Score:0

Pretty much confused about pretty good privacy-:

  1. Authentication-:

I understand that authentication is basically digital signature. But what I don't understand is how it has been explained here, especially the RSA key part. It is leading me to huge confusion.

enter image description here

enter image description here

In RSA encryption, we use public key (of whom, sender or receiver?) for encryption and private key (of whom?) for decryption.

They say hash is encrypted using RSA. But why are we using PRIVATE KEY (of sender) here (instead of public key) and public key of sender instead of private key?

  2. Confidentiality-:

message known between only sender and receiver.

why are we encrypting session key? any reason for that?

here session key is encrypted using RSA USING RECIPIENT'S PUBLIC KEY. (IT IS PUBLIC KEY AS I STATED ABOVE....BUT WAS IT REALLY RECIPIENT'S PUBLIC KEY??) AND DECRYPTED USING RECEIVER'S PRIVATE KEY...(MAKES SENSE TO ME IF IN THE FIRST MAIN FIGURE IT WAS RECEIVER'S PRIVATE KEY)

Slides taken from here, figure taken from a book "Udit Agrawal Computer networks" https://www.cs.utexas.edu/~byoung/cs361/slides8-pgp.pdf

fgrieu
Despite the "Last updated: October 25, 2019" on the first slide, the slides are outdated: SHA-1 should no longer be used, and it is hard, if at all possible, to get a modern PGP/GPG to use it to hash a message for signature. SHA-256 is the baseline. Worse, the slides use incorrect and confusing terminology: _"The hash code is encrypted with RSA using the sender’s private key"_ is incorrect. Read instead: _This hash is further padded, and the outcome submitted to the RSA private key function $x\mapsto x^d\bmod n$ (also known as textbook RSA signature function), yielding the RSA signature._
Score:1

> Authentication-: I understand that authentication is basically digital signature.

You can use a digital signature for authentication, be it entity authentication (e.g. in the TLS protocol) or message authentication (e.g. in the PGP protocol). It is however also possible to use other means, e.g. a MAC if you share a secret key: the digital signature is a means to an end.

> In RSA encryption, we use public key(of whose sender or receiver?) for encryption and private key(of whom?) for decryption.

You'd use the public key of the receiver. You first need to establish trust in the public key though. This is why you can e.g. sign keys in PGP so that you can utilize its web of trust.

> They say hash is encrypted using RSA. But why are we using PRIVATE KEY (of sender) here (instead of public key) and public key of sender instead of private key?

The private key of the sender is used in signature generation. It is possible to show that the private key of the sender is used by verifying the signature. The hash over the data is used so that the integrity and authenticity of the message is maintained.

It's best not to think of that as encryption with a private key, so they got that wrong. Both signature generation and encryption in RSA depend on modular exponentiation. However, that's where the similarities end. For more information see my self-answered question here.


Note that two key pairs are used if you want to encrypt and sign. The encryption part is performed using the key pair of the receiver, while the signature generation is performed using the key pair of the sender. Encryption is always performed using the public key, decryption with the private key. For signature generation the private key is used, for verification the public key.

Often a data or session key is encrypted instead of the message directly. That's just because symmetric encryption is more efficient (not just in compute time but also the resulting ciphertext size). Similarly usually you sign the hash instead of the message - although there are also some security related reasons for that.

crystal clear except for encrypting Ks(session key)..we are indeed encrypting message in confidentiality with Ks isn't it??
Maarten Bodewes
The session key is just a random, message specific, symmetric key (e.g. an AES key). It is used to encrypt the data, after which it is encrypted (wrapped) itself with the recipient's public key. To decrypt the receiver first decrypts / unwraps the session key using the private key and then you can use the AES key to decrypt the message. This is called a hybrid cryptosystem as it uses asymmetric (RSA) and symmetric (AES) cryptography.
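
The key usage discussed in this thread, as an added example that is not part of the question, the answer or the slides: the sender's key pair signs, the receiver's key pair wraps the session key Ks, and Ks encrypts the message. Everything here is a constructed toy: the RSA moduli are built from small Mersenne primes, the hash is reduced mod n instead of padded, and a SHA-256 keystream stands in for AES, so it shows which key goes where and nothing about secure parameters.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def keypair(p, q):
    """Toy RSA key pair from two known primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

# Constructed keys from Mersenne primes: far too small and structured for real use.
SENDER_PUB, SENDER_PRIV = keypair(2**89 - 1, 2**107 - 1)
RECEIVER_PUB, RECEIVER_PRIV = keypair(2**61 - 1, 2**127 - 1)

def digest_int(msg, n):
    # Stand-in for "hash, then pad": SHA-256 reduced mod n (no real padding).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def stream_xor(key, data):
    # Stand-in for AES: XOR with a SHA-256 counter keystream (its own inverse).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def send(msg, sender_priv, receiver_pub):
    n_s, d_s = sender_priv
    n_r, e_r = receiver_pub
    signature = pow(digest_int(msg, n_s), d_s, n_s)      # sender's PRIVATE key
    ks = secrets.token_bytes(16)                         # fresh session key Ks
    wrapped = pow(int.from_bytes(ks, "big"), e_r, n_r)   # receiver's PUBLIC key
    # The signature travels beside the ciphertext here to keep the toy short.
    return wrapped, stream_xor(ks, msg), signature

def receive(packet, receiver_priv, sender_pub):
    wrapped, ciphertext, signature = packet
    n_r, d_r = receiver_priv
    n_s, e_s = sender_pub
    ks = pow(wrapped, d_r, n_r).to_bytes(16, "big")      # receiver's PRIVATE key
    msg = stream_xor(ks, ciphertext)
    valid = pow(signature, e_s, n_s) == digest_int(msg, n_s)  # sender's PUBLIC key
    return msg, valid
```

Verifying with any public key other than the sender's, or after the ciphertext has been altered, makes `valid` come back `False`.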