this post was submitted on 28 Apr 2024
1 points (100.0% liked)

Security

5014 readers
1 users here now

Confidentiality Integrity Availability

founded 4 years ago
MODERATORS
 

There’s a server, a client, and a hacker in a network. For encryption, the client and the server need to share their private keys. Wouldn’t the hacker be able to grab those during their transmission and decrypt further messages as they please?

top 25 comments
sorted by: hot top controversial new old
[–] [email protected] 0 points 6 months ago

Great question. Modern encryption schemes are usually composed of a handful of primitives. If we consider something like HTTPS it uses both asymmetric and symmetric parts.

Asymmetric encryption is the "magic" that you are missing. Asymmetric encryption algorithms create a keypair, one half of this is the "public key" which can be used to encrypt messages that can only be decrypted by the "private key". This means that even if the public key is public (as the name suggests) the messages can't be decrypted without the public key.

You can think of this as giving someone an open padlock. They can put something inside a box and lock it using the padlock, but they can't open it without your key.

Using this you could come up with a very simple protocol for establishing a secure channel:

  1. The server sends you their public key, along with a certificate that proves that it belongs to them.
  2. The client then uses this public key to encrypt a key for symmetric encryption.
  3. The client sends this encrypted key to the server.
  4. The server decrypts the key.
  5. Now the client and server can both use the shared key to communicate.

(Note: There are many missing features from this system, but I think it illustrates the point. Don't design your own crypto.)

[–] [email protected] 0 points 6 months ago

For encryption, the client and server need to share their private keys.

This is incorrect, for asymmetric (public-private) encryption. You never, ever share the private key, hence the name.

The private key is only used on your system for local decryption (someone sent a message encrypted with your public key) or for digital signature (you sign a document with your private key, which can be validated by anyone with your public key).

For the server, they are signing their handshake request with a certificate issued by a known certificate authority (aka, CA, a trusted third party). This prevents a man-in-the-middle attack, as long as you trust the CA.

The current gap is in inconsistent implementation of Organization Validation/Extended Validation (OV/EV), where an issuer will first validate that domains are legitimate for a registered business. This is to help prevent phishing domains, who will be operating with TLS, but on a near-name match domain (www.app1e.com or www.apple.zip instead of www.apple.com). Even this isn’t perfect, as business names are typically only unique within the country/province/state that issues the business license, or needed to be enforced by trademark, so at the end of the day, you still need to put some trust in the CA.

[–] [email protected] 0 points 6 months ago (1 children)

Certifying Authority ensures secure connection establishment. If CA is corrupt, your system will work.

[–] [email protected] 0 points 6 months ago (1 children)

CAs are irrelevant to OPs question

[–] [email protected] 0 points 6 months ago

A bit relevant, because even without sharing private keys Diffie-Hellman without prior knowledge will allow for a MitM attack.

But the answer is too short to make sense of without knowing that, I think

[–] [email protected] 0 points 6 months ago

Why are they sharing private keys?

The point of the system is you share public key so others can encrypt data and the you use your private key do decrypt it.

[–] [email protected] 0 points 6 months ago (4 children)

You've missed a key detail in how asymmetric encryption works:

  • For asymmetric encryption algorithms, you essentially have two keys - a "private" key, and a "public" key
  • If you know the private key it is trivial to calculate the public key, but the reverse isn't true - just given the public key, it is essentially impossible to calculate the private key in a reasonable amount of time
  • If you encrypt something with the public key you must use the private key to decrypt it, and if you encrypt with the private key you can only use the public key for decryption
  • This means that my server can advertise a public key, and you can use that to encrypt the traffic so that only the server that knows the private key can decrypt it
[–] [email protected] 0 points 6 months ago (2 children)

But how does the encryption work if you have the public key? Since your computer knows how to encrypt the data with the public key, couldn't you use that same public key to run that algorithm in reverse? If not, since the public and private keys are not the same, how does the private key go about decrypting that data?

[–] [email protected] 0 points 6 months ago

The actual math is way beyond me, but the algorithm is "one way" - it exploits the fact that given two prime numbers (ie, the private key) it is trivial to multiply them together, but if you only know the result (ie, the public key) it is computationally very expensive to determine the original prime factors. If you pick big enough numbers, it becomes effectively impossible to undo the multiplication

[–] [email protected] 0 points 6 months ago

No. The encryption methods are designed in a way that using a public key will not decrypt the message.

[–] [email protected] 0 points 6 months ago (1 children)

If you know the private key it is trivial to calculate the public key, but the reverse isn't true

I didn't believe this is true... In public/private key crypto there is no such thing as "private" and "public". They're just a key pair. You choose to make one public by sharing it and the other private by not sharing it.

