Member Avatar for cam875

I have been reading about public key encryption for the past day or2 and got thinking about something, and am hoping someone here can offer some insight. anyways here it goes

Since public key encryption is based off of the person sending the info being able to get the other guys public key to perform the encryption to his data before its sent. What if the public key he is about to receive gets intercepted and changed to the hackers public key that corresponds with the hackers private key. So when the guy gets the public key to do the encryption he thinks its his friends so when he sends out his encrypted info and it gets intercepted on this bugged line the hacker can decrypt it perfectly since it was encrypted with his public key and not the other person's. Is this possible and if so is it addressed somewhere in a particular network protocol.

  • 2 Contributors
  • 2 Replies
  • 101 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by cam875
Member Avatar for thoughtcoder

That is a problem, yes. That's why public keys are cryptographically signed (look this term up) by third parties. For example, the 'certificates' that websites using https have are signed by Verisign and other organizations that browsers know about.

Suppose you're friends with Ken and Ken's friends with John. Since your Ken's friend, you and he have traded public keys, and since John's friends with Ken, he's traded public keys with Ken too. When John traded his keys with Ken, well, Ken took the opportunity to sign John's key, saying that, yes, this is in fact John. So then when John sends you his public key (along with Ken's signature), you can see that, hey, it truly is John, and you know so because Ken said so. And he said so in a cryptographically secure fashion. Now hopefully, Ken's signed your key, and that way John can trust that you are who you say you are. Sometimes (usually) that's not necessary -- maybe John doesn't care or maybe John has other ways of recognizing you, like, by asking for a password.

This is what nerds with no life do at key signing parties.

Member Avatar for cam875

so in the end there has to be somekind of verification and exchange that is safe before the public key can be used. Thanks for the info.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.