0

I have been reading about public key encryption for the past day or two and got thinking about something, and am hoping someone here can offer some insight. Anyway, here it goes.

Public key encryption is based off of the person sending the info being able to get the other guy's public key to perform the encryption on his data before it's sent. What if the public key he is about to receive gets intercepted and changed to the hacker's public key that corresponds with the hacker's private key? Then when the guy gets the public key to do the encryption, he thinks it's his friend's, so when he sends out his encrypted info and it gets intercepted on this bugged line, the hacker can decrypt it perfectly, since it was encrypted with his public key and not the other person's. Is this possible, and if so, is it addressed somewhere in a particular network protocol?

Last Post by cam875
0

That is a problem, yes. That's why public keys are cryptographically signed (look this term up) by third parties. For example, the 'certificates' that websites using https have are signed by Verisign and other organizations that browsers know about.

Suppose you're friends with Ken and Ken's friends with John. Since you're Ken's friend, you and he have traded public keys, and since John's friends with Ken, he's traded public keys with Ken too. When John traded his keys with Ken, well, Ken took the opportunity to sign John's key, saying that, yes, this is in fact John. So then when John sends you his public key (along with Ken's signature), you can see that, hey, it truly is John, and you know so because Ken said so. And he said so in a cryptographically secure fashion. Now hopefully, Ken's signed your key, and that way John can trust that you are who you say you are. Sometimes (usually) that's not necessary -- maybe John doesn't care or maybe John has other ways of recognizing you, like, by asking for a password.

This is what nerds with no life do at key signing parties.
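
The key-signing check described in the reply above, as an added example that is not part of the original thread: Ken signs John's public key, and a key claiming to be John's is accepted only if Ken's signature over it verifies. The textbook RSA built from fixed Mersenne primes is a toy stand-in for a real signature scheme, and the name Mallory (the interceptor) and all function names are assumptions made for the illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_keypair(p, q):
    """Toy textbook RSA (no padding, small primes): illustration only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public, private)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def key_statement(owner, public):
    """The bytes a signer vouches for: 'this key belongs to this owner'."""
    n, e = public
    return f"{owner}|{n}|{e}".encode()

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)

def accept_key(trusted_pub, owner, presented_pub, signature):
    """Accept presented_pub as owner's key only if the trusted signer vouched for it."""
    return verify(trusted_pub, key_statement(owner, presented_pub), signature)

# Constructed keys from known Mersenne primes (hypothetical parties).
KEN_PUB, KEN_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
JOHN_PUB, _ = make_keypair(2**107 - 1, 2**127 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

# Ken traded keys with John directly and signed "John owns JOHN_PUB".
KEN_SIG_ON_JOHN = sign(KEN_PRIV, key_statement("John", JOHN_PUB))

if __name__ == "__main__":
    # Untampered delivery: the key and Ken's signature match.
    print(accept_key(KEN_PUB, "John", JOHN_PUB, KEN_SIG_ON_JOHN))
    # Key swapped in transit, Ken's signature left in place.
    print(accept_key(KEN_PUB, "John", MALLORY_PUB, KEN_SIG_ON_JOHN))
    # Key swapped and re-signed with the interceptor's own key.
    forged = sign(MALLORY_PRIV, key_statement("John", MALLORY_PUB))
    print(accept_key(KEN_PUB, "John", MALLORY_PUB, forged))
```

The check only helps because Ken's public key was obtained through a channel the interceptor did not control; a signature verified against a key that arrived over the same bugged line proves nothing.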

0

So in the end there has to be some kind of verification and exchange that is safe before the public key can be used. Thanks for the info.
