Full Disclosure mailing list archives
Re: stealing ssh keys
From: "Raj Mathur (राज माथुर)" <raju () linux-delhi org>
Date: Thu, 25 Oct 2012 10:23:12 +0530
On Thursday 25 Oct 2012, Thor (Hammer of God) wrote:
I think you're overreacting just a bit. You can give out your private key to whomever/whatever you want to be able to decrypt data encrypted with the public key. It all depends on the use-case, and what you want done. Just because it's a private key doesn't mean it's automatically some critical security component. Many times it is, but it doesn't have to be.
That statement is deeply flawed. A private key is meant to be exactly that: private. If a process or entity is handing out its private key to another process/entity for any reason whatsoever, then there is something seriously wrong in the way the interaction has been designed.

The basis of public-key cryptography is that you (generic you) have two keys: public and private. These two keys are orthogonal to each other, so:

A. Data encrypted with your private key can only be decrypted by using your public key, and

B. Data encrypted with your public key can only be decrypted using your private key.

With this, we can implement the two basic requirements of crypto. In very general terms, these are:

1. Data privacy. When someone needs to send data privately to you, they encrypt it with your public key. Then only the person who has the corresponding private key (you) can decrypt the data. Anyone else intercepting the message will only have junk.

2. Identity. When you need to establish the ownership of data originating from you, you encrypt the message with your private key. Since only your public key can decrypt that message, any recipient can check (by decrypting with your public key) that your private key has been used to encrypt. This establishes you as the originator of the data.

As you can see, in both cases the recipient of the data only needs your public key, while only you need your private key. There is no reasonable circumstance under which you would need to share your private key with someone else.

Regards,

-- Raj
--
Raj Mathur || raju () kandalaya org || GPG:
http://otheronepercent.blogspot.com || http://kandalaya.org || CC68
It is the mind that moves || http://schizoid.in || D17F
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
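The two uses described in the message above (privacy and identity), as an added example that is not part of the original post: textbook RSA in Python with no padding and a constructed toy key, so it shows which side holds which key and is not a usable cryptosystem. The function names, the key and the sample message are assumptions made for this illustration.

```python
import hashlib

# Constructed toy key pair built from two Mersenne primes so the demo needs no
# key generation and no third-party library. Trivially factorable: demo only.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
PUBLIC = (N, E)                                  # handed to every correspondent
PRIVATE = (N, pow(E, -1, (P - 1) * (Q - 1)))     # stays with the owner


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def encrypt(public, plaintext: bytes) -> int:
    """Point 1 (privacy): the sender uses only the recipient's public key."""
    n, e = public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Only the holder of the private exponent recovers the plaintext."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    """Point 2 (identity): the owner applies the private key to a SHA-256 digest."""
    n, d = private
    return pow(_digest(message), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Any recipient checks the signature with the public key alone."""
    n, e = public
    return pow(signature, e, n) == _digest(message)


if __name__ == "__main__":
    note = b"meet at noon"                       # constructed sample message
    ct = encrypt(PUBLIC, note)
    print(decrypt(PRIVATE, ct))                  # the key owner reads it
    print(decrypt(PUBLIC, ct) == note)           # the public key alone does not
    sig = sign(PRIVATE, note)
    print(verify(PUBLIC, note, sig), verify(PUBLIC, b"meet at one", sig))
```

Real deployments sign a padded digest (for example RSA-PSS) and encrypt with a padded scheme (for example RSA-OAEP) through a vetted library; the key roles are the same as shown here.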