Hope this thread is within the scope of the forum. If not, feel free to say so.
For my final year project I would like to try and set up an end-to-end secure email web application (regardless of language, DB or server).
I was going through encryptions and such and got stuck at public-key encryption.
Quoting from HowStuffWorks:
The sending computer encrypts the document with a symmetric key, then encrypts the symmetric key with the public key of the receiving computer. The receiving computer uses its private key to decode the symmetric key. It then uses the symmetric key to decode the document.
So the text gets encrypted using a symmetric key and the symmetric key is encrypted using the public key of the receiving comp? But then the receiving comp uses its private key to decode the symmetric key? Why not use its own public key? I don't understand it and I am getting lost.
Furthermore, although I didn't fully understand public-key encryption and services that use it like PGP, I read on about digital certificates, but again I don't understand how reliable that is. Wouldn't it be better to continue using the authentication that the user used/passed in order to log in to his account?
In addition to all the above I was wondering if there are any good steps that can be used in order to prove the security of the system.
This is my first contact with encryption methods and such so please be a little patient with my ignorance.
Thank you even for reading!
* Is there any better way known rather than public-key encryption? Been wondering how good that is with the recent events and publications about NSA computer processing power.
In a rush so I can't give a super detailed answer but here's a quick overview:
You more or less have the right idea. When you first make a connection over SSL to a website, they will send you their public key, what ciphers they support, and some additional info. Next, you decide whether or not you trust the key. If it's signed by a company like Verisign, you can decrypt the validation information that is sent along with the key (look up key signing).
If you don't trust the server, the connection is immediately terminated; otherwise you can choose a new encryption method to encrypt the data (generally AES) and send the server a symmetric key to encrypt/decrypt the data. The only reason we use an encryption method like AES over RSA is because AES is much faster. From this point, data is sent back and forth using the agreed encryption method with the agreed key.
So if I understood correctly, you explained a bit about the SSL connection with the web application/service and the certificates, but didn't mention anything about how the public key would work on an encrypted email sent to another user?
Don't get me wrong, I am just trying to understand, because I think I asked for a bit too much information in one go.
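The hybrid scheme from the HowStuffWorks quote, applied to one email between two users, as an added example that is not part of the original thread. It uses Node's built-in `crypto` module; the function names, the sample message, and the choice of AES-256-GCM with RSA-OAEP are assumptions made for the illustration.

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// The recipient generates the pair once. The public half is handed out freely;
// the private half never leaves the recipient.
function newKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender side: needs only the recipient's PUBLIC key.
function encryptMail(body, recipientPublicKey) {
  const sessionKey = nodeCrypto.randomBytes(32); // fresh symmetric key per message
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();               // detects tampering with the body
  // Only the small session key goes through the slow public-key operation.
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, tag, ciphertext };
}

// Recipient side: unwrapping the session key requires the PRIVATE key.
function decryptMail(msg, recipientPrivateKey) {
  const sessionKey = nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

// True only if `key` can recover the message.
function canRead(msg, key) {
  try { decryptMail(msg, key); return true; } catch (err) { return false; }
}

// Constructed sample run: one recipient, one other user with their own key pair.
const recipient = newKeyPair();
const someoneElse = newKeyPair();
const mail = encryptMail('Project meeting moved to 10:00', recipient.publicKey);

console.log(decryptMail(mail, recipient.privateKey));   // the original text
console.log(canRead(mail, recipient.publicKey));        // false: everyone has this key
console.log(canRead(mail, someoneElse.privateKey));     // false: wrong private key
```

If the public key could undo its own encryption, anyone holding it (which is everyone) could read the mail; the wrapped session key is only useful to the holder of the matching private key.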