POV-Ray : Newsgroups : povray.off-topic
  Public key cryptography  
From: Invisible
Date: 10 Jul 2009 10:48:44
Message: <4a5754cc$1@news.povray.org>
OK, so here's how it works:

You want to send a file to somebody securely over the Internet. 
Obviously the only way to do this is to encrypt it somehow. But 
presumably you'd like the person at the other end to be able to decrypt 
it, right?

But that's the problem, isn't it? You could just email them the 
encryption key along with the file... but then why did you bother 
encrypting the file? You could... I don't know... send the key in a 
separate email? Hmm, but that doesn't help much. Or I guess you could 
send the key by post or read it over the phone or something...

In theory, even if you do one of these things, somebody might be reading 
your mail or tapping your phone. Absurdly unlikely, but possible. So, a 
bunch of mathematical geniuses came up with a system which neatly solves 
the whole problem: asymmetric encryption.

Essentially, instead of having one key, you have two. Anybody who has 
the encryption key can encrypt data, but they can't decrypt it. Anybody 
with the decryption key can decrypt data, but not encrypt it. And by 
carefully controlling who has access to which key(s), you can obtain 
security.

For example, if you want to send a file securely, get the intended 
recipient to build a pair of keys, and send you the encryption key only. 
You then encrypt your file with this encryption key, safe in the 
knowledge that the only person on Earth who knows what the hell the 
decryption key is just happens to be the person you're sending the file to.

You can use the same system backwards to provide authentication rather 
than security, and you can use several keys at once to gain 
authentication *and* security at the same time, for one or both 
endpoints, and so on. This is how systems such as HTTPS and SFTP work.

In particular, for something like SSH or SFTP, typically both you and 
the server you're trying to contact have a keypair, and server and 
client exchange only their public keys, keeping their private ones 
secret. So to set up an account on a given server, you generate a 
keypair and email the public key only to the server admin, who then sets 
up your account.

So what did *Pfizer Incorporated* just go and do? They generated a 
keypair on our behalf and emailed both of the keys to us in the clear, 
thus completely circumventing the entire purpose of asymmetric 
encryption. >_<

Why do I bother?

(I especially like the way they emailed the keys password-protected, 
with the password in the same email as the keys - even though the 
instructions say that they won't ever do this... Almost as amusing as 
the instructions being marked "draft" and dated March 2005...)


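The SSH/SFTP workflow described in the post (generate the keypair yourself, hand over only the public half), shown as an added example that is not part of the original post. The function names and sample files are hypothetical and constructed for illustration; the check treats a password-protected private key as private too.

```shell
#!/bin/sh
# Added example: create the keypair on the client, then refuse to share any
# file that contains private key material. Function names are hypothetical.

# Generate an Ed25519 keypair locally. "$1" is the private key path;
# ssh-keygen writes the public half to "$1.pub" and prompts for a passphrase.
make_keypair() {
    ssh-keygen -q -t ed25519 -f "$1" -C "$2"
}

# Print "private", "public" or "unknown" for the file named in "$1".
classify_key_file() {
    # Any PEM/OpenSSH private key header, encrypted or not, or a PuTTY .ppk
    # file (which bundles the private key with the public one).
    if grep -Eq -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' \
                -e '^PuTTY-User-Key-File-[0-9]+:' "$1"; then
        echo private
    elif grep -Eq \
        -e '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/]+=*( |$)' \
        -e '-----BEGIN ([A-Z0-9]+ )*PUBLIC KEY-----' "$1"; then
        echo public
    else
        echo unknown
    fi
}

# Return 0 only if every named file is public key material.
safe_to_send() {
    for f in "$@"; do
        [ "$(classify_key_file "$f")" = public ] || {
            echo "refusing to send $f: not a public key" >&2
            return 1
        }
    done
}

# Constructed sample files with placeholder bodies (not real keys).
write_samples() {
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly user@example' \
        > "$1/id.pub"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/id.pem"
    # Both halves in one file, as in the email the post describes.
    cat "$1/id.pub" "$1/id.pem" > "$1/both.txt"
}
```

Typical use is `make_keypair ~/.ssh/id_ed25519 you@host` followed by `safe_to_send ~/.ssh/id_ed25519.pub` before attaching anything to a message.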