How does digital certification work?
I want to know more about digital encryption and so on... I have downloaded GnuPG and created 2 encryption keys with 4048 bits using RSA. I run gpg -e <file> and give the desired key, but how does this public-key thing work, and sending and receiving encrypted messages?
I have downloaded an extension for Thunderbird that encrypts my messages using gpg, but I don't know how this could help me... does the other side have to have gpg too and know my password? So what's the meaning of the public key? Please give me a direct answer; I have read most things on the gpg site and still have this doubt... for example, on some sites there is a gpg key at the bottom that gives an ASCII file with some encryption in it... so what is the meaning of this on the sites? E.g. this is taken from the 2600 website (http://www.2600.com/magazine/): Code:
-----BEGIN PGP PUBLIC KEY BLOCK----- |
Well, there's a lot of material on public-key encryption out there already, even on GnuPG's own site. But the basic principle is that there are always two keys, one private and one public. A message that is encrypted with one can only be decrypted with the other and vice-versa. (This so-called asymmetric encryption is distinct from conventional, symmetric encryption in which a single key is used for both purposes.)
So, with the public-key you sent, I could send you a message that only you could decrypt. Even I couldn't decrypt it. I could print a copy of the message on the front page of the New York Times and be confident that only you (and, well, maybe the CIA...) could read it.
If I received a message that I was then able to decrypt using your public key, I'd have very good reason to believe that only you could have sent it, and that no one could have tampered with it in the meantime. That is, as long as I'm certain that only you possess a copy of your private key. Why? Because only a holder of your private key could have created a message that I could successfully decrypt using your public key. Given that I did decrypt it, either you or someone who stole your private key must have written it.
Your public key is safely-public because I can't determine what your private-key is. I can't determine your private-key from your public one.
A "digital certificate" is like a digital identity-badge. It's built using public key techniques. It serves both as evidence of your identity, for traffic that comes from you, and as the source of a public-key that can be used to talk to "you and only you." I can't forge a copy of your certificate.
"Digital signatures" and "certifying authorities" (which can be "you...") are a way to prevent me from creating a certificate that has your name-and-address on it and passing it off to some unsuspecting stranger as "coming from you." It prevents me from impersonating you, and positioning myself as a "man in the middle," by adding an un-forgeable "seal of approval" to a bona fide certificate. I can use your name but I can't add your seal of approval, and I can't use my certificate or pass it off as yours if the server that I'm sending it to requires that your seal-of-approval be present.
That's the Reader's Digest version but, "hope this helps!" |
Now I see ...
So now let's talk with an example: I have created these two keys with gpg. So for me to send you a secure email, you first have to give me a public key, and then I will encrypt my message using your public key and you will decrypt it with your private key that only you have? So for me to send you a secure message, first you have to give me your public key? And what happens when your public key expires: will I never be able to decrypt my file any more? And a last question: so this isn't the best way to encrypt files on my disk, because I won't need a public key, since the intention is to protect the files from everyone else except myself? Now this comes with another question: when I encrypt a file using GPG it gives me two options, ASCII container or binary method. In ASCII I can cat the file and it returns a signature like the one above; is this my public key? :D Thanks for your patience... |
sundialsvcs gave a very good description, but I think was on a different wavelength. I know a little about RSA encryption and digital certification is an extension of this. If you're really interested, I suggest rummaging around university websites for course notes on "Computer Security and Cryptography" - I did a whole module on it fairly recently (I've graduated now \o/ ) and it was quite well explained. I suspect I can fish out some of my lecture notes if you wanted to have a read through, although it's skimmed through pretty fast.
Because it's so fundamental, I want to make clear now that both keys (public and private) are one-way. You cannot use the same key in a pair to decrypt a message that has been encrypted by that same key. This is why giving out a public key is so secure, it can't be used to decrypt a message encrypted with itself.
I don't want to go into detail about the maths behind it all (it gives me a headache), but for simplicity, I will be "combining" things like this: XY = Z. To reiterate: it is not a mathematical computation, it merely says: "do something to X based on Y to obtain an output of Z".
To show the trap-door nature of the public/private key pair:
Public key = Kpublic
Private key = Kprivate
Message = M
Encrypted message = Mencrypt
Two valid examples:
1. Kpublic M = Mencrypt ---> Kprivate Mencrypt = M
2. Kprivate M = Mencrypt ---> Kpublic Mencrypt = M
NOT VALID!:
Kpublic M = Mencrypt ---> Kpublic Mencrypt = M <--- you cannot do this if Kpublic was used to encrypt M!
So, with some specific examples, first of all let's get our people sorted out:
User A (maginotjr) has 2 keys: Apublic and Aprivate (public and private keys, respectively)
User B (sundialsvcs) has 2 keys: Bpublic and Bprivate (public and private keys, respectively)
maginotjr (user A) wants to send a secret message to sundialsvcs (user B). Let us assume they do not know each other; so the first step is to exchange public keys. Public keys are so-called because they can be left in the public domain without fear of people cracking your messages.
Now that user A has given user B his public key (and vice versa, for simplicity), maginotjr (user A) can send sundialsvcs (user B) an encrypted message. So User A takes our message M, and encrypts it using B's public key:
Bpublic M = Mencrypted
Mencrypted is then sent in plain text to user B. Since user B has the private key, he can decrypt Mencrypted like this:
Mencrypted Bprivate = M
Sundialsvcs reads the message and is overjoyed that maginotjr can make it to his party =D
But wait! It could be a trap! Sundialsvcs doesn't know who that message is from - only that it has maginotjr's name at the end of it. It could be from anybody, since sundialsvcs has published his public key (Bpublic) on his website, so people can contact him securely.
So how can you be sure who a message is from *and* have it sent securely? You sign the message using a digital signature!
So, User A writes a message M and takes a digest of it. A message digest is basically a sophisticated hash function. Now the digest (Mdigest) is encrypted using User A's PRIVATE key to generate a message signature:
Aprivate Mdigest-sent = Asignature
The signature can now be sent along with the original message to prove who it came from. How? Well, the receiver (User B) gets an email that has 2 parts: the message and the signature. He decodes the signature like this:
Apublic Asignature = Mdigest-sent
And also recreates the message digest himself:
Mdigest-check
He then compares the two digests. If they differ, the message has been tampered with and cannot be trusted. Sundialsvcs now knows that maginotjr must have sent that message, because only maginotjr's public key would be able to decrypt a message encrypted by maginotjr's private key.
What if you don't want people reading the message? Well, then you wrap the whole thing up in the sender's public key! So the steps are now as follows:
1. User A writes message M, creates message digest Mdigest-sent
2. User A "signs" the message by encrypting Mdigest-sent: Aprivate Mdigest-sent = Asignature
3. User A puts the message M next to the signature Asignature and encrypts the WHOLE lot with User B's public key: (M + Asignature) Bpublic = Mencrypted
4. User A sends Mencrypted to User B.
5. User B first decrypts the message: Mencrypted Bprivate = (M + Asignature)
6. User B then reads the signature with who he suspects sent the message (User A in this case): Asignature Apublic = Mdigest-sent
7. User B recreates the message digest from message M: Mdigest-check
8. User B checks the two digests for discrepancies: Mdigest-check = Mdigest-sent
9. If the two digests are identical, then the message hasn't been tampered with and is definitely from maginotjr (User A)!
10. maginotjr enjoys sundialsvcs's party =)
~~~~~~~~~~~~~~~~~~~
To answer maginotjr's questions directly:
Quote:
Quote:
Quote:
~~~~~~~~~~~~~~~~~~~
I hope that's clearly shown how public/private key encryption works, but I strongly advise reading up on it some more if you're looking for more detail! Many thanks to sundialsvcs for throwing a party for us all! ;)
- Piete.
~~~~~~~~~~~~~~~~~~~
Disclaimer: If I've got something wrong, please please please correct me - I've done most of this from memory and my exams were a while ago! |
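Added example (not part of Piete's post): the numbered steps 1 to 9 above, carried out in Python with textbook RSA so that each "K X = Y" combination is one function call. The key pairs are constructed from Mersenne primes and have no padding, so they are not secure; user C is a hypothetical impostor added for the check, and GnuPG itself pads its signatures and encrypts a random session key rather than the message directly.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Build (public, private) halves, each an (exponent, modulus) pair."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

def combine(key, value):
    """Piete's 'K X = Y': transform value with one half of a key pair."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this key's modulus")
    return pow(value, exponent, n)

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

# Constructed toy keys from Mersenne primes: NOT secure, illustration only.
A_pub, A_priv = make_key(2**521 - 1, 2**607 - 1)    # User A
B_pub, B_priv = make_key(2**607 - 1, 2**1279 - 1)   # User B
C_pub, C_priv = make_key(2**127 - 1, 2**521 - 1)    # hypothetical impostor
SIG_LEN = (A_pub[1].bit_length() + 7) // 8

def send(message, sender_priv, recipient_pub):
    signature = combine(sender_priv, digest(message))             # steps 1-2
    blob = b"\x01" + signature.to_bytes(SIG_LEN, "big") + message
    return combine(recipient_pub, int.from_bytes(blob, "big"))    # step 3

def receive(ciphertext, recipient_priv, claimed_sender_pub):
    value = combine(recipient_priv, ciphertext)                   # step 5
    blob = value.to_bytes((value.bit_length() + 7) // 8, "big")[1:]
    signature, message = blob[:SIG_LEN], blob[SIG_LEN:]
    sent = combine(claimed_sender_pub, int.from_bytes(signature, "big"))  # step 6
    return message, sent == digest(message)                       # steps 7-8

if __name__ == "__main__":
    note = b"I can make it to your party"
    print(receive(send(note, A_priv, B_pub), B_priv, A_pub))   # genuine
    print(receive(send(note, C_priv, B_pub), B_priv, A_pub))   # forged
```

The second call returns the same text with a failed check: anyone holding Bpublic can produce a readable message, but only the holder of Aprivate can produce a signature that Apublic turns back into the right digest.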
ummmm
Very good, very good, but at first look it can be something messy... but I'm really interested, not that I have such important email to send to my friends (I don't know anyone who can play this with me lol), but I want to understand and know how to make it work, since it is such an important thing and it is about privacy and stuff... The theory is very simple to understand, but my problem is when I go to my Thunderbird with the gpg extension and have a bunch of options and names and codes, and then I get a little lost... I may search for this myself, but trusting your experience, can you give me any (very) good link (or links) that can make my understanding and practice a lot easier and more functional? I have already read something in Computer Networks by Tanenbaum, but it's only the theory and how things work; now I want to see more about the real world and making things work... :D Thanks for your time to answer my question |
E.g., how can I pass my public key to you so you can use it?
so many questions in my head right now lol |
Quote:
|
Usually, people who wish to receive secure messages will post their public keys onto a "key server." They retain the corresponding private-keys and keep them secret. They should change the keys periodically, giving each public key that they release a "drop-dead date."
So let us be introduced once again to our friends, "Alice :) and Bob :p ." And of course to "Eve," :jawa: ... the eve-il eve-sdropper. Alice (of course...) wants to send a message to Bob. She obtains Bob's public key from a key server, encrypts the message with it and sends it. Only Bob can decrypt it, using the private key that only he knows. Eve intercepts a copy of the message, but she can't read it and she can't alter the ciphertext; doing so would render the message un-decipherable. Bob decrypts the message successfully, but ... did the message that seems to be so friendly, "Hi, Bob!" ... actually come from Alice? :confused: Bob can be sure that the message did come from Alice by checking the digital signature that she thoughtfully attached. :cool: This signature was prepared thusly:
E-mail programs can usually accept an encrypted message, automatically decrypt it, verify it, and confirm to you that the message is authentic ... all in one easy step. |
Okay, things are getting clearer and clearer ...
Now let's continue my series of questions lol. So, I take my ASCII public key and give it to you. OK. When you receive it, what will you do with it? And how do I put my public key on a server? How do you search for it? Thanks again! |
Note: if you do change your keys periodically, ALWAYS sign your new key with your old with "Ultimate" trust. This way, people know it's really your new key. :) And don't do it TOO often.
|
Quote:
random.sks.keyserver.penguin.de
pgp.dtype.org
keyserver.kjsl.com
ldap://certserver.pgp.com
minsky.surfnet.nl
pgp.mit.edu
random.sks.keyserver.penguin.de
pgp.dtype.org
keyserver.kjsl.com
Cheers, Leon. |
okay, everything is making sense now...
I created a key. Created a .asc file with my public key so I can give it to anyone I need to make secure contact with. I have successfully exported and imported keys; Enigmail is comprehensible now. Two more questions:
1. Why, when I exported my key, were 2 containers made in the .asc file, one with the public key and the other with the private key? Isn't the public key the only one needed?
2. I can encrypt a file with two options, ASCII-armored and binary. What's the difference? I suppose that ASCII-armored is for text messages that I can use the -d option to read directly from the console, and binary is for more security?
I want to make a test; can anyone send me an encrypted email so I can test it here? This is my public key: Code:
thanks! Regards! |
As far as I know, 'ASCII armored' files contain only characters that are guaranteed to be transmittable in the body of an e-mail. After being generated as usual, the binary data is expanded using a well known translation formula that uses only printable, non-HTML characters. A similar technique (MIME encoding) is used for many types of e-mail.
|
And what's the difference and the pros of each?
I want to thank those who sent me an email to help me with my understanding of how pgp and encryption work... if you need anything, just ask :D |
Just FYI: ASCII-armored is base64 encoding. (64 possible values: 26 uppercase letters, 26 lower case letters, 10 digits, and '+' and '/')
|