 

Asymmetric Encryption

I have an exam tomorrow in Advanced Development, but I am stuck on the topic of Encryption. I have read up on it at http://support.microsoft.com/kb/246071. However, I am still confused.

If a message is encrypted using Asymmetric Encryption, using the public key, how is the decryptor going to know the private key with which to decrypt it? Surely the only way to do this is to make the private key public, but that defeats the object of Asymmetric Encryption.

Can someone please explain this in a way that a non-techie would be able to understand? It's only Asymmetric Encryption I don't understand, not Symmetric Encryption. Thanks in advance.

Regards,

Richard

Edit: So to sum up all the answers in the case of a web application (the specific use for which I need to know about this):

  1. User visits a website;
  2. User is requested to provide a public key;
  3. User creates public and private key-pair, keep the private one private and sends back the public key to the server;
  4. Server uses the public key to encrypt anything which needs to be sent to the user and sends the information to the user;
  5. User uses his / her private key to decrypt the response from the server;
  6. User does what they need to and sends back a response to the server, using the private key to encrypt it;
  7. Server decrypts using the public key. Steps 4 - 7 may continue many times, or they may only happen once, or only 4 and 5 may occur.

Is this all correct? If so, then it should be all I need to know for the exam. I shouldn't think I would need to know any more to get the maximum 40% should a question on this subject come up, though I will mention the existence of certificates and signatures.

Thank you for all the help.

Regards,

Richard

Edit: Well, I have just got back from my exam and it went fairly OK, I think. No question on cryptography came up, however. The help was appreciated anyway. Thanks all.

Regards,

Richard

Asked Aug 30 '10 19:08 by ClarkeyBoy

Answer

A private key is meant to be known only by its legitimate user and not distributed. Its counterpart, the public key, may be distributed to anyone.

Based on this, you can get 4 operations:

  • encrypt using the public key
  • decrypt using the private key
  • sign using the private key
  • verify the signature using the public key

The next problem you may encounter is the binding of an identity to a public key (as you wouldn't want to encrypt something with or trust something signed with the public key of an impostor). There are various models of public key distributions. Typically, you can have:

  • a web of trust, where people sign each other's association between the public key and the identity: this is typically the PGP model.
  • a public key infrastructure (PKI) where you get certification authorities to produce certificates, often with intermediates, in a tree-like hierarchy. (PGP can use this model too, but this seems less common.)
Answered Sep 17 '22 07:09 by Bruno
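The four operations listed in the answer, and the identity-binding problem it raises, worked through in code. This is an added example, not code from the original post or from the answerer. It is textbook RSA built from two small hand-picked primes with no padding, using only the Python standard library, so the numbers are tiny and the scheme is a teaching toy: real systems use RSA-OAEP and RSA-PSS (or an elliptic-curve scheme) from a vetted library. The names "Alice" and "Mallory", the primes, and the message are all constructed for the example. The last check also shows why "encrypt with the private key" (steps 6 and 7 in the question's summary) is a signature rather than secrecy: anyone holding the public key recovers the original value.

```python
"""Textbook RSA toy illustrating the four asymmetric operations.

Added example, not code from the original post. Small primes and NO padding:
a teaching aid only. Production code uses RSA-OAEP / RSA-PSS (or an
elliptic-curve scheme) from a vetted library, never this.
"""
import hashlib
from math import gcd

BLOCK = 3  # plaintext bytes per block; with a 0x01 prefix the block integer stays below n


def generate_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)). p and q are assumed prime and supplied by the
    caller; the demo uses primes near 1e6, so n is ~1e12 (absurdly small)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Operation 1: anyone holding the public key can encrypt."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block out of range")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Operation 2: only the private-key holder can decrypt."""
    d, n = private_key
    return pow(c, d, n)


def sign(private_key, message):
    """Operation 3: hash the message, apply the private key to the digest."""
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """Operation 4: apply the public key to the signature, compare digests."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


def encrypt_message(public_key, text):
    """Encrypt a string block by block. The 0x01 prefix keeps leading zero
    bytes recoverable after the integer round trip."""
    data = text.encode()
    return [
        encrypt(public_key, int.from_bytes(b"\x01" + data[i:i + BLOCK], "big"))
        for i in range(0, len(data), BLOCK)
    ]


def decrypt_message(private_key, blocks):
    """Inverse of encrypt_message; a wrong key almost always breaks the prefix."""
    out = bytearray()
    for c in blocks:
        m = decrypt(private_key, c)
        chunk = m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")
        if chunk[0] != 1:
            raise ValueError("bad block prefix: wrong key or corrupted block")
        out += chunk[1:]
    return out.decode()


def demo():
    """The question's web-app scenario with constructed keys: Alice is the
    legitimate user, Mallory an impostor who has her own key pair."""
    alice_pub, alice_priv = generate_keypair(1000003, 1000033)
    mallory_pub, mallory_priv = generate_keypair(1000037, 1000039)
    msg = b"transfer 100 to account 42"  # constructed sample message
    ct = encrypt_message(alice_pub, msg.decode())  # server -> Alice
    sig = sign(alice_priv, msg)                    # Alice -> server
    return {
        "roundtrip": decrypt_message(alice_priv, ct) == msg.decode(),
        "signature_valid": verify(alice_pub, msg, sig),
        "tampered_rejected": not verify(alice_pub, b"transfer 999 to account 42", sig),
        # Mallory's signature fails against Alice's public key ...
        "impostor_rejected": not verify(alice_pub, msg, sign(mallory_priv, msg)),
        # ... but passes if the server was tricked into trusting Mallory's key
        # as Alice's: the identity-binding problem the answer describes.
        "impostor_accepted_if_key_trusted": verify(mallory_pub, msg, sign(mallory_priv, msg)),
        # Applying the private key to data gives no secrecy; the public key undoes it.
        "private_key_gives_no_secrecy": encrypt(alice_pub, decrypt(alice_priv, 424242)) == 424242,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the file prints each check as True. The point of the last two entries is the one the answer makes: the arithmetic alone never tells the server whose public key it holds, which is what a web of trust or a PKI certificate is for, and the private-key operation proves origin, not confidentiality.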