W dniu 2018-04-04 o 02:58, Andrew Rowley pisze:
On 4/04/2018 10:53 AM, Charles Mills wrote:
No, a digital signature does not require an authority.
I publish my public key on my Web site.
How do I verify that the key that I see browsing your website is
really yours and hasn't been e.g. substituted in transit? Key exchange
is the hardest bit of cryptography.
It is simple.
ServerPac content is something non-secret - we don't want to encrypt it,
we only want to be sure it is not altered by bad guys. (Let's assume it
for a while)
So, we checksum he content using SHA. Everybody can check it is not
tampered by repeating cheksum and comparing hash values with ...with WHAT?
Hash values can also be modified!
Of course IBM could pay for TV and newspaper commercial advertisement
containing those values, but it is not practical way. ;-)
However such way shows one of possible solutions: to deliver checksums
using alternate way.
The other method could be to SIGN the hash value. Sign is a method from
assymetric cryptography family. IBM sign the hash (in fact they sign
whole serverpac) using it's PRIVATE key, which is the deepest secret of
IBM, however *everybody* (including bad guys) can obtain PUBLIC key
from IBM and the public key plus method allows everybody to confirm (or
deny) this information was signed by IBM.
Note, the content is still not encrypted.
Is it possible to encypt it? For SSL/TLS download , it is unnecessary,
because whole transmission is encrypted (and hard to break despite
gossips).
If you really want to encrypt the content (ie. DVD files) then you have
to make your pair of PRIVATE/PUBLIC keys. Yes, the customer has to do it
and ask IBM to use his public key. A little bit complex - IBM would
have to collect and maintain keys from every customer. Each customer
should take care about the keys again disclosure and ...lost. Keys
should be replaced periodically, etc. IMHO much to much trouble for
such content.
--
Radoslaw Skorupka
Lodz, Poland
======================================================================
--
Treść tej wiadomości może zawierać informacje prawnie chronione Banku
przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie
jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem
niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania
adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie
lub inne działanie o podobnym charakterze jest prawnie zabronione i może być
karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie
zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość
włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.
This e-mail may contain legally privileged information of the Bank and is
intended solely for business use of the addressee. This e-mail may only be
received by the addressee and may not be disclosed to any third parties. If you
are not the intended addressee of this e-mail or the employee authorized to
forward it to the addressee, be advised that any dissemination, copying,
distribution or any other similar activity is legally prohibited and may be
punishable. If you received this e-mail by mistake please advise the sender
immediately by using the reply facility in your e-mail software and delete
permanently this e-mail including any copies of it either printed or saved to
hard drive.
mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa,
www.mBank.pl, e-mail: [email protected]ąd Rejonowy dla m. st. Warszawy XII
Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców
KRS 0000025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2018 r. kapitał
zakładowy mBanku S.A. (w całości wpłacony) wynosi 169.248.488 złotych.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
