Bob has Alice's public key also, and Alice signed the message with her private key. Bob uses Alice's public key to verify the signature.
Bob has Alice's public key also, and Alice signed the message with her private key. Bob uses Alice's public key to verify the signature. Go in reverse for Alice to ensure the message was from Bob.
All you have to do now is make sure that Bob has Alice's real public key and not one injected by a man in the middle.
The scenario you describe does indeed not provide authenticity. So both Alice and Bob cannot be certain that they are talking to each other. The scenario does only provide confidentiality and as such also not secrecy.
Bob would have to manually confirm with Alice that the public key he thinks is Alice's public key is indeed hers (by calling her and reading it out load and confirming by her voice that it is Alice). This problem is normally solved with a trusted third party (a Certificate Authority for example, like VeriSign) that issues certificates stating the e.g. Alice is indeed the owner of this particular public key. This is the way it is solved in modern browsers and this is the way all SSL sessions (with your bank of choice) work.
A certificate authority signs the certificate from your bank (stating that your bank is indeed the owner of the public key the certificate contains) and your browser has an already built-in certificate from the certificate authority (building a chain of certificates that can be verified). The scenario you describe is vulnerable to a so called MITM (Man-in-the-middle) attack and not solvable purely with public-key-encryption.
What you are talking about very very very loosely looks like another implementation of an Asymmetric Encryption Algorithm found in the . Net framework. .
Net employs two branches for Asymmetric Encryption! RSA ** Grand Mac daddy used for all asymmetric enc' purposes. DSA ** more related to using and creating digital signature to verify an author.
Both are Abstract Both are very similar to one another as to how they work and how a developer implements them but underneath I have read that two very different algorithms exist. You are talking option 2. .
Net provides a class called DSACryptoServiceProvider which allows you tag your data with a value that is commonly referred to as signature. According to a MS official course textbook heres roughly how it works. Data >>> Hash Alg >>> Hash Value >>>>>>>>> Asymm' Alg >>>> Signature Sender's PVT.
KEY >>> Below shows how Bob can check to see if Alice is indeed the sender. Data >>> Hash Alg >>> Hash Value || Decrypted Signature ==? As you can see Bob has to compare the generated Hash and Decrypted Signature in order to verify that Alice is the sender.
The DSACrypto' class has 4 methods that can be used here but only two are effective contextually speaking.At this point in time, this is all Bob can do, if his public key is not alice's public key, then essentially the software application should stop Bob dead in his tracks from proceeding any further as bob is trying to use a bogus public key when trying to communicate with Alice. This is the imposed relationship and stressed importance of the public key. The signature allows you verify the public keys owner.
Here why? :: If Bob has Alice's public key then he can use the same algorithm again to decrypt the encrypted data using the . VerifyHash or VerifyData methods.
Should be straight forward what they do given this context. This is all done ofc using the Alice's Public Key. Only Alice can use the SignHash and SignData methods as they require Alice's Private Key.As you can see above, a certain level of functionality is encapsulated already inside the DSA and RSA CryptoServiceProvider classes.
It boils down to how well you implement them to verify Alice's as the sender everytime as the DSA algorithm allows you to certify a sender by matching the generated output. A certain signature and hash should match, if they do then in essence DSA has granted you a certain level of confidentiality between Bob and Alice.
I hope this makes sense as it coming from a student who is trying to pass the 70-536 exam. As the above is the second of two answers I have posted here on stack overflow relating to Cryptography. – IbrarMumtaz Apr 20 '10 at 1:16.
Because you make the assumption that a private key is really "private" --i.e. , alice and bob don't leave their usb keys plugged into their machine when they leave work.
– Inuyasha Mar 2 '10 at 17:11 "You" didn't, I meant the proverbial "you"; and yes you don't use this sort of encryption unless there is a trust channel between Alice and Bob which a certification authority is an indirect instance of. Peh, I can't remove my upvote to your question. – Hassan Syed Mar 2 '10 at 17:20 I have no idea what you're getting at.
The question was about verifying the source of the message. Reread the last sentence in the question and notice that your answer didn't address it. This had nothing to do with keeping the keys secure.
Your reply to my comment didn't address the question either. Why did you answer? – Inuyasha Mar 2 '10 at 22:44 To verify the source of the message from a sink you need a third party.
You only get to a "omg this won't really work" stage if you make an assumption that the key is sent in plaintext. It obviously won't work if it sent in plaintext, A third-party secured mechanism takes care of this aspect -- the most well known mechanism is a certificate authority; however, it is not the only way to do it. The part where you talk about "public hashes" is a certificate authority -- however you don't need a certificate authority.
Bob and alice can meet in person and exchange keys. – Hassan Syed Mar 2 '10 at 23:07 If you don't understand the gist of a reply you don't need to attack the person trying to answer your question. You could simply ask the person what,specifically, you don't understand.
– Hassan Syed Mar 2 '10 at 23:13.
I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.