Tech Off Thread

6 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Digitial Signitures and Public/Private key pairs in Server/Client Communications

Back to Forum: Tech Off
  • User profile image
    Shark_M

    Hi guys,
        I am trying to implement secure communication between clients and servers. I am studying what is the best way to ensure that data is not altered in transit and its source is authentic. Using .NET framework, i found the classes that allow for Digital signitures, and other crypto classes that allow me to make sure that the message is not altered while in transit, by using Hashing.

    Given message, and the hash of the message that was sent from the remote end, a new message hash digest is made and then a byte by byte comparison between the hash sent and the new hash digest of the decrypted message. If both match then the data is not tampered while in transit.

    I dont understand one thing here. what does the client have to send for this to work? It sends the Hash digest of the message, and the digital key?? or what?

    So client send  x,y,z,          server gets it and does a verification

    but how does the server get the actual message that was encrypted as hash  to do the verification check? again i dont understand what the client has to send in order for this to work?


    about digital signitures, how does it really work? what does the client do and what does it send? and what does the server do after that?

    I am new to this, and want to understand  how it works in the simplist terms possible.

    Thanks

  • User profile image
    amotif

    Have you considered using HTTPS?


  • User profile image
    rheaney

    If you want to know more about public/private keys and digital signatures, I suggest you pick up "Invitation to Cryptology" from Amazon (or somewhere else). I takes you through it all, and although its a bit pricey, it does quite a good job of explaining the process in detail.

  • User profile image
    Shark_M


    rheaney wrote:
    If you want to know more about public/private keys and digital signatures, I suggest you pick up "Invitation to Cryptology" from Amazon (or somewhere else). I takes you through it all, and although its a bit pricey, it does quite a good job of explaining the process in detail.


    thanks , i will look into that

    but in the mean time, can you give me a general idea, as to how private/public keys work? why is the public key public, while the private key private? how is the public key used, and by what side, and what about the client? Is it wise to have public keys?

    what is better than public/private keys? i mean Master Secrete key was old, and public/private keys came after it to replace it, i am woundering if public/private keys are replaced by something newer?

    thanks again

  • User profile image
    spod

    Shark_M wrote:

    rheaney wrote: If you want to know more about public/private keys and digital signatures, I suggest you pick up "Invitation to Cryptology" from Amazon (or somewhere else). I takes you through it all, and although its a bit pricey, it does quite a good job of explaining the process in detail.


    thanks , i will look into that

    but in the mean time, can you give me a general idea, as to how private/public keys work? why is the public key public, while the private key private? how is the public key used, and by what side, and what about the client? Is it wise to have public keys?

    what is better than public/private keys? i mean Master Secrete key was old, and public/private keys came after it to replace it, i am woundering if public/private keys are replaced by something newer?

    thanks again


    I'll have a go at explaining this. Not sure how well i'll do Smiley

    Up until the 1970s all encryption was done using symettric key techniques, which is basically where the two people wanting to send secret messages have a shared secret key that only they know., and encrypt and decrypt using the same key ( hence symmettric ).

    The obvious problem here is that the secret key needs to be transferred between the people wanting to exchange messages, and this has to be done out of band from the normal message transfer. It's this key exchange problem that public key cryptography solves, and which was why it was such a significant breakthrough when it was discovered in the late 70s.

    The basic assumption behind public key crypto is that there exist mathematic functions that are one-way; things that are easy to do in one direction, but extremely difficult to do in the other. The canonical example is factoring large numbers ( which forms the basis of the RSA cryptosystem )

    So given a number 1457 say, it is hard for me to tell you what all the factors are. But if i give you the numbers 31 and 47, it is easy for you to multiply those numbers together to get 1457. Obviously this wouldnt fool a computer for long as it could simply try all possible factors, but make the numbers big enough ...

    Once you accept the assumption that factoring is hard, and multiplying is easy you can build a simple crypto system around it. Continuing the toy number example...

    Call 1457 your public key and publish it to the world
    keep 31 secret ( this is your private key ).
    destroy 47

    Now even though everyone can read your public key, they can't derive your private key because factoring 1457 is too hard.
     
    Now with a bit more mathematic trickery you can arrange it so that messages encrypted with the public key can only be decrypted by the private key, and messages encrypted with the private key can only be decryted with the public key. This forms the basis of how all public key crypto systems work ( with different choices of one-way function ).

    So, to encrypt data for someone so that only they can read it i encrypt with their public key ( which i and everyone else knows ), and this guarantees confidentiality since i know only they know their private key and can decrypt it.

    Similarly to sign something, i encrypt it with my private key. Everyone can decrypt this, but because only i know my private key only i could have done the initial encryption. This is what makes digital signatures work  - if you can successfully decrypt a message sent from me, you know no-one has tampered with it on the way. Also i can't easily say that i didn't sign it ( since only i can... ) so you get both integrity and a degree of non-repudiation ( provided you can prove the public key is mine )

    Asymettric crypt doesn't replace symettric crypto, it complements it and helps you solve a wider set of problems. One issue is that assymettric crypto is about 1000x slower than symettric crypto, so you can't use it for bulk operations. A typical use is to establish a shared secret so that we can use symettric crypto to pass a series of messages. A very simple ( and easily attacked ) protocol to do this could be:

    I choose a secret key, and encrypt it in your public key. I now know that only you can decrypt it. I then sign the encrypted package using my private key and send it to you.

    You check the signature on the data, and confirm it comes from me. Then you decrypt the package to get the shared secret key. We can now use this key to bulk encrypt messages.

    It's a big subject though, so this is probably all miles off what you were really after knowing Smiley


  • User profile image
    Shark_M

    thanks, it really helps,


Conversation locked

This conversation has been locked by the site admins. No new comments can be made.