Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Encryption question

From: Aaron Keck <akeck () optimumdata com>
Date: Wed, 25 Feb 2004 16:14:05 -0600
Fingerprinting.

The idea behind it is that Alice will give Bob her public key in one method.  
She will then look at the fingerprint of the key, and somehow transfer that to 
him securely.  When he get's her public key, he doublechecks the key's 
fingerprint, and see if it matches the one Alice "securely" gave him.

It's far from foolproof, but if properly used, fingerprint can be quite 
effective in preventing "man-in-the-middle" spoofing such as that.


Quoting "Preston, Tony" <Tony.Preston () acs-inc com>:




Tony Preston
Systems Engineer, AS&T Inc.
Division of L3 Corporation
(609) 485-0205 x 181

I have what is a rather basic question...  I probably am missing something
so I thought I would ask here.

Alice and Bob both have a public and private key.

Alice encrypts her email to Bob using his public key.  Sends the email and
Bob decrypts it using his keys..

Since both Bob and Alice's public keys are known, Why can't I take Alice's
public key and create a key pair using any other private key.  Now, I fake
an electronic signature from Alice using the pair I created and send a
bogus
encrypted message to Bob with my "fake" Alice signature.  Bob checks the
signature by using the public key and it is valid.   Bob assumes the
message
is from Alice...

What prevents me from spoofing someone's electronic signature this way?



---------------------------------------------------------------------------
----------------------------------------------------------------------------





Aaron Keck


---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: