4

I'm working on a Single Sign On solution to allow my company to integrate with other vendors.

As I'm doing my research, one thing is constantly confusing me.

My understanding of Public/Private key is that data is always encrypted with the vendor's public key and they decrypt using their private key. So far so good.

However, to validate that the message is really coming from me, I will compute the hash of the message and encrypt the hash with my private key (this process is also known as signing). To verify that the message is coming from me, the vendor will use my public key to decrypt the Hash and compare it with the unencrypted hash. If they match, the vendor can be confident that it came from me.

So how come my private key is used to encrypt the message..and how can public key decrypt the message? I thought Asymmetric keys doesn't allow that..! i.e Public Key always encrypts and private key always decrypts. Any explanations will be greatly appreciated..!

Iftikhar Ali
  • 369
  • 3
  • 12

3 Answers3

2

i found this link very helpful : http://www.nusphere.com/products/library/ssl.htm

Wayback Machine archive from 2007 of the above nusphere link.

HTH Ohad

EDIT

after 2.5 years, I see that the link is broken. So this one is good as well.

And in case it will be broken again in 2.5 years from today, here is the summary:

The Public Key is what its name suggests - Public. It is made available to everyone via a publicly accessible repository or directory. On the other hand, the Private Key must remain confidential to its respective owner.

Because the key pair is mathematically related, whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa.

Public Key Cryptography can therefore achieve Confidentiality. However another important aspect of Public Key Cryptography is its ability to create a Digital Signature.

BillD
  • 23
  • 5
OhadR
  • 8,276
  • 3
  • 47
  • 53
2

Encryption and signature are two different systems. In some ways, they work in opposite directions.

With public-key encryption, anybody can encrypt data with the public key. Only the owner of the private key can decrypt encrypted messages to recover the data.

With signatures, only the owner of the private key can sign messages. Anybody can use the public key to verify the signature of a message.

My understanding of Public/Private key is that data is always encrypted with the vendor's public key and they decrypt using their private key.

That's correct. But it only covers public-key encryption, not other uses of public-key cryptography such as signatures.

However, to validate that the message is really coming from me, I will compute the hash of the message and encrypt the hash with my private key (this process is also known as signing).

Actually, this process should only be known as signing. Calling it “encrypting with my private key” is very misleading: that's not the way it actually works. There is one popular type of keys (RSA) which can be used for both signature and encryption, but even with RSA, the signature and decryption mechanisms are different.

To verify that the message is coming from me, the vendor will use my public key to decrypt the Hash and compare it with the unencrypted hash. If they match, the vendor can be confident that it came from me.

That's not quite correct. Many signature algorithms are not deterministic. Verifying a signature is not done by reversing the signature process, but by making some slightly different calculations involving the signature, the message and the key.

So how come my private key is used to encrypt the message..and how can public key decrypt the message? I thought Asymmetric keys doesn't allow that..! i.e Public Key always encrypts and private key always decrypts. Any explanations will be greatly appreciated..!

The private key is used to sign the message, not to encrypt it. The public key is used to verify the signed message, not to decrypt it.

Gilles 'SO- stop being evil'
  • 104,111
  • 38
  • 209
  • 254
1

The difference between symmetric and asymmetric encryption is only the existence of private and public keys.

Nevertheless in the common algorithms you can use the private key to encrypt messages which can be decrypted with the public key and you can also decrypt messages which are encrypted with the public key. So it is possible in both directions.

blacklwhite
  • 1,888
  • 1
  • 12
  • 17
  • 1
    Yes, this is how Root Certificates also work. The browser validates certificate submitted by the server against the root certificate installed in the browser. The Root CA public key is used to decrypt the 'encrypted' public key in the cert. But is it correct to say that private key encryption should only used for signing etc and actual business data should always be encrypted using vendor's public key. – Iftikhar Ali Jan 29 '12 at 01:56
  • Well, the Root Certificates are based on the concept of RSA-Cryptography (http://en.wikipedia.org/wiki/RSA_(algorithm)) which I mentioned in my answer. But you can also use business data for encryption with your private key. Usually it is so as you described. But you can theoretically de- and encrypt anything with the keys. – blacklwhite Jan 29 '12 at 02:08
  • This is not true. Even with RSA, signature and decryption are different operations. Part of the process is the same (the modular exponentiation), but the rest of the process (padding) is different. – Gilles 'SO- stop being evil' Mar 19 '19 at 01:29