Security Basics mailing list archives

RE: Encryption question


From: Gene LeDuc <Gene.LeDuc () tns-md com>
Date: Wed, 25 Feb 2004 12:45:12 -0500

Alice encrypts the message to Bob using Bob's public key and then signs it
using her private key.  Bob verifies that the message is from Alice by using
her public key to check the signature and then decrypts the message with his
private key.  The encryption only hides the contents; it does not
authenticate the message.  The signing authenticates the message but does
not hide the contents.  You need both if you want to have a secure
conversation.

-----Original Message-----
From: Preston, Tony [mailto:Tony.Preston () acs-inc com]
Sent: Tuesday, February 24, 2004 11:01 AM
To: security-basics () securityfocus com
Subject: Encryption question
Tony Preston
Systems Engineer, AS&T Inc.
Division of L3 Corporation
(609) 485-0205 x 181

I have what is a rather basic question...  I probably am missing something
so I thought I would ask here.

Alice and Bob both have a public and private key.

Alice encrypts her email to Bob using his public key.  She sends the email and
Bob decrypts it using his keys.

Since both Bob's and Alice's public keys are known, why can't I take Alice's
public key and create a key pair using any other private key?  Now, I fake
an electronic signature from Alice using the pair I created and send a bogus
encrypted message to Bob with my "fake" Alice signature.  Bob checks the
signature by using the public key and it is valid.  Bob assumes the message
is from Alice...

What prevents me from spoofing someone's electronic signature this way?
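Both posts above, as an added example that is not part of the thread: a textbook RSA toy (constructed small primes, no padding or hashing) showing Gene's encrypt-to-Bob, sign-as-Alice recipe working, and Tony's "any other private key" forgery failing, because the private exponent is fixed by Alice's public key and cannot be chosen freely. All function names, key values and the message are assumptions of this example.

```python
from math import gcd

def make_keypair(p, q, e=65537):
    """Toy RSA key pair: public (n, e), private (n, d).
    d is the inverse of e modulo phi(n), so it is fixed once p and q are
    chosen; without p and q you would have to factor n to find it."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))   # modular inverse, Python 3.8+

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def sign(priv, m):
    n, d = priv
    return pow(m, d, n)

def verify(pub, m, sig):
    n, e = pub
    return pow(sig, e, n) == m

# Constructed demo keys (hand-picked primes; far too small for real use).
ALICE_PUB, ALICE_PRIV = make_keypair(999983, 1000003)
BOB_PUB, BOB_PRIV = make_keypair(104729, 2147483647)

def alice_sends(m):
    """Gene's recipe: encrypt to Bob's public key, sign with Alice's private key."""
    return encrypt(BOB_PUB, m), sign(ALICE_PRIV, m)

def bob_receives(ciphertext, sig):
    """Bob decrypts with his private key, then checks the signature against
    Alice's public key. Returns (message, signature_ok)."""
    m = decrypt(BOB_PRIV, ciphertext)
    return m, verify(ALICE_PUB, m, sig)

def mallory_forges(m, fake_d):
    """Tony's attempt: keep Alice's public (n, e) but 'pair' it with an arbitrary
    private exponent. Encryption still works (anyone can use Bob's public key),
    but the signature fails: only the true d satisfies e*d = 1 (mod phi(n))."""
    n, _ = ALICE_PUB
    return bob_receives(encrypt(BOB_PUB, m), pow(m, fake_d, n))

if __name__ == "__main__":
    print(bob_receives(*alice_sends(424242)))        # (424242, True)
    print(mallory_forges(424242, fake_d=123456789))  # (424242, False)
```

The second call shows the point of Gene's reply from the other side: the bogus message still decrypts fine for Bob, so encryption alone tells him nothing about who sent it; only the signature check catches it.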
