generator
> actually generated a THIRD key called the NSA KEY. Hmmmm.
> One other point to consider. Because of the 'strength' of modern
> asymmetrical encryption techniques, even a relatively short key can
> prove sufficient. The question to ask yourself is: How important is the
> data I want to encrypt?
> If it is a credit card number encrypted with a 128 bit key it would likely
> take a hacker with a room full of Pentiums a few years to break. Just to
> find that you only had $1000.00 left on your credit card?? That wouldn't
> even cover the cost of the electricity to crack the card number. (the
> card would've expired by then anyway wouldn't it?)
> All of the above speaks to the technique of asymmetrical encryption
> only. I personally don't buy things on the net and have no experience
> with SSL so I can't comment on the security of that layer. Is it
> possible to sniff the data before it's encrypted? I tend to doubt it but
> I don't know.
> Jim
>> The best method of transmitting secret messages would involve only the sender
>> and the receiver having a copy of a unique randomly generated key. A
>> somewhat less secure, but fairly good method of transmitting secret messages
>> would involve the sender and the receiver agreeing to use a secret password,
>> a pass phrase, or a certain passage from a book to be used as a key for
>> encryption/decryption. No parties other than sender and receiver would have
>> knowledge as to whatever string of characters had been agreed upon for use as
>> a ciphering key.
> This is called symmetrical encryption (like one-time pads) and can be
Yes, that is exactly what I'm talking about. That is indeed the type of
encryption performed by use of "one-time pads". I refrained from using this
phrase in my original post because I felt too many people would not know
what I am referring to. Or maybe it was because I wanted to avoid the
attention of people who might ask too many questions <g>.
> frighteningly secure as long as both parties gain access to the key
> without leaking it. But it brings up an important point that I totally
> neglected to mention.
> Asymmetrical encryption is very processor intensive when encrypting or
> decrypting messages.
Also very labor-intensive and requiring one's utmost concentration and
attention to detail when doing this kind of work manually. It is very
difficult to do accurately when in high-stress situations.
> To improve efficiency when dealing with long
> messages, it is common to actually encrypt the message using
> 'Symmetrical' encryption and then to encrypt the Symmetrical Key with
> Asymmetrical encryption. That way the faster technique is used to
> encrypt the long message and the Asymmetrical technique to encrypt the
> key.
> Now you have the best of both worlds....Both parties use the same key
> while having a secure way to transmit it.
> I hope this helps.
Yep, that sure does help. I will be looking for some web sites
explaining some more details on this technology.
Sam Heywood
> Jim
> -- Arachne.....Registered.....Life doesn't get any better!!
> -- Pixel32.....Registered.....OOPS!, Life just got better!!
-- This mail was written by user of Arachne, the Alternative WWW Browser
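
The two ideas discussed in this thread (a message locked with the public key opens only with the matching private key, and a long message is encrypted symmetrically while only the short session secret is encrypted asymmetrically) can be shown in one sketch; this is an added example, not part of either poster's message and not PGP's own code or format. It assumes only the Python standard library: all function names are hypothetical, the asymmetric step is RSA applied to a fresh random value (RSA-KEM style), and the SHA-256 keystream stands in for a real symmetric cipher such as AES.

```python
import hashlib, hmac, secrets

def is_probable_prime(n, rounds=40):       # Miller-Rabin; n must be odd and > 3
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** j, n) != n - 1 for j in range(1, s)):
            return False                    # witness found: n is composite
    return True

def random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(p):
            return p

def generate_keypair(bits=2048, e=65537):  # steps 1-2: one public, one private key
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def session_keys(r, n):                    # cipher key and MAC key derived from r
    raw = r.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def keystream_xor(key, data):              # symmetric stand-in: SHA-256 counter keystream
    pad = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def hybrid_encrypt(public, message):       # the sender needs only the public key
    n, e = public
    r = secrets.randbelow(n - 2) + 2       # fresh random secret for this message
    enc_key, mac_key = session_keys(r, n)
    body = keystream_xor(enc_key, message)
    return pow(r, e, n), body, hmac.new(mac_key, body, hashlib.sha256).digest()

def hybrid_decrypt(private, wrapped, body, tag):   # only the private key recovers r
    n, d = private
    enc_key, mac_key = session_keys(pow(wrapped, d, n), n)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong private key or modified message")
    return keystream_xor(enc_key, body)
```

Calling `hybrid_decrypt` with the public key, or with any other private key, raises `ValueError`, which is why publishing the public key gives a reader of the ciphertext nothing to decrypt with.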