That's being unfair. I liked the free domain policy, and it will probably end up being good for .cx in the end, but if they don't want to give their domains away, that's their right.
FYI, this policy change came about because the original .cx registrar, niccx.com, recently had their monopoly removed, and a bunch of conditions forced upon them.
Here's a snippet from an email they sent out recently to .cx domain holders:
The main reasons for this are as follows:
We at NICCX.COM have finally decided not to become a registrar in the new shared registry system that is currently being developed by Dot CX.
- Most of you have told us they wouldn't accept to pay any more money
for their cx domain. A substantial increase of registry fees would
be inevitable if we were to participate in the shared registry.
- We have always tried to be 'the registrar with a difference'.
The terms and conditions for registrars in the new registry system
wouldn't leave us too many options on how we handle registrations.
For instance we wouldn't be able to offer 'test registrations'
(ie. you register and set up your domains first, and pay only
after it's all working), or free/discounted domains for certain
groups (open source developers, CX residents, etc) anymore.
>Basically, you place a reflective dot on your forehead or, for laptop users, a plastic ring on your finger.
I know it's a stretch, but I just have to add:
Rev.13:16: And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
17: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.
Adds a whole new dimension to one-click shopping, eh?
Since nobody seems to understand what I mean about digital signatures, please read about them here or read this excerpt:
To summarize, in public key cryptosystems, a sender can use his/her private key as his/her digital signature. Since it is only known by him/her, a forgery of the signature is not possible with today's algorithms. At the other side of the communication link, the receiver can confirm the authorship of the message by using the public key of the claimed sender; so the public key provides an accurate authentication for the receiver. On the other hand, by also encrypting the message with the receiver's public key, the sender prevents intruders from obtaining the message in plain form. Although the intruders can know the public key of the sender, they still need the private key of the receiver to decrypt the overheard message. Hence, as long as the private key is private to the receiver, the overheard messages do not contain any meaning for the intruders.
Steve
--
Stephen Forrest
4N PM/CS, University of Waterloo
No, I meant exactly what I said with regard to public & private keys. One important property of most public-key cryptography is the following:
E(D(M))=D(E(M))=M
that is, that decryption and encryption are inverse operations.
Signatures, at least in RSA, rely on this fact. When I encrypt something using my private key, anybody in the world can decrypt it if they have my public key. This allows anybody to verify that the original message actually came from me, because only I could have initially encrypted it (since only I have my private key).
My original question still stands: if Joe Random Hacker distributes a hacked version of Jill's public key, can he then appear to send messages as Bob to Jill?
What are the implications of this vulnerability for digital signatures?
The standard thing to do when Bob is "signing" a message is for Bob to encrypt it with his private key. Then when Jill gets the message, she decrypts it using Bob's public key, and therefore knows it's from him.
Now, if Jill is using a hypothetical hacked-up version of Bob's public key, does this mean that Joe Random Hacker can send messages that appear to come from Bob, since the public key is associated both with Bob and with Joe's bogus "ADK"?
I agree this is a problem, but it doesn't render PGP useless.
Just make sure, when you get someone's public key, that it comes from an "authentic" source.
It's a good try, though.
Steve
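As an added example (not code from this thread, and not PGP's own implementation), here is textbook RSA in Python showing the three things argued over above: that E(D(M)) = D(E(M)) = M, that "encrypt with the private key, decrypt with the public key" gives a signature, and what happens when the copy of "Bob's" public key that Jill holds has actually been substituted by Joe. Joe's signature verifies under the substituted key but not under Bob's real one, and a fingerprint comparison against a key obtained from an authentic source (Steve's point) rejects it. The primes, the message, the truncated hash and the fingerprint/pinning helpers are constructed for the demo and are assumptions of this example; the moduli are far too small for real use, and the actual ADK mechanism is not modelled.

```python
"""Toy RSA: inverse property, private-key signing, and key substitution.

Added example, not code from the original thread or from PGP. Primes,
names (Bob, Jill, Joe), the message and the fingerprint scheme are all
constructed for the demo. Needs Python 3.8+ for pow(e, -1, phi).
"""
import hashlib


def keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p, q (assumed prime, not checked)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)


def encrypt(pub, m):
    """E: apply the public exponent to an integer m < n."""
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    """D: apply the private exponent."""
    n, d = priv
    return pow(c, d, n)


def inverse_property_holds(pub, priv, m):
    """Check the thread's claim E(D(M)) == D(E(M)) == M for a message m < n."""
    return encrypt(pub, decrypt(priv, m)) == m and decrypt(priv, encrypt(pub, m)) == m


def digest_int(msg):
    """Hash the message; truncated to 32 bits only so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:4], "big")


def sign(priv, msg):
    """'Encrypt with the private key': s = D(H(msg))."""
    return decrypt(priv, digest_int(msg))


def verify(pub, msg, sig):
    """'Decrypt with the public key': accept iff E(s) == H(msg)."""
    return encrypt(pub, sig) == digest_int(msg)


def fingerprint(pub):
    """Constructed fingerprint of a public key, as Jill would compare out of band."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def verify_with_pinned_key(pub, pinned_fp, msg, sig):
    """Refuse to verify under any key whose fingerprint Jill did not confirm."""
    if fingerprint(pub) != pinned_fp:
        return False
    return verify(pub, msg, sig)


def impersonation_demo():
    """Joe substitutes his own key for Bob's in Jill's keyring and signs as 'Bob'."""
    bob_pub, bob_priv = keygen(1000003, 999983)   # constructed small primes
    joe_pub, joe_priv = keygen(1000037, 1000039)  # constructed small primes
    msg = b"From Bob to Jill: send the payment to Joe"
    # Joe signs with his own private key and hands Jill joe_pub labelled "Bob".
    forged = sign(joe_priv, msg)
    pinned = fingerprint(bob_pub)  # what Jill got from an authentic source
    return {
        "genuine_verifies": verify(bob_pub, msg, sign(bob_priv, msg)),
        "forged_under_real_key": verify(bob_pub, msg, forged),
        "forged_under_substituted_key": verify(joe_pub, msg, forged),
        "forged_under_pinned_check": verify_with_pinned_key(joe_pub, pinned, msg, forged),
    }


if __name__ == "__main__":
    for name, result in impersonation_demo().items():
        print(f"{name}: {result}")
```

The point the demo makes is that the mathematics never fails: the forged signature is a perfectly valid signature under Joe's key. What fails is the binding between "this key" and "Bob", which is why the only defence is to check that binding through a channel Joe does not control (a fingerprint read over the phone, a signature from a key already trusted, and so on) before accepting the key.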