Thoughts on Crypto

Ξ August 31st, 2008 | → 0 Comments | ∇ crypto, educateme |

I’ve been thinking about public key cryptography recently, after a conversation I had with moke, concerning the need for identity verification, and/or encryption over just about every protocol we have. What worries me about all of this PKC is this: How do we protect the initial transfer of public keys? I’ve seen this mentioned as the protection for that:

Digital signatures — a message signed with a sender’s private key can be verified by anyone who has access to the sender’s public key, thereby proving that the sender signed it and that the message has not been tampered with. This is used to ensure authenticity.

How does this ensure authenticity during the initial transfer of keys? If all of this took place on line, how could this be protected from a MITM attack? Even with public key signing, what’s to stop someone from making Bob see a fabricated Key, instead of Alice’s real public key (assuming Bob went to Alice’s website to grab her public key.) The only way around this, that I can tell, is face to face key transfers. How could this be useful in a large scale system?

I recognize that I may be missing a large part of this, but hey, thats why I’m posting this. Educate me!

Original post by logikal

 

  • Rumours and Lies