Public Key encryption AND Signing of messages. Help!

Question

0.00/5 (No votes)

See more:

Am writing a program which needs PCs to communicate with each other. Have got my head around public key encryption and am succesfully encrypting and decrypting messages using public keys, and locally stored private keys. Each PC knows every other PC's public keys.

However I can't quite understand the concept of signing (which I need to do so nobody can impersonate another PC, and a message can be KNOWN to come from a particular PC.) I understand that a hash is taken of the message (before encryption) by the sender and then the hash is encrypted using the sender's private key. The receiver then decrypts the message, hashes it and also encrypts the hash using the sender's public key. This encrypted hash is then compared to the encrypted hash sent by the sender. If the two match the sender is guaranteed to be who he says he is.

However - couldn't a third party, knowing the sender's public key, impersonate him by signing a message using the sender's public key? When the receiver encrypts the hash, also using the sender's public key, the two will match, and the receiver will be deceived into beleiving the source is verified. I am new to this! It's very confusing.

Posted 24-Jan-12 3:15am

AlanC12

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Dave Kreskowiak · Accepted Answer · 2012-01-24T03:50:00

Solution 1

Your client could use the sender public key to sign/encrypt a message to send back to the sender, but you typically don't do that. Since multiple clients can have the sender public key, any client can impersonate any other client.

Typically, each client will have its own key pair, of which the server will have a copy of each clients public key. I think the rest of obvious what you do with them.

Posted 24-Jan-12 3:50am

Dave Kreskowiak

Comments

AlanC12 24-Jan-12 10:24am

Don't think I made myself clear in the question, sorry. I am set up the way you suggested (each client has its own key pair, server having a copy of public key for each client). Perhaps I can explain it with an email example.

Bob Sends Alice an email. Bob signs a hash of his message using his private key. Alice can now verify for certain the email came from Bob because she can verify the signed hash using Bob's public key.

My question - could somebody else (say Fred) sign a nessage with Bob's public key and send it to Alice, making Alice think the message came from Bob, when actually it came from Fred? Or is it not possible to sign a message with the public key?

Dave Kreskowiak 24-Jan-12 20:44pm

No. The public key cannot be used to both encrypt and decrypt the hash. Only the private key can decrypt the hash, which only Bob has.