On Tue, 11 Jan 2000 04:33:18 +0100 (CET), Petri <[EMAIL PROTECTED]> wrote:

> On Mon, 10 Jan 2000, Samuel W. Heywood wrote:

>> There is only one "public key" that I know about.  It looks like this and
>> everyone either has a copy or can readily generate a copy by recalling the
>> scheme by which the characters are ordered:

>>              ABCDEFGHIJKLMNOPQRSTUVWXYZ
> [SNIP]
>>              ZABCDEFGHIJKLMNOPQRSTUVWXY

> This sounds very unlike RSA - RSA does not use characters, but rather huge
> numbers derived from primes blaha blah. This key you showed me looks more
> like Vigenere which is something entirely different.

The system I was describing above is used for ciphering with OTP,
one-time-pads, conventionally consisting of code pages with randomly
generated five-character groups.  The "public key" is used only for
deriving the character appearing at the coordinates defined by the
encoded character and the "real" character.  Someone else described
this system of encryption as "synchronous".  This method of encryption is
among the most secure known.  It is far more secure than RSA and SSL.
This system has the disadvantage of requiring all members of the secret net
to be supplied with the code pages by some secure manner, such as by
dead-drop or by hand-delivery by an authorized courier.  As long as the
code pages are not compromised, and as long as no one has any idea as to
what kind of information may be contained in the encrypted messages, a brief
encrypted message simply cannot be decoded by any means, regardless of the
vast resources of the would-be code-breakers.  The reason for this is that
a short series of randomly-generated characters could represent an almost
infinite set of possible texts that would make sense.

With this system encryption and decryption are always done with the private
key.  The public key is used only to determine the character appearing at
the coordinates defined by the encrypted character and the corresponding
"real" character.  Everyone has the same public key.  The public key is of
no value to the would-be code-breaker if the only information he has is the
encrypted text.  If, however, the code-breaker has an encrypted message
known to have been sent from an enemy observation post whose location is
known, (i.e. by DF fix) and if the code-breaker knows what kind of activity
the enemy observer has most probably reported, and if he knows the standard
format that the enemy uses for his observation reports, then the code
breaker can easily deduce what is in the encrypted message.  Knowing all
of that, the code-breaker can re-construct the enemy's secret code page.
The enemy is of course aware of this, and for that reason, the enemy will
not use the same code-page more than once.  The allies were able to break
the Nazi enigma code because the Nazis were not smart enough to think of
resorting to a different setup for their enciphering machines for each
transmission. The allies correctly guessed that on a certain date each year
all of the Nazi field commanders would send an encoded message to Hitler
wishing him a happy birthday, and that the secret messages on that day would
contain standard formalized birthday greetings that are appropriate for
a person of lower rank to say to a high-ranking superior.  Hence, it was
easy to reconstruct the setup on a captured enigma engine.

>> With the system I am thinking of, only we and our fellow members of the secret
>> net have access to OUR secret key.  Everyone has the same public key, but only
>> we members of the secret net have the private key.

> Yes, this is what public-key systems are about. Everyone can encrypt data
> with the public one and only you guys with the secret one can read it.

The type of system I was describing is entirely different.  Messages are
encrypted and decrypted with the private key.  The public key is used only
for determining the character appearing at the coordinates defined by the
"real" character and the encrypted character.

>> With the type of crypto system that I am thinking of, the public key, as
>> shown above, is the same for everyone -  everyone including eavesdroppers and
>> spies know how to generate the public key.  Therefore the public key need not
>> be exchanged because it is already known, and there is nothing secret about it.
>> In my way of thinking, any key needed for crypto purposes and required to be
>> passed somehow among members of the secret communications net is a "private
>> key".  It seems a contradiction in terms to refer to a "public key" as one that
>> must be exchanged among the members of the secret net.

> The people with the secret key should also have a copy of the public one,
> just because I say so. =)

>> In the system I am referring to, a code page, conventionally consisting of
>> randomly generated five-letter groups is used by the secret net for
>> encryption and decryption.  The messages generated from the code sheet and

> Uh....well....what happens if someone who shouldn't be able to decrypt
> stuff, needs to encrypt something? (like, in the case of RSA in SSL)

Good question.  The system I have described would not be practical for
use by secure web sites because there would be no practical means for
rapid and secure transmission of the secret code pages.

> See it this way:

>          Encrypts with public key
> SERVER  <-X------------------------------  CLIENT <- CC number sent
> |       |                                to shopping site
> |       |- an eavesdropper receives the
> |          encrypted data. He has al-
> |          ready got the public key.
> |          Still, he can't find out your
> |          credit card number. [this is the strength of SSL]
> |
> | Decrypts with secret key
> ----------------------------> CC number used ----|
>                                                |
>                      Securely transmitted to BANK |
> Draws money from card <--------------------------|

>> I agree that the method of encryption described above would not be secure
>> if there did not exist a secure method of exchanging passwords among the
>> members of the secret net.

> You usually don't send the secret key in public-key systems.

>> I still do not understand how data can be exchanged securely without first
>> having exchanged passwords or pass phrases in a secure manner.

> See the mathematics for RSA -
> <http://world.std.com/~franl/crypto/rsa-guts.html>. Note that nothing is
> 100% secure when it comes to encryption (except for a technique called OTP
> pads), but RSA is very very very very very very secure. The other cryptos
> (except DES) in SSL are also secure - if good keylengths are used. This
> makes SSL very secure.

>> A secret key system remains highly secure as long as the code page is not
>> compromised.  People who use the secret key systems usually will afford
>> themselves even higher levels of security by using a different code page
>> for a different day or hour.

> This is true. But with SSL you don't want to exchange secret keys - you
> have no secure way of doing so. So you say, "Hello RSA" and everything
> works securely =)

>> I think we have different concepts as to
>> what a "public key" is.  We are talking about two different things.  Hence
>> my difficulty in comprehending the concepts you are presenting.

> Yeah, I noticed it now =/

> Public key: EVERYONE can get it. It's no secret. Used in SSL when you SEND
> data. Can ONLY be decrypted with SECRET key.

> Secret key: only the SSL server has it, to decrypt what it receives. No one
> else.

> Any clearer?

This is still somewhat confusing to me because, although it has been well
explained as to how the system is used,  I still don't understand how it
works.  In other words, I think I know enough now in order to use the
system, but I don't know enough to understand what I am doing.  I feel
like a child that has been taught how to use a jack to lift up the wheel
of a car and without first having been taught a science lesson on the physics
of levers.  The child will only marvel at the work he can do with the jack,
but he will not learn anything about the principle involved, unless he is
curious enough to ask questions and can be given the guidance to the right
answers.  The child will keep pestering the adults with his questions until
the most basic principles are explained and demonstrated.  From that point
on, the child is equipped with the knowledge to conduct further
investigations and experiments on his own.

My attitude is like that of the curious child.

Sam Heywood

> /petri

-- This mail was written by user of Arachne, the Alternative WWW Browser
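
Added example, not part of the original message or thread: a Python sketch of the one-time-pad scheme discussed above, with the shared letter square as the public table and a random code page as the secret, showing why a code page used twice can be rebuilt from one known message. The function names, the 16-letter messages and the A-Z-only alphabet are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase
# The square everyone knows: row r is the alphabet rotated left by r places,
# so row 0 is ABC...Z and row 25 is ZAB...Y, as in the message above.
TABLE = [ALPHABET[r:] + ALPHABET[:r] for r in range(26)]


def new_pad(length):
    """One code page: letters drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check(text, pad):
    if len(pad) < len(text):
        raise ValueError("pad shorter than message: never wrap or reuse pad letters")
    if set(text + pad) - set(ALPHABET):
        raise ValueError("only A-Z is supported")


def encrypt(plain, pad):
    """Cipher letter = cell at (row of pad letter, column of plain letter)."""
    check(plain, pad)
    return "".join(TABLE[ALPHABET.index(k)][ALPHABET.index(p)]
                   for p, k in zip(plain, pad))


def decrypt(cipher, pad):
    """Find the cipher letter in the pad letter's row; its column is the plain letter."""
    check(cipher, pad)
    return "".join(ALPHABET[TABLE[ALPHABET.index(k)].index(c)]
                   for c, k in zip(cipher, pad))


def recover_pad(cipher, known_plain):
    """Known plaintext: the row holding the cipher letter in the plain letter's column."""
    check(cipher, known_plain)
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26]
                   for c, p in zip(cipher, known_plain))


if __name__ == "__main__":
    pad = new_pad(16)
    first, second = "WEATHERCLEARNOON", "SUPPLYCONVOYLATE"   # constructed messages
    c1, c2 = encrypt(first, pad), encrypt(second, pad)       # pad reused: the mistake
    print("second message read via reuse:", decrypt(c2, recover_pad(c1, first)))
    # Without known plaintext, any same-length text is explained by some pad:
    print("pad that turns c1 into the other text:", recover_pad(c1, second))
```

The last line of the demo illustrates the point made in the message about short ciphertexts: for a single intercepted message, every candidate text of the same length has a pad that produces it, so the ciphertext alone singles out none of them.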
