On Mon, 10 Jan 2000, Samuel W. Heywood wrote:

> There is only one "public key" that I know about.  It looks like this and
> everyone either has a copy or can readily generate a copy by recalling the
> scheme by which the characters are ordered:
> 
>              ABCDEFGHIJKLMNOPQRSTUVWXYZ
[SNIP]
>              ZABCDEFGHIJKLMNOPQRSTUVWXY

This sounds very unlike RSA - RSA does not use characters, but rather huge
numbers derived from primes blah blah. This key you showed me looks more
like Vigenere which is something entirely different.

> With the system I am thinking of, only we and our fellow members of the secret
> net have access to OUR secret key.  Everyone has the same public key, but only
> we members of the secret net have the private key.

Yes, this is what public-key systems are about. Everyone can encrypt data
with the public one and only you guys with the secret one can read it.

> With the type of crypto system that I am thinking of, the public key, as
> shown above, is the same for everyone -  everyone including eavesdroppers and
> spies know how to generate the public key.  Therefore the public key need not
> be exchanged because it is already known, and there is nothing secret about it.
> In my way of thinking, any key needed for crypto purposes and required to be
> passed somehow among members of the secret communications net is a "private
> key".  It seems a contradiction in terms to refer to a "public key" as one that
> must be exchanged among the members of the secret net.

The people with the secret key should also have a copy of the public one,
just because I say so. =)

> In the system I am referring to, a code page, conventionally consisting of
> randomly generated five-letter groups is used by the secret net for
> encryption and decryption.  The messages generated from the code sheet and

Uh....well....what happens if someone who shouldn't be able to decrypt
stuff, needs to encrypt something? (like, in the case of RSA in SSL)

See it this way:

              Encrypts with public key
 SERVER  <-X------------------------------  CLIENT <- CC number sent
   |       |                                to shopping site
   |       |- an eavesdropper receives the
   |          encrypted data. He has already
   |          got the public key.
   |          Still, he can't find out your
   |          credit card number. [this is the strength of SSL]
   |       
   | Decrypts with secret key 
   ----------------------------> CC number used ----|
                                                    |
                       Securely transmitted to BANK |
   Draws money from card <--------------------------|


> I agree that the method of encryption described above would not be secure
> if there did not exist a secure method of exchanging passwords among the
> members of the secret net.

You usually don't send the secret key in public-key systems.

> I still do not understand how data can be exchanged securely without first
> having exchanged passwords or pass phrases in a secure manner.

See the mathematics for RSA -
<http://world.std.com/~franl/crypto/rsa-guts.html>. Note that nothing is
100% secure when it comes to encryption (except for a technique called OTP
pads), but RSA is very very very very very very secure. The other cryptos
(except DES) in SSL are also secure - if good keylengths are used. This
makes SSL very secure.

> A secret key system remains highly secure as long as the code page is not
> compromised.  People who use the secret key systems usually will afford
> themselves even higher levels of security by using a different code page
> for a different day or hour.

This is true. But with SSL you don't want to exchange secret keys - you
have no secure way of doing so. So you say, "Hello RSA" and everything
works securely =)

> I think we have different concepts as to
> what a "public key" is.  We are talking about two different things.  Hence
> my difficulty in comprehending the concepts you are presenting.

Yeah, I noticed it now =/

Public key: EVERYONE can get it. It's no secret. Used in SSL when you SEND
data. Can ONLY be decrypted with SECRET key.

Secret key: only the SSL server has it, to decrypt what it receives. No one
else.

Any clearer?

/petri
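
The flow in the diagram above, as an added example that is not part of the original message: textbook RSA with tiny constructed primes (61 and 53) and no padding, so the numbers can be followed by hand. The function names and the sample card digits are assumptions made for illustration.

```python
# Added illustration: textbook RSA, tiny constructed primes, no padding.
# Real SSL uses far larger keys and padded RSA; per-byte encryption as done
# here is deterministic and only meant to make the key roles visible.

def make_keypair(p, q, e):
    """Return (public, private): public = (n, e), private = (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def apply_key(key, value):
    """RSA core operation: value ** exponent mod n."""
    n, exponent = key
    return pow(value, exponent, n)

def client_encrypt(public, text):
    """CLIENT: anyone holding the public key can encrypt."""
    return [apply_key(public, b) for b in text.encode("ascii")]

def server_decrypt(private, blocks):
    """SERVER: only the holder of the secret exponent d can decrypt."""
    return bytes(apply_key(private, c) for c in blocks).decode("ascii")

def eavesdropper_attempt(public, blocks):
    """Eavesdropper has ciphertext plus public key; applying the public
    key again does not undo the encryption."""
    return [apply_key(public, c) for c in blocks]

if __name__ == "__main__":
    public, private = make_keypair(61, 53, 17)   # constructed toy primes
    card = "4111"                                # constructed sample digits
    wire = client_encrypt(public, card)
    print("public key      :", public)
    print("on the wire     :", wire)
    print("eavesdropper    :", eavesdropper_attempt(public, wire))
    print("server recovers :", server_decrypt(private, wire))
```
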
