Asymmetric Encryption

pintu

Hello everybody.

I have some confusion regarding asymmetric encryption. In asymmetric
encryption there is one private key and one public key. So any data
is encrypted using the private key and the same is decrypted at the client side
using the public key, and vice versa. Now I have some confusion, i.e.:

* Are both the keys available to both sender and receiver?
* When data is encrypted using the public key, is the same data decrypted
using the private key (at the client side)?
* How are the keys sent to the client/receiver of the message? I mean, are
they assigned to browsers, or are they validated or sent depending on the
login id/password of a user?
* If possible, kindly explain (in short) the whole process of asymmetric
encryption! Please.

Thanks & Regards
Priyabrata
 
Karl Seguin [MVP]

Asymmetric encryption tends to be very good for encrypting short messages. With
this in mind, let me explain to you how WE use it. We use asymmetric
encryption to securely exchange a symmetric private key.

- The client (we aren't necessarily speaking of a web browser) generates a
private key and a public key.
- The client sends the PUBLIC key to the server.
- The server generates a message (in our case it's a random symmetric key)
and encrypts it using the PUBLIC key it got from the client.
- The server sends the encrypted message.
- The client uses its PRIVATE key to decode the message.
- The client and server now have a private SYMMETRIC key.

As you can see, the asymmetric private key is NEVER sent over the wire. Only
the client (which generates it) knows it. Only the PUBLIC key is sent over
the wire (in plain text). The public key is then used by the server to
encrypt a short message. This method lets us establish a secure private key
for symmetric encryption (which can do long messages).

With the public key, anyone can create an encrypted message, but only the
private key can be used to decrypt it.

This kind of exchange I explained is pretty typical, but it's still open to
a man-in-the-middle attack. That is, when the client sends its public key,
someone in the middle could intercept it. Then that person could create
his/her own public/private key and send THAT public key to the server. The
server (which has no way of knowing this) uses the fake public key,
encrypts the message and sends it back. The man in the middle gets THAT
message, decrypts it (since it was his public key used to encrypt it, so he
has the private key) and now has the secret message.

Things like SSL have an extra layer that helps prevent man-in-the-middle, but
that's another discussion.

Karl
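The exchange Karl describes, written out as an added example (not code from the thread or from any .NET class it mentions) using Go's standard library rather than RSACryptoServiceProvider: the client keeps the private key, the server wraps a random symmetric key under the public key, and only the matching private key can unwrap it. The function names and the 2048-bit key size are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Client: generate the pair. Only the public half is ever handed to the server
// (a real client would serialize it, e.g. as DER, before sending it).
func clientGenerateKeys() (*rsa.PrivateKey, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// Server: draw a fresh random symmetric key and wrap it under the received
// public key with RSA-OAEP (SHA-256). Nothing here proves whose public key this
// is: that is exactly the gap the man-in-the-middle scenario above relies on.
func serverWrapSymmetricKey(pub *rsa.PublicKey) (symKey, wrapped []byte, err error) {
	symKey = make([]byte, 32) // 256-bit key for the later symmetric cipher
	if _, err = rand.Read(symKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
	return symKey, wrapped, err
}

// Client: only the holder of the matching private key can unwrap it.
func clientUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// runExchange drives both sides in one process; true means both ends now hold
// the same symmetric key although the private key was never transmitted.
func runExchange() (bool, error) {
	priv, pub, err := clientGenerateKeys()
	if err != nil {
		return false, err
	}
	serverKey, wrapped, err := serverWrapSymmetricKey(pub)
	if err != nil {
		return false, err
	}
	clientKey, err := clientUnwrap(priv, wrapped)
	return err == nil && bytes.Equal(serverKey, clientKey), err
}
```

Attempting clientUnwrap with any other private key fails, which is the "only the private key can decrypt it" property; what the code cannot do is tell the server whether the public key it received really came from the client.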
 
pintu

Thanks Karl. Really, your posting will help me a lot.
But still one doubt:
* How do the keys get generated? I mean, do we use some methods of the
RSACryptoProvider class or not? And how to know which one is the private
and which one is the public key, and how to work on them?

Thanks
Priyabrata
 
Karl Seguin [MVP]

Yes, instances of RSACryptoServiceProvider have methods, such as
ToXmlString(), which'll export your keys as Base64 hex values. You can
specify if you want to export both your private key and public key. Once
you have the XML, it's pretty plain to see which is which (it's like
<encryption><privateKey>...</privateKey><publicKey>....</publicKey></encryption>
or something).

Karl
 