[ale] emailing public dsa key (good, bad or ugly?)

James P. Kinney III jkinney at localnetsolutions.com
Thu Jan 26 00:53:27 EST 2006 

On Wed, 2006-01-25 at 22:19 -0700, Joe Knapka wrote:
> Sid Lane wrote:
> 
> > hey,
> >
> > I am in the process of setting up an automated file transfer to an 
> > external vendor who has agreed to scp over ssh2 but is asking me to 
> > email the public key to them.
> >
> > is there any risk in doing this via email?  I understand the basic 
> > principles of asymetric cryptography and that it shouldn't be possible 
> > to decrypt w/the public key.
> 
> Sure it is. You can decrypt any message encrypted with the private key.
> 
> >
> > I was just wondering if there are any attacks/exploits that knowing it 
> > make easier.  FWIW, box that will be pushing to them is behind (a 
> > couple of) firewall(s) so nothing in the wild should even be able to 
> > attempt to initiate an ssh (or anything else for that matter) to it.
> 
> Wait...  *You* will be sending data to *them*? In that case, you need 
> *their* public key,
> not the other way around.  The public key is the one you encrypt with if 
> you want your
> message to stay private;  the private key is the one you encrypt with if 
> you want the
> receiver to be able to verify your identity.

I don't think this is correct. By putting your pub key on the remote
server, the server uses that key to send the random string to you, which
you get, decrypt and  then re-encrypt with the pub key the server just
sent over. Now the server decrypts the string you sent and that verifies
you are who you claim to be. Once the user authentication is over, the
server and client generate a random string that gets "glued" by
the ?server?. This is the encryption key for a while. It is a fast key
(like blowfish) and the key is changed often. The secret to this mess is
the key pieces are sent encrypted with the pub keys so no snooper can
get them.

The pub key can only encrypt. The private key can only decrypt. In some
situations, the required roles are reversed so the keys types are
reversed. If you try to encrypt a string with your real private key and
then decrypt it with your pub key, you would likely get a failure as the
key types are not interchangeable.
> 
> Cheers,
> 
> -- JK
> 
> > what say ye all?  o.k. to email or scp it w/password for now.
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Ale mailing list
> >Ale at ale.org
> >http://www.ale.org/mailman/listinfo/ale
> >
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part

More information about the Ale mailing list