Security Basics mailing list archives
RE: Basic Questions about PKI
From: "Chee Young, Tan" <cheeyoung () crimsonlogic com>
Date: Wed, 8 Oct 2003 23:55:22 +0800
Usually a random key is created to encrypted the message. The random key is then encrypted by the recipient public key. The encrypted random key can be attached to the message before the transmission. It is because using Public key to encrypt the message is very slow. -----Original Message----- From: Kenneth Buchanan [mailto:K.Buchanan () Kastenchase com] Sent: Wednesday, October 08, 2003 10:05 PM To: 'Roger A. Grimes'; security-basics () securityfocus com Subject: RE: Basic Questions about PKI That is correct in theory, but we pretend it's not because exploiting that fact is highly inadvisable. It is important that you have separate private keys for signing and decryption. The operations they perform are, from a theoretical standpoint, identical, but we treat them as different operations for practical reasons. At the heart of it is that fact that the policies regulating the usage of the keys is different. For instance, it is a good idea for an organization to have a backup of decryption keys, but should never ever have a backup of signing keys (this would destroy the non-repudiation aspect of any signature being created). Any decent PKI book should explain this. In any PKI users should be issued dual key pairs, one pair for signing and signature verification, and one pair for encryption and decryption. -----Original Message----- From: Roger A. Grimes [mailto:rogerg () cox net] Sent: Tuesday, October 07, 2003 6:43 PM To: security-basics () securityfocus com Subject: Basic Questions about PKI Can someone that knows PKI cold confirm my knowledge of PKI? Here's what I think I know about PKI (accurate or not I'm not sure): a. People ENCRYPT messages to me with my PUBLIC key and send the encrypted message to me, and only I can open the encrypted message...because ONLY my PRIVATE key can decrypt messages encrypted with my PUBLIC key. b. If I want to SIGN a message, I use my private key to sign the message digest (ENCRYPTING the hash result). The receiver who wants to rely on my signed message uses my PUBLIC key to DECRYPT my encrypted message digest. c. Both private and public keys can decrypt, and both private and public keys can encrypt. It just depends on the situation of what we use when. Is that logic correct? Could we encrypt messages that we want to send to others with our private key (but don't because if we did anyone with our public key could read) the seemingly private message? Roger ************************************************************************ **** **** *Roger A. Grimes, Computer Security Consultant *CPA, MCSE (NT/2000), CNE (3/4), A+ *email: rogerg () cox net *cell: 757-615-3355 *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode *Author of upcoming Honeypots for Windows (Apress) ************************************************************************ **** ***** ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Basic Questions about PKI Roger A. Grimes (Oct 07)
- RE: Basic Questions about PKI David Gillett (Oct 08)
- Re: Basic Questions about PKI Meritt James (Oct 08)
- RE: Basic Questions about PKI Erik Rozman (Oct 08)
- Re: Basic Questions about PKI Michael Sconzo (Oct 08)
- <Possible follow-ups>
- RE: Basic Questions about PKI Kenneth Buchanan (Oct 08)
- RE: Basic Questions about PKI Chee Young, Tan (Oct 08)
- RE: Basic Questions about PKI Hussein Ghazy (Oct 09)
- RE: Basic Questions about PKI Kenneth Buchanan (Oct 08)