RE: Basic Questions about PKI

[Kenneth Buchanan <K.Buchanan () Kastenchase com>]

That is correct in theory, but we pretend it's not because exploiting that
fact is highly inadvisable.

It is important that you have separate private keys for signing and
decryption.  The operations they perform are, from a theoretical standpoint,
identical, but we treat them as different operations for practical reasons.

At the heart of it is that fact that the policies regulating the usage of
the keys is different.  For instance, it is a good idea for an organization
to have a backup of decryption keys, but should never ever have a backup of
signing keys (this would destroy the non-repudiation aspect of any signature
being created).

Any decent PKI book should explain this.  In any PKI users should be issued
dual key pairs, one pair for signing and signature verification, and one
pair for encryption and decryption.


-----Original Message-----
From: Roger A. Grimes [mailto:rogerg () cox net]
Sent: Tuesday, October 07, 2003 6:43 PM
To: security-basics () securityfocus com
Subject: Basic Questions about PKI


Can someone that knows PKI cold confirm my knowledge of PKI?

Here's what I think I know about PKI (accurate or not I'm not sure):

a.  People ENCRYPT messages to me with my PUBLIC key and send the encrypted
message to me, and only I can open the encrypted message...because ONLY my
PRIVATE key can decrypt messages encrypted with my PUBLIC key.

b.  If I want to SIGN a message, I use my private key to sign the message
digest (ENCRYPTING the hash result).  The receiver who wants to rely on my
signed message uses my PUBLIC key to DECRYPT my encrypted message digest.

c.  Both private and public keys can decrypt, and both private and public
keys can encrypt.  It just depends on the situation of what we use when.

Is that logic correct?

Could we encrypt messages that we want to send to others with our private
key (but don't because if we did anyone with our public key could read) the
seemingly private message?

Roger


****************************************************************************
****
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
****************************************************************************
*****


---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------