[RC5] How are keys kept secret?

Lee Dilkie Lee at Dilkie.com
Fri Apr 30 17:52:50 EDT 1999


Giorgio,

It does all work correctly, let me assure you. Here are the basics of browser
security (SSL, it's called).

First, there are actually two different encryption schemes in use. One is
called symmetric encryption and is what you described: the same key (128
bits or whatever) is used for both encrypting and decrypting. This key is
randomly generated for each session so it's not possible to know in advance
what it will be. The problem with this scheme is how to tell both sides of
the session (the client and the server) what the key is without letting
someone who might be listening also get the key. That problem is solved with
the second encryption scheme... RSA, or public key, or asymmetric
encryption. In this scheme, there exists a pair of keys, one used for
encrypting (the public key), and one used for decrypting (the private key).
I don't want to get into all the details, you can find better descriptions
at our web site, http://www.entrust.com, but what happens is that the server
sends his public key to the client. The client generates a random symmetric
key to encrypt the session with and encrypts this key with the public key
given to him by the server. He sends the encrypted session key to the
server. The server decrypts the session key using his private key and from
then on, both the client and server encrypt/decrypt data using that session
key.

These are the basics of what happens; I didn't go into how the client trusts
the server. That is actually the important part and you should go read up on
certificates to understand how that is done.

---
Lee Dilkie, Entrust Technologies  http://www.entrust.com/
mailto:Lee.Dilkie at entrust.com     Telephone: 613-831-3246
                      __|__
               -- at --@--(_)-- at --@--
If at first you don't succeed... skydiving is not for you.
                      __|__
               -- at --@--(_)-- at --@--



-----Original Message-----
From: Giorgio Elsner [mailto:etjazz at infol.it]
Sent: Friday, April 30, 1999 7:39 AM
To: rc5 at lists.distributed.net
Subject: [RC5] How are keys kept secret?


Hi all
Having followed for some time the discussions going on in this list, a
question came up in my mind which clearly shows that I am completely
dumb in the crypto business (which may come from the fact that I have no
secrets). I need encryption when I work with my bank via internet
(and probably this is right so - I wouldn't want somebody else to clear
my bank account). The bank asks for 128-bit encryption, which gives me a
lot of trouble since living in Italy and working with a Swiss bank (I'm
Swiss BTW), I'm officially not entitled to get e.g. the Netscape
Communicator with strong encryption, and SecureNet does not work
properly on a Mac. Fortunately there exists replay.com which, however,
did not upgrade Netscape for the Mac to version 4.5.1 and there is a bug
in 4.5. OK, that's life. 
Now, I do not understand something. How is that encryption done in
practice? For communicating encrypted between two points, I assume that
both points have to know somehow the key used in this communication. I
personally do not know the key, of course, but the software on my Mac
must or it wouldn't understand the received message and couldn't encrypt
the messages it sends. Now, if I were a professional hacker, I would
find a way - by unassembling the code and with real fancy reasoning - to
detect this key, even if it would have a multiple of 128 bits. Following
this reasoning, there must be only one key used in the whole world or
encryption and decryption wouldn't work between arbitrary sites. Knowing
this key one would have access to all encryption of any interest going
on over the net. Thus, encryption seems to be quite useless!
There must be a flaw in my arguments, I cannot believe that so much
fuss is made about crypto if it does not actually work in practice. Is
there a link somewhere on the net which makes all the work and is
securely protected? But then this would mean that the messages are sent
unencrypted over a big part of the net. Or is a new key used in every
transaction? But then this key has to be transmitted somehow and can be
read by a good hacker.
Can anybody enlighten my darkness? If I were correct in all this
(which I doubt), d.net's efforts to find a 64bit key would seem to me
even more ridiculous as it already does (sorry, but I really wait for
something more useful to be done - the basic idea of distributed net is
too great to be spoiled by such a vanity), not to say anything about
the exportation blockade by the US government.

Juerg (Giorgio) Elsner, Piombino, Italy.

--
To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest
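
The key exchange described in Lee Dilkie's reply above, as an added example that is not part of the original thread: the client picks a fresh random session key, wraps it with the server's public key, and both sides then use that session key symmetrically. Everything here is an assumption made for illustration: the toy RSA key built from two publicly known Mersenne primes with no padding, the SHA-256 keystream standing in for a real symmetric cipher, and all function names. It is not how SSL itself is implemented.

```python
import hashlib
import secrets

# Toy RSA key pair for the server (assumption: two well-known Mersenne primes,
# textbook RSA with no padding; far too weak and too simple for real use).
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key: sent to the client in the clear
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: never leaves the server


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts, as with any symmetric scheme."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_start_session(server_n: int, server_e: int):
    """Client: pick a fresh random 128-bit session key, wrap it with the public key."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), server_e, server_n)
    return session_key, wrapped


def server_unwrap(wrapped: int) -> bytes:
    """Server: recover the session key with the private exponent."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def run_session(message: bytes):
    """One full exchange; returns what a listener sees plus the server's view."""
    client_key, wrapped = client_start_session(N, E)
    ciphertext = keystream_xor(client_key, message)
    server_key = server_unwrap(wrapped)
    plaintext = keystream_xor(server_key, ciphertext)
    on_the_wire = {"n": N, "e": E, "wrapped_key": wrapped, "ciphertext": ciphertext}
    return on_the_wire, server_key == client_key, plaintext


if __name__ == "__main__":
    sample = b"transfer 100 CHF to account X"    # constructed sample message
    wire1, agreed, recovered = run_session(sample)
    wire2, _, _ = run_session(sample)
    print(agreed, recovered)
    print(wire1["wrapped_key"] != wire2["wrapped_key"])   # new key every session
```

The dictionary returned as `on_the_wire` is everything a listener gets: the public key, the wrapped session key and the ciphertext. The session key itself exists only in the memory of the two endpoints and changes with every session.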
