HellBound Hackers | Computer General | Cryptography

End to End encryption email web application

drakoumel
Member

Posts: 3
Joined: 12.09.13
Rank:
Apprentice
Posted on 12-09-13 16:50
Hello all,
I hope this thread is within the scope of the forum; if not, feel free to say so. *grin*

For my final year project I would like to try and set up an end-to-end secure email web application (regardless of language, DB or server).

I was going through encryption methods and such and got stuck at public-key encryption.
Quoting from HowStuffWorks:

The sending computer encrypts the document with a symmetric key, then encrypts the symmetric key with the public key of the receiving computer. The receiving computer uses its private key to decode the symmetric key. It then uses the symmetric key to decode the document.

So the text gets encrypted using a symmetric key, and the symmetric key is encrypted using the public key of the receiving computer? But then the receiving computer uses its private key to decode the symmetric key? Why not use its own public key? I don't understand it and I am getting lost.

Furthermore, although I didn't fully understand public-key encryption and services that use it like PGP, I read on about digital certificates, but again I don't understand how reliable that is. Wouldn't it be better to continue using the authentication that the user used/passed in order to log in to his account?

In addition to all the above, I was wondering if there are any good steps that can be used in order to prove the security of the system.

This is my first contact with encryption methods and such, so please be a little patient with my ignorance.

Thank you even for reading!

P.S.
* Is there any better way known rather than public-key encryption? I've been wondering how good that is with the recent events and publications about NSA computer processing power.
RE: End to End encryption email web application

lolly
Member



Posts: 24
Joined: 02.08.12
Rank:
Wiseman
Warn Level: 30
Posted on 12-09-13 19:00
I'm in a rush so I can't give a super detailed answer, but here's a quick overview:

You more or less have the right idea. When you first make a connection over SSL to a website, they will send you their public key, what ciphers they support, and some additional info. Next, you decide whether or not you trust the key. If it's signed by a company like Verisign, you can decrypt the validation information that is sent along with the key (look up key signing).

If you don't trust the server, the connection is immediately terminated; otherwise you can choose a new encryption method to encrypt the data (generally AES) and send the server a symmetric key to encrypt/decrypt the data. The only reason we use an encryption method like AES over RSA is because AES is much faster. From this point, data is sent back and forth using the agreed encryption method with the agreed key.
RE: End to End encryption email web application

drakoumel
Member

Posts: 3
Joined: 12.09.13
Rank:
Apprentice
Posted on 13-09-13 03:34
So if I understood correctly, you explained a bit about the SSL connection with the web application/service and the certificates, but didn't mention anything about how the public key would work on an encrypted email sent to another user?

Don't get me wrong, I am just trying to understand, because I think I asked for a bit too much information in one go.

Thanks for the info though, much appreciated!
RE: End to End encryption email web application

rex_mundi
☆ Lucifer ☆



Posts: 1459
Location: Scotland
Joined: 20.02.08
Rank:
God
Posted on 13-09-13 03:57
The public key is just what it says it is, man: it's public. Anyone can search for it using your email address and add it to their own key management software.

The public key is used to encrypt the email you send to the person you got it from, they use the private key to decrypt it.

You should also have generated a revocation certificate, so that if the private key is ever compromised you can invalidate your public key.
U N Ⓡⓔⓧ_Ⓜⓤⓝⓓⓘ
RE: End to End encryption email web application

drakoumel
Member

Posts: 3
Joined: 12.09.13
Rank:
Apprentice
Posted on 13-09-13 12:54
If you encrypt with the public key, why does the other person need the private key to decrypt it?

Edited by drakoumel on 13-09-13 12:56
RE: End to End encryption email web application

rex_mundi
☆ Lucifer ☆



Posts: 1459
Location: Scotland
Joined: 20.02.08
Rank:
God
Posted on 14-09-13 04:42
Because the key pair is mathematically related, whatever is encrypted with a public key can only be decrypted by its corresponding private key.

Even if someone else gains access to the encrypted data, it will remain confidential as they should not have access to the private key.

Without the private key, no one can decrypt the encrypted data.

Edited by rex_mundi on 14-09-13 04:44
U N Ⓡⓔⓧ_Ⓜⓤⓝⓓⓘ
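Putting the thread together, drakoumel's HowStuffWorks quote and "why not use its own public key?" and rex_mundi's answer that only the corresponding private key decrypts: the Go example below is added here and is not code from anyone in this thread (standard library only). It performs the hybrid scheme from the quote, AES-256-GCM for the email body and RSA-OAEP to wrap the per-message AES key with the recipient's public key, then shows that the recipient's private key recovers the body while a different private key, whose owner can see exactly the same public key and the same envelope, is refused at the unwrap step. The key pairs and the message body are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels with the email: the per-message AES key wrapped
// with the recipient's RSA public key, plus the AES-GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal is the sending side: a fresh random symmetric key encrypts the body,
// then the recipient's PUBLIC key encrypts (wraps) that symmetric key.
func Seal(recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 key, used for this one message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// RSA-OAEP wraps only the 32-byte key; the body itself never goes through RSA.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, body, nil),
	}, nil
}

// Open is the receiving side: only the matching PRIVATE key can unwrap the
// symmetric key, and only that symmetric key can then decrypt the body.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap symmetric key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo wires both sides together with constructed key pairs. It returns the
// body the real recipient recovers and whether the holder of a different
// private key (who also sees the public key and the envelope) is refused.
func Demo() (recovered string, otherKeyRefused bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	env, err := Seal(&recipient.PublicKey, []byte("constructed sample email body"))
	if err != nil {
		return "", false, err
	}
	plain, err := Open(recipient, env)
	if err != nil {
		return "", false, err
	}
	_, wrongErr := Open(someoneElse, env) // OAEP check fails: not the matching private key
	return string(plain), wrongErr != nil, nil
}

func main() {
	fmt.Println(Demo())
}
```

The design point for an email application is in `Seal`: the sender needs nothing secret, only the recipient's public key, so anyone can encrypt to you; the private key never leaves the recipient, so nobody else can read what was encrypted to you, which is why the receiving side in the quote must use its private key and not its public one.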