Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!decwrl!ucbvax!bloom-beacon!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.org.eff.talk
Subject: Re: Digital Signatures and Public Key Cryptography
Message-ID: <1990Aug29.150343.18120@athena.mit.edu>
Date: 29 Aug 90 15:03:43 GMT
References: <2960@mindlink.UUCP>
Sender: daemon@athena.mit.edu (Mr Background)
Reply-To: jik@athena.mit.edu (Jonathan I. Kamens)
Organization: Massachusetts Institute of Technology
Lines: 93

In article <2960@mindlink.UUCP>, a577@mindlink.UUCP (Curt Sampson) writes:
|> Actually, a good public key/private key cryptography system would help this
|> immensely. I've been looking into this myself, because I can see a strong need
|> (in the future) for a decent encryption system that would allow anybody to send
|> mail to a person, even over a routed network (such as usenet) but allow only
|> that person to read it.

Have you read the RFCs discussing privacy-enhanced mail? RSA already sells the
software for an implementation of it, and we're running it here at MIT. They
plan to eventually start licensing internet-wide RSA keys, so that sites can
exchange PEM with each other.

In other words, the encryption system already exists, and is quite workable.
Don't knock yourself out writing another one, unless you think it'll be
significantly better than RSA public-key encryption, and you're planning on
letting the world use it for free (unlike RSA) :-).

|> Two things are required for our public key/private key encryption system.
|> First, the public key must be easy to derive from the private key, but the
|> private key must be *very* difficult (i.e., virtually impossible) to derive
|> from the public key.

I fail to see why the public key must be easy to derive from the private key,
since the public key is just that, public (and you therefore don't need to
derive it). In RSA public-key encryption, the private key is a prime number,
and the public key is the product of that prime and another prime (somebody
correct me if I'm wrong here -- I'm not 100% certain about this), so you can't
derive the public key from the private one.

It is obvious, however, that you are correct when you say that it must be
impossible to derive the private key from the public one. Otherwise the system
is useless.

|> Second, the encryption/decryption process must be
|> reversible. That is, you must be able to decode with the private key anything
|> encoded with the public key, and decode with the public key anything encoded
|> with the private key.

Obviously. RSA public-key encryption does this.

|> Everyone would create a private key and generate their public key from it. We
|> could then have directories available (regional and national) of public keys.
|> If I wanted to send a message to Joe Smith in Cleveland Ohio, I could just call
|> up my local information service, get his public key, and send it off. I would,
|> of course, include my public key in the message I sent to him. If I wanted him
|> to know that the message was from me, and not from an impostor, I would encrypt
|> my message with my private key before encrypting it with his public key. He
|> would decrypt the message with his private key, which would expose an
|> unencrypted header with my name in it and the encrypted message. He would then
|> get my public key from the directory and use that to decrypt the message.

Eventually, there will be directories of this sort available; however, there
are ways to work things in the absence of directories. Let's say that RSA has
an internet-wide key that they use to sign the institution keys of all
institutions under their control. They give institution keys to MIT and
Stanford, who then give personal keys to me at MIT, and my brother at Stanford.
If I send PEM to my brother at Stanford, my message will contain the following
in the header....

    the institution key for MIT, signed in the internet-wide RSA key.
    My personal key, signed with the MIT institution key.

I've simplified this because I don't want to go into a lengthy discourse and
because I'm not sure I understand it well enough myself to go into a lengthy
discourse.

The "signing" process is performed by the signing institution using their
private key, and is verified using the public key of that institution.
Therefore, if RSA signs a key for MIT, and you can verify that key with RSA's
public key, then it MUST be MIT's key, and you can then use that key to verify
my personal signature.

In summary, you don't *need* the directories; they make things easier, but not
mandatory, since you can safely include keys in the headers of your messages.

|> Releasing your own public key to enable you to claim that someone else had
|> forged a letter to you would be very risky business. It would enable anyone
|> who had your key to also forge anything else in your name (such as money
|> transfers) and read anything sent to you. I don't see people doing it unless
|> they are *very* desperate to get out of a contract. Releasing your private key
|> would be basically opening yourself up to the world.

You're confused. Public keys are PUBLIC. They are INTENTIONALLY released to the
world. Releasing your public key would not enable you to claim that someone
else had forged a letter to you. Releasing a public key is what you're SUPPOSED
to do to get public-key encryption to work.

As for releasing the private key, that was the original poster's whole point --
once the private key is public, the owner of the key can claim that he never
signed the contract. Then, all he has to do is register a new key and start
using that rather than the old one.

Jonathan Kamens			      USnail:
MIT Project Athena			11 Ashford Terrace
jik@Athena.MIT.EDU			Allston, MA  02134
Office: 617-253-8495			Home: 617-782-0710
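The key-certification chain described in the post (an internet-wide key signs an institution key, the institution key signs a personal key, and the recipient needs only the root public key to verify the keys carried in the message headers) plus the sign-then-encrypt flow from the quoted proposal, as an added example that is not part of the original post or of the PEM software it mentions. It uses textbook RSA over SHA-256 with small, deterministically generated 512-bit keys and no padding, purely so the mechanics are visible; the party names ("rsa-root", "mit", "jik@mit") and the certificate layout are constructed for this demo.

```python
import hashlib
import random

# Fixed seed so the example is deterministic; constructed for this demo only.
_rng = random.Random(1990)
E = 65537  # the usual public exponent


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (toy key generation, not a hardened one)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) as (n, e) and (n, d); both come from the primes."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:  # E is prime, so this is gcd(E, phi) == 1
            break
    return (p * q, E), (p * q, pow(E, -1, phi))


def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # < 2**256 < n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_h(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _h(data)


def _cert_body(subject, issuer, public):
    return f"{subject}|{issuer}|{public[0]}|{public[1]}".encode()


def issue_certificate(issuer_name, issuer_private, subject, subject_public):
    """The issuer vouches for (subject, key): the 'signed key' the post describes."""
    body = _cert_body(subject, issuer_name, subject_public)
    return {"subject": subject, "issuer": issuer_name,
            "public": subject_public, "sig": sign(issuer_private, body)}


def verify_chain(trusted_name, trusted_public, chain):
    """Walk certificates from the root's child down to the leaf; every link must
    be signed by the key established one step earlier. Returns the leaf public
    key, or None if any link fails (bad signature or wrong issuer name)."""
    name, public = trusted_name, trusted_public
    for cert in chain:
        body = _cert_body(cert["subject"], cert["issuer"], cert["public"])
        if cert["issuer"] != name or not verify(public, body, cert["sig"]):
            return None
        name, public = cert["subject"], cert["public"]
    return public


def encrypt(public, msg: bytes) -> int:
    """Single-block textbook RSA; msg must start with a nonzero byte and fit below n."""
    n, e = public
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for one textbook-RSA block")
    return pow(m, e, n)


def decrypt(private, c: int) -> bytes:
    n, d = private
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    root_pub, root_priv = generate_keypair()      # internet-wide signing key
    mit_pub, mit_priv = generate_keypair()        # institution key
    jik_pub, jik_priv = generate_keypair()        # sender's personal key
    stan_pub, stan_priv = generate_keypair()      # recipient's key at Stanford
    mit_cert = issue_certificate("rsa-root", root_priv, "mit", mit_pub)
    jik_cert = issue_certificate("mit", mit_priv, "jik@mit", jik_pub)
    # The recipient trusts only the root key yet recovers the sender's key
    # from the two certificates carried in the message header.
    sender_key = verify_chain("rsa-root", root_pub, [mit_cert, jik_cert])
    msg = b"Sign the contract, brother."
    sig = sign(jik_priv, msg)                     # sender's private key
    ct = encrypt(stan_pub, msg)                   # only Stanford's private key reads it
    pt = decrypt(stan_priv, ct)
    swapped = dict(jik_cert, public=stan_pub)     # a substituted key breaks the chain
    return {"chain_ok": sender_key == jik_pub,
            "message_ok": pt == msg and verify(sender_key, pt, sig),
            "swapped_key_rejected":
                verify_chain("rsa-root", root_pub, [mit_cert, swapped]) is None}
```

`verify_chain` checks both the signature and that each certificate's issuer name matches the key established by the previous link, which is what makes "RSA signed MIT's key, MIT signed my key" usable without any directory lookup.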