<div dir="ltr">The method can very a bit. Usually it goes like this.<div><br></div><div>Public key is shared with everyone.</div><div><br></div><div>Private key is only on the server.</div><div><br></div><div>Client generates a symmetric key, encypts it with the public key, and sends it. All the actual data you care about is encrypted with the symmetric key.</div><div><br></div><div>Server receives the symmetric key that has been encrypted with the public key and decrypts it with the private key (usually the public and private key combined, but that's beside the point). Then decrypts the data with the symmetric key it just got.</div><div><br></div><div>In this way, the very expensive asymmetric encryption system is used as little as possible. All your datas are encrypted with a much quicker encryption method. The symmetric key is discarded at the end of the session.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 16, 2015 at 7:56 PM, Michael Havens <span dir="ltr"><<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">no.... no..... Joseph says it is like two locks.When you unlock one you lock the other? hmmmm....</div><div class="gmail_extra"><br clear="all"><div><div>:-)~MIKE~(-:</div></div><div><div class="h5">
<br><div class="gmail_quote">On Mon, Feb 16, 2015 at 7:49 PM, Michael Havens <span dir="ltr"><<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">and then the public key everyone can see and the private one only you can see?</div><div class="gmail_extra"><br clear="all"><div><div>:-)~MIKE~(-:</div></div><div><div>
<br><div class="gmail_quote">On Mon, Feb 16, 2015 at 7:45 PM, Michael Havens <span dir="ltr"><<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">is a real simplified version that it is like two locks locked together and each key opens one of the locks?<div class="gmail_extra"><br clear="all"><div><div>:-)~MIKE~(-:</div></div><div><div>
<br><div class="gmail_quote">On Mon, Feb 9, 2015 at 7:05 PM, Joseph Sinclair <span dir="ltr"><<a href="mailto:plug-discussion@stcaz.net" target="_blank">plug-discussion@stcaz.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Lots of confusion here. Let me try to clarify (a small amount).<br>
<br>
Background:<br>
"Public Key" cryptography is also called "Asymmetric Cryptography".<br>
The reason is that there are two different keys, and they only work together in an "asymmetric" fashion (whatever one key does, the other key undoes).<br>
The keys are "related" mathematically, but it is (currently) not possible to figure out one key from the other (so having a public key does not help you determine the private key).<br>
<br>
1) There are two keys.<br>
a) There are also two *actions*, encryption (hiding content from unauthorized viewers) and verification (proving a message is authentic and from a known entity).<br>
2) *Either* key can be used to encrypt, but the *other* key is needed to decrypt.<br>
a) that means public(encrypt) ==> private(decrypt) *or* private(encrypt) ==> public(decrypt).<br>
b) a single key cannot both encrypt and decrypt the same message (That's why it's called "asymmetric encryption", the keys are *not* interchangeable).<br>
3) The "Public" key is meant to be published far and wide. It is used to encrypt a message intended for the key "owner", and it is also used (by decrypting a hash) to "verify" that a message was sent by the real owner (signature).<br>
4) The "Private" key is meant to be kept strictly secret. It can decrypt any message encrypted by the public key. It can also encrypt a message that only the "Public" key can decrypt (see signature below).<br>
<br>
Encryption is the function most people understand (it's also very rarely used**). You encrypt a message using the "Public" key as the encryption key.<br>
Once encrypted the data is essentially static to anyone who does not possess the "Private" key.<br>
There are a ton of details involved, so it's rarely explained further than that without reading an entire textbook (or 3).<br>
<br>
There is a *related* function called "verification" or "Digital Signature". This is used to prove (without ever exposing a secret) that a particular entity possesses the secret "Private" key.<br>
This is how you know your HTTPS connection is connected to the correct endpoint rather than some imposter (it's also how ssh passwordless login works).<br>
This involves (very simplified) using the "Private" key to encrypt the hash of a message (to sign the message) or a "nonce" value (to verify endpoint identity, e.g. SSL).<br>
Once the value (hash or nonce) is encrypted by the "Private" key, only the matching "Public" key will decrypt it.<br>
So if someone sent you a message and it's encrypted hash, then you decrypt the hash with the "Public" key, and if it decrypts correctly you know it is valid.<br>
Of course, you would also hash the message (there are standard algorithms for generating these "hash" values) and see if your results match what you decrypted (if they don't, then the message isn't what the sender meant to send).<br>
<br>
There are several ways of implementing assymetric cryptography, the most commonly used is with the RSA family of algorithms.<br>
The "elliptic curve" (or "EC") family of algorithms have grown in popularity in recent years, but are still only occasionally used.<br>
The two are mostly different in the mathematics behind how and why they work.<br>
The basic concepts (two keys, two operations, what one key does the other undoes) are the same.<br>
<br>
Hopefully that helps a bit.<br>
<br>
Public Key Cryptography (and Asymmetric Cryptography in general) is a huge and complex topic, so I second Todd's suggestion that if you want to really understand this, you will want to read a few good textbooks on the subject.<br>
<br>
==Joseph++<br>
<br>
** Some will say that SSL uses public key encryption. This is true, but misleading, because the public key encryption is only used during the "handshake" where the SSL connection is setup to encrypt the exchange of symmetric keys. This "key exchange" is what Diffie and Helman invented that makes modern PKI possible.<br>
The encryption that does all the heavy lifting of keeping the SSL tunnel secure is always a "block" (symmetric) algorithm, most commonly AES (for modern systems where security is properly implemented) or 3DES (slightly older but still pretty secure) or RC4 (completely insecure and used by extremely badly managed sites running ancient and horribly flawed web server software, unfortunately there are still far too many very large businesses that do this).<br>
<div><div><br>
<br>
On 02/09/2015 06:01 PM, Michael Havens wrote:<br>
> helps some but you state:<br>
><br>
> you want others to be able to check that you actually<br>
> sent the message (by using your public key)<br>
><br>
> Where do they get your public key?<br>
> How does your public key and private key decrypt when it seems the public<br>
> key changes.<br>
><br>
> :-)~MIKE~(-:<br>
><br>
> On Mon, Feb 9, 2015 at 5:48 PM, someone wrote:<br>
><br>
>> So if I'm right calling it a 'key' is a misnomer. I am a very literal<br>
>> person. if they call it a key it unlocks things, not creates them.<br>
>> That is where my confusion is from. Am I correct?<br>
>><br>
>> Not quite correct...<br>
>><br>
>> Both the public and private keys ARE keys... they're just used a<br>
>> little differently.<br>
>><br>
>> You keep your private key secure, and use it to digitally sign a<br>
>> message when you want others to be able to check that you actually<br>
>> sent the message (by using your public key). Others can send an<br>
>> encrypted message that only you can decode, by encrypting the message<br>
>> using your public key. When you get the message, you can use your<br>
>> private key to undo the encryption that was done using your public<br>
>> key.<br>
>><br>
>> So, in a way, the public and private keys can be thought of as two<br>
>> pieces of a single, combined key. The software that does the signing<br>
>> or encryption (using the keys), such as gnupg, pgp, etc., is more like<br>
>> the lock that the keys fit.<br>
>><br>
>> I hope that helps.<br>
>> --<br>
>> Kevin O'Connor<br>
>><br>
><br>
><br>
><br>
</div></div><div><div>> ---------------------------------------------------<br>
> PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
> To subscribe, unsubscribe, or to change your mail settings:<br>
> <a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
><br>
<br>
</div></div><br>---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div></div></div>
<br>---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">James McPhee<br><a href="mailto:jmcphe@gmail.com">jmcphe@gmail.com</a></div>
</div>