[–] [email protected] 0 points 6 months ago

It depends on the cryptosystem. The private and public halves of the pair are often not symmetrical and often have overlap.

The parent is likely confused because in most situations the "private key file" will also contain all of the public key. Whether by necessity or for convenience.

[–] [email protected] 0 points 6 months ago (1 children)

Just a nitpick:

If you know the private key it is trivial to calculate the public key, but the reverse isn't true

The public key and the private key are just two big prime numbers. The "trivial to compute" part only works once more information has been shared over the network, like it happens during key exchange. If you were to swap the prime number before initiating any contact it would work the same way.

[–] [email protected] 0 points 6 months ago

In RSA, the private key is a pair of big semi-primes, and the public key is derived from those numbers. I think you are confusing DHKE and RSA with your other points, the private key is never transmitted over the network. For TLS you typically use an asymmetric crypto system to validate identities and encrypt the key exchange to prevent person-in-the-middle, but the key that is agreed using that process is a symmetric key for AES or similar, but that is specific to TLS.

Also, there are other asymmetric systems that don't use primes at all - eliptic curve crypto is based on completely different math

[–] [email protected] 0 points 6 months ago (2 children)

I used to know that and still struggle to understand how a handshake wouldn't allow MitM. Later I found out that it requires a third party with a trusted and known certificate for signing handshake exchange messages in order to ensure there's no man in the middle: https://stackoverflow.com/a/10496684

[–] [email protected] 0 points 6 months ago (1 children)

Yes, that's why https needs certificates (and sometimes shows a broken lock) and why you need to accept the fingerprint when first connecting to a server via ssh.

[–] [email protected] 0 points 6 months ago* (last edited 6 months ago)

Accepting ssh key fingerprints on first ssh is a bad practice. Ssh ca’s and or sshfp are around and have been for decades. Accepting random host keys is like trusting random self signed ssl certificates.

Use ssh ca’s for user and host keys so you can revoke and rekey hosts without having to update authorized keys. And then you can revoke access to hosts for users as well and much more.

[–] [email protected] 0 points 6 months ago

A big "It Depends" on that - plenty of applications of asymmetric crypto where you just hard-code the servers public key into the client and call it a day, and GPG has its own PKI scheme that is just kinda weird.

You also don't have to use Diffie-Hellman - early versions of SSL just sent the ephemeral key (the symmetric key used for the actual AES session) directly. This works, but using DH also gives you "forward secrecy" - even if a malicious third party has captured the entire encrypted session, then later steals (or factors) your private key they still won't be able to read the encrypted traffic because they can't recover the ephemeral key because it wasn't sent over the wire in the first place

[–] [email protected] 0 points 6 months ago* (last edited 6 months ago) (1 children)

This is the video that finally explained it in a way that I totally understood.

TLDW: the actual key exchange works by using massive exponents that are very fast to run to get a result, but very hard to use that result to get the exponent you started with

[–] [email protected] 0 points 6 months ago

Adding on to your TLDR: There's also asymmetric cryptography based on elliptic curves, so it's not always an exponent of two massive primes.

[–] [email protected] 0 points 6 months ago

Great question: it's called asymmetric cryptography for a reason.

The key pair is built by the person wanting to receive private messages. The public part is made public an can be used to encrypt messages to the owner of the private key. Without it you cant read the contents.

As this method is not really performance friendly, thus method is usually used to establish a symmetric encryption key for both parties that can't be intercepted this way.

In fact: if the attacker can switch out the public key for his own during transfer, he can use it to decrypt the messages and relay them to the first party, thereby revealing all the messages. This is called a man-in-the-middle attack. This is why authentication of the key is so important. This is usually done via a trusted third party.

Sorry to be so short, I hope I have given you enough words to Google for further reading.

[–] [email protected] 0 points 6 months ago

The beauty of a private key is that it doesn't need to be shared to be used

[–] [email protected] 0 points 6 months ago (1 children)
[–] [email protected] 0 points 6 months ago (1 children)

I don't think DH is accurately relating to this. DH key exchange is used to generate a shared secret to use symmetric cryptography by two entities from (generally temporary) private keys, which are not specifically associated with a public key (this is not a public/private key pair)

To me, two examples of public/private key usage are RSA (asymmetric cryptography) and for example SSH authentication with a key pair. DH key exchange can be used in SSH to encrypt communication, before authentication even begins

[–] [email protected] 0 points 6 months ago

Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange