# Thread: Asymmetric encryption - e.g. https:

1. By asymmetric encryption, I mean any encryption method which uses both private and public encryption keys.
Simply from curiosity, I have often wondered how https: (perhaps, the most common form of asymmetric encryption) works. For example, if Bank.com uses https: encryption, is the web page that it sends to your computer encrypted or not? If it is, then presumably it is encrypted by the private key used by Bank.com and decrypted using the public key which would be on your computer. I can't see any reason why it should be encrypted - but I don't know.
However, there appears to be some confusion as to whether or not public keys allow decryption.
For example, I have found the following two statements relating to asymmetric encryption.
From Wisegeek:
"This software uses two keys, known as a key pair. One is the public key, and can be freely shared or given to anyone because its only job is to encrypt."
Message - public keys don't decrypt.
From Microsoft:
"Any message that is encrypted by using the private key can only be decrypted by using the matching public key."
Message - public keys do decrypt!
So, to add to the first question, can public keys decrypt, or can't they?

2.

3. Please ignore - I will have to figure out how to break that up into readable paragraphs. Apologies.

4. Asymmetric key encryption (also called public key encryption) is accomplished by having the functions f(x) and g(x) such that:
- f(g(x)) = x [So you encrypt with one and decrypt with the other]
- given f (or g) it is very difficult to compute g (or f) [So it's computationally hard to break]

You then hand out the function g freely. Then anyone that wants to send you a message can encrypt it, give you g(message) and you can then use f to get the message back. Anyone else that looks at g(message) won't be able to read it.

Now, if g(f(x)) also equals x then either function can encrypt or decrypt (but you still don't want to give out f). In that case you can use the same set of keys to digitally sign something. To do that, you encrypt your message with your private key, f(message). Since anyone can get your public key, anyone can decrypt the message, but since only your public key can do that, only you could have encrypted it in the first place. If g(f(x)) isn't x, you'll need a second set of keys to do this (and then give out f' instead of g').

For RSA encryption, the most common public-key system right now, the functions are simply raising the (numerical) message to large powers. By carefully choosing the powers you can make f and g work like you want. And in this case g(f(x)) also works, so yes, you can encrypt with your public or private key depending on what you want to do.

5. Getting back to https: - if I am using an online banking site, I would expect that the web page that I type into would be encrypted using the public key before being sent back to the bank. However, when the web page is in transit from the bank's server to my browser, will it be encrypted then? This is the thing that puzzles me. If it is encrypted, then the public key would have to be used for decryption - contrary to what is implied by the Wisegeek comment above.

6. Originally Posted by JonG
contrary to what is implied by the Wisegeek comment above.
Wow, that member spent the time to enter a response and that's how you treat him?

7. Originally Posted by Chucknorium
Originally Posted by JonG
contrary to what is implied by the Wisegeek comment above.
Wow, that member spent the time to enter a response and that's how you treat him?
Sorry - I don't understand what you are saying. "Wisegeek" is a website, not a member. I referred to it in my original post. Please look here: wiseGEEK: clear answers for common questions

8. Originally Posted by JonG
Originally Posted by Chucknorium
Originally Posted by JonG
contrary to what is implied by the Wisegeek comment above.
Wow, that member spent the time to enter a response and that's how you treat him?
Sorry - I don't understand what you are saying. "Wisegeek" is a website, not a member. I referred to it in my original post.
My fault then. I thought you were deriding the poster MagiMaster. Just forget what I posted. Sorry.

I wish I could help with your questions. It's an interesting subject though.

9. I dunno, Wise Geek doesn't sound like a terrible thing to be called, to me, but anyway.

As I mentioned, RSA encryption in particular can encrypt or decrypt with either key depending on what you want to do. For an asymmetric key system where that wasn't possible, you'd just have to double the number of keys you keep (one private encrypt, one private decrypt, one public encrypt, one public decrypt).

For secure communications, both parties have their own private and public keys. So you encrypt your message to the bank with your private key and their public key and then they decrypt it with your public key and their private key. So no one else can read or spoof the messages. Of course, RSA encryption is pretty slow, so what often happens is that you use it to securely exchange details for a faster symmetric key system.

10. An extra note - Asymmetrical encryption is usually used to pass the secret key for a symmetric cipher (like CBC-MAC) and then that cipher is used for communication. It's all a question of performance; asymmetric encryption tends to be really, really slow.
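An added example, not part of any post in this thread: the f/g behaviour described in posts 4 and 9 (either RSA key can undo the other) and the hybrid scheme from posts 9 and 10 (RSA used only to pass a symmetric session key), in Python. The key is a toy built from two small known primes, there is no padding (real RSA uses OAEP for encryption and PSS for signatures), and `keystream_xor`, `client_send` and `server_receive` are hypothetical names, with the SHA-256 keystream standing in for a real cipher such as AES.

```python
import hashlib
import secrets

# Toy RSA key from two known Mersenne primes (constructed for this example;
# far too small and too structured for real use).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent

def g(x: int) -> int:
    """Public-key operation: anyone can run it."""
    return pow(x, E, N)

def f(x: int) -> int:
    """Private-key operation: only the key owner can run it."""
    return pow(x, D, N)

def digest(msg: bytes) -> int:
    """Hash a message to an integer below N so it can be signed."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> int:
    return f(digest(msg))              # "encrypt" the hash with the private key

def verify(msg: bytes, sig: int) -> bool:
    return g(sig) == digest(msg)       # "decrypt" with the public key and compare

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    Applying it twice with the same key restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def client_send(data: bytes):
    """Hybrid step: wrap a fresh 128-bit session key with g, encrypt data with it."""
    session_key = secrets.token_bytes(16)
    wrapped = g(int.from_bytes(session_key, "big"))
    return wrapped, keystream_xor(session_key, data)

def server_receive(wrapped: int, ciphertext: bytes) -> bytes:
    """Unwrap the session key with f, then decrypt the bulk data."""
    session_key = f(wrapped).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)
```

Only the slow RSA operation touches the 16-byte session key; everything after that, in both directions, is protected with the fast symmetric cipher.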

11. Originally Posted by MagiMaster
For secure communications, both parties have their own private and public keys. So you encrypt your message to the bank with your private key and their public key and then they decrypt it with your public key and their private key. So no one else can read or spoof the messages. Of course, RSA encryption is pretty slow, so what often happens is that you use it to securely exchange details for a faster symmetric key system.
That sounds reasonable, but it is the first time I have seen that put forward as an explanation, and I have looked around on the internet.

12. Originally Posted by JonG
That sounds reasonable, but it is the first time I have seen that put forward as an explanation, and I have looked around on the internet.
The use of symmetric encryption for the actual message flow or the use of two key pairs for communication in asymmetric encryption? The first is part of the SSL/TLS standard that HTTPS is built on. The second is part of the standard protocol, it's what makes the system asymmetrical.

13. Originally Posted by river_rat
The use of symmetric encryption for the actual message flow or the use of two key pairs for communication in asymmetric encryption? The first is part of the SSL/TLS standard that HTTPS is built on. The second is part of the standard protocol, it's what makes the system asymmetrical.
I was actually referring to two asymmetric key pairs. However, I understand little about these matters and I am looking at them simply from curiosity. (Please be aware that my understanding of encryption appears to be some way below yours.)
