Prev: RSA question: Can public encryption/shared key (E+N) be used as identification ?
Next: On the general benefits of introducing dynamics into encryptionprocessing
From: Francois Grieu on 6 May 2010 11:55 On 06/05/2010 13:49, Skybuck Flying said: > I have a question about the RSA public key encryption algorithm which is the > following: > > I am wondering if it's possible to use the RSA public encryption/shared key > as a means of identification ? Yers and no. Yes, it is common practice to use an RSA key pair (composed of a *public* encryption / signature verification / shared key, and a *private* decryption / signature generation key) as a means of identification. No, the shared key is not a mean of identification: its knowledge is not enough to identify oneself as the legitimate holder of that key; the *private* key is needed for that. > So suppose two people are using the same name for example: > > iJustine > iJustine > > One of them is the real iJustine... the other one is the fake iJustine. > > How easy/hard would it be for the faker to try and fake a public key ? > > Example: > > Real iJustine's private decryption key (D): > "72939831478294294739164515853570942883997805827756672958318945914651882044984974267976913068042297636392546490845126913" > > Real iJustine's public encryption key (E): > "65537" > > Real iJustine's shared key (N): > "434174181252767774234389180350848398715772637753360526609873060556853225612779513183792437032901271239849283324448766573" > > Now the faker does not know the private key... but the faker does know the > public key (E) and shared key (N). > > Let's suppose for a moment that a "safe/secured protocol" is being used > which uses "signatures" to make sure that messages are valid... and that the > keys are working/valid... > > The mission for the faker is to find a private key (D) which will work with > the public (E) and shared key (N) in such a way that the public/shared key > is the same but the private key is different/working. This is as hard as factoring N: if you know a working D, it is not hard to factor N. > The mission for the faker is to not decrypt the message-stream ment for > iJustine but instead to fake himself pretending to be iJustine... Correct. > by simply using the same public/shared key. Incorrect. The public/shared key can NOT be used to produce the signatures needed to authenticate as the real iJustine. > So that the faker can give away the public/shared key and claim to be the > real iJustine. The faker can't do that. > The problem for the real iJustine is: > > iJustine says on her website: > > "I am the real one ! this is my public key: .... etc ...." > > the faker, fakes her and says the same thing: > > I am also the real iJustine: > > "I am the real one ! this is my public key: .... etc ...." > > Do you see the problem ? Yes; a third party can't know which website belongs to the real iJustine. However, assuming the public keys are the same on both websites, and that at least one website is from the real iJustine, a third party can know that a signed message was approved by the real iJustine. And this message could be: "my real website is http://the_website_of_iJustine.com hosted at that IP:...". > For the "public" it's impossible to tell which the real iJustine is just > based on screen information, since both public keys are the same ?!? > > The question is: > > How hard is it to fake public keys ? When things are done properly from a cryptographic standapoint (proper signature and encryption padding...), as hard as the easiest of [1] factoring N [2] otherwise recovering the private key from the legitimate holder [3] fooling the legitimate holder into signing a legitimate message [4] fooling the verifier into believing another public key is that of the legitimate holder [5] otherwise fooling the verifier into believing authentication suceeded It follows from [3] and [5] that it is not harder than compromizinf the PC used by either the legitimate key holder or the verifier. > And if it's easy... are there any solutions ? Be the judge.. Fran�ois Grieu |