09-06-03, 01:36 AM   #135
pod

Quote:
Originally posted by Mazer
It's not unsafe to post public keys because public keys are used for encrypting info, and the private keys are used to decrypt it. To read messages on the network without logging on someone would have to steal someone else's private key.

Here's how this stuff works, from what I know.

When you create your private key, a 'mirror image' public key is created. These are based on some mathematical properties of prime numbers; you pick big enough prime numbers and it becomes computationally infeasible to brute force the private key.

You hold on to your private key, and keep it safe. It's very important. The private key is also protected by a password (more usually a passPHRASE); it is never stored in plaintext.

A message encrypted with your private key will be readable by anyone who has your public key. You publish your public key so that when people use it to decrypt this message they are sure it came from you, because only you have the corresponding private key that could be used to create the message.

When someone wants to send you something that only you can decrypt, they encrypt it with your public key. Now only your private key can decrypt it, and since, again, you're the only person who knows it, only you can decrypt that message.

So if you want secure comms, you exchange your public keys, and send messages to each other using the other's public key.

This is how WASTE works. You need everyone's public keys because they all send messages using their private key. Except since it's a network with routing and proxies and such, if you have 3 people, A, B and C, if A sends a message to B, this message could pass through C, which would be able to decode it. IOW, this is not like FreeNet, where the security is end to end and you can't read what's passing through your node (unless it's for you); and this is why you only let trusted people on your network and use a network name to obfuscate matters.

A neat side-effect of this public/private scheme is that if you run a message through a one-way hash function and create a message digest (MD5 does this for example) and encrypt it with your private key, you've created a signature. So you send the signature and the message together (as is or encrypted with recipient's public key), and the recipient can now verify that the message:
a) has not been altered
b) was sent by you
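The hash-then-sign check described in the post above, as an added example that is not part of the original post and is not WASTE's code. It assumes textbook RSA without padding, SHA-256 in place of MD5, and constructed demo keys; the function and key names are hypothetical.

```python
# Added illustration: textbook RSA (no padding) with constructed demo keys.
# It shows the mechanism only; real systems use a vetted library with a
# padded signature scheme and randomly generated primes.
import hashlib

E = 65537  # widely used public exponent


def make_keypair(p, q):
    """Return ((n, e), (n, d)): public and private key from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # d is the inverse of e mod phi


def digest_int(message: bytes) -> int:
    """One-way hash of the message as an integer (SHA-256, not MD5)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private) -> int:
    """Signature = digest transformed with the PRIVATE exponent."""
    n, d = private
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Undo the signature with the PUBLIC exponent and compare digests."""
    n, e = public
    return pow(signature, e, n) == digest_int(message)


# Constructed keys built from well-known Mersenne primes (demo only).
SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**89 - 1, 2**607 - 1)


def demo():
    msg = b"meet at noon"  # constructed sample message
    sig = sign(msg, SENDER_PRIV)
    return {
        # a) unaltered and b) from the sender: verification succeeds
        "genuine": verify(msg, sig, SENDER_PUB),
        # message changed in transit: digest no longer matches
        "altered": verify(b"meet at nine", sig, SENDER_PUB),
        # signed with someone else's private key: sender's public key rejects it
        "forged": verify(msg, sign(msg, OTHER_PRIV), SENDER_PUB),
    }


if __name__ == "__main__":
    print(demo())
```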