Never Give Out Your Private Key for Public-Key Cryptography (And I'm Not Joking)


I saw this tweet on Twitter

Well, the content itself is clearly a joke, so I was going to laugh and ignore it. However, the ensuing thread is somehow "???", so I'm writing this knowing full well I might be ridiculed for "taking a joke too seriously."

What is Encryption?

First, let's start with the basics. Since there seem to be people in the world who cannot distinguish between "encryption," "encoding," "steganography," and "codewords," I will define "encryption" for the purpose of this article.

When represented conceptually with mathematical formulas, encryption looks like this. The first equation represents "encryption," and the second represents "decryption."

$$
\begin{aligned} S' &= F(S,K_1) \\ S &= F^{-1}(S',K_2) \end{aligned}
$$

In encryption, a function F is applied to the original data S along with a parameter K_1 to generate new data S'. By the way, the original data S is called "plaintext," and the new data S' is called "ciphertext." A key feature is that the plaintext S cannot be inferred (deciphered) from the ciphertext S'. In decryption, a function F^{-1} is applied to the ciphertext S' along with a parameter K_2 to restore the plaintext S.

The set of functions F and F^{-1} is called an "encryption scheme" or simply an "algorithm," and the parameters K_1 and K_2 are called "keys." In this way, technology that keeps data confidential by combining three elements—data, algorithm, and key—is "encryption."

A well-made cipher is designed so that its strength (resistance to being broken) depends solely on the key, whose strength is expressed as its "key length." In computer systems, algorithms are written as program code and cannot be kept secret. On the other hand, since the key is data independent of the program, the plaintext stays protected as long as the key remains secret.

That should cover the definitions and terminology.

Symmetric-Key and Public-Key Cryptography

An encryption scheme where the keys K_1 and K_2 in the above equations are the same value is called "symmetric-key cryptography." It is also sometimes referred to as "symmetric cryptography" or "secret-key cryptography."

The characteristics of symmetric-key cryptography are as follows:

  • High processing speed for encryption and decryption
  • Data size is almost the same for plaintext and ciphertext
  • Parties exchanging ciphertext must share the key, and it must not be known to third parties (key distribution problem)

On the other hand, an encryption scheme where the keys K_1 and K_2 have different values is called "public-key cryptography." Additionally, the key K_1 used for encryption F is called the "public key," and the key K_2 used for decryption F^{-1} is called the "private key." A key feature is that the private key cannot be inferred from the public key (the reverse is possible: the public key can be derived from the private key).

Other characteristics of public-key cryptography are as follows:

  • The public key can be known to third parties. The private key must not be known to anyone.
  • Processing speed for encryption and decryption is slower compared to symmetric-key cryptography.
  • The ciphertext size becomes huge compared to the plaintext (generally double or more).
  • The key length becomes huge compared to symmetric-key cryptography of the same strength (depending on the algorithm, anywhere from twice to dozens of times larger).

Hybrid Cryptography

As mentioned above, symmetric-key cryptography is a convenient and excellent encryption method, but it has the fatal flaw of the key distribution problem. Conversely, public-key cryptography is poor in efficiency and usability, but it has one decisive advantage: the private key never needs to be shared with anyone.

Therefore, in actual data encryption operations, "hybrid cryptography," which combines symmetric-key cryptography and public-key cryptography, is used.

For example, the following diagram shows the steps for encrypting a message (plaintext) using OpenPGP.

Encryption with OpenPGP

The decryption procedure is shown in the diagram below.

Decryption with OpenPGP

As you can see, there is no need to use the sender's key at all.

Some might think, "Wait, then the sender of the ciphertext won't be able to decrypt it," but this is not a problem if you encrypt the session key with the public keys of both the sender and the receiver.

For example, in GnuPG, an implementation of OpenPGP, you can use multiple public keys to encrypt the message hello, world as shown below:

$ echo hello, world | gpg -ea -r alice -r bob
-----BEGIN PGP MESSAGE-----

hF4DUA0A1lShMzISAQdA2offsY8f1eSp5d7jVc7u9RsXQsFjPSBXcNME4BfcgVIw
P17ibgwnl9QTNpOSUUi3877AKuy4Oblp4QkiPbNQ4mHttq/Eq2pWyWmC2fMh14QW
hF4DGCdC1cDKKBUSAQdA7SPVL/VxyoNvgWxT7Fx9oswgFSg1oJ+q/aVZjyARzF8w
D2fqYjsnfa1CKAo9uwHkIIGPLgOc3VXlH9mMr/jrxQyLDYUOlCXVIqshBhRQsx7l
0kgBrmGKFcFR4MXiNnK8Y6bJxtm3koru1FrPQUPYx8/1tbWGzyqL7b5oHXtsL8tb
wY/NB5Nl6o7oJ51Yo12mflHKx6NOM6r9ruI=
=pFvw
-----END PGP MESSAGE-----

By the way, if you visualize it using my tool gpgpdump:

$ echo hello, world | gpg -ea -r alice -r bob | gpgpdump
Public-Key Encrypted Session Key Packet (tag 1) (94 bytes)
	Version: 3 (current)
	Key ID: 0x500d00d654a13332
	Public-key Algorithm: ECDH public key algorithm (pub 18)
	ECDH EC point (Native point format of the curve follows) (263 bits)
	symmetric key (encoded) (48 bytes)
Public-Key Encrypted Session Key Packet (tag 1) (94 bytes)
	Version: 3 (current)
	Key ID: 0x182742d5c0ca2815
	Public-key Algorithm: ECDH public key algorithm (pub 18)
	ECDH EC point (Native point format of the curve follows) (263 bits)
	symmetric key (encoded) (48 bytes)
Sym. Encrypted Integrity Protected Data Packet (tag 18) (72 bytes)
	Encrypted data (plain text + MDC SHA1(20 bytes); sym alg is specified in pub-key encrypted session key)

You can see that there are multiple encrypted session key packets.

Also, if you write the following in your gpg.conf file:

default-key alice
default-recipient-self

it will always encrypt using alice's key.

[Bonus] What if the authorities say, "Give us your private key!"

GnuPG has an option to extract session keys.

First, if you add --show-session-key to a normal decryption:

$ cat hello.asc | gpg --show-session-key -d
gpg: encrypted with 256-bit ECDH key, ID 182742D5C0CA2815, created 2020-09-25
      "Bob <bob@example.com>"
gpg: encrypted with 256-bit ECDH key, ID 500D00D654A13332, created 2020-09-25
      "Alice <alice@example.com>"
gpg: session key: '9:AF823E9A36B9E4E49A2715DAD055DEE23E4169C0BFE4DAA8A7EC330582F34515'
hello, world

You can extract the session key like '9:AF823...'. If you specify this session key with the --override-session-key option during decryption:

$ cat hello.asc | gpg --override-session-key "9:AF823E9A36B9E4E49A2715DAD055DEE23E4169C0BFE4DAA8A7EC330582F34515" -d
gpg: encrypted with 256-bit ECDH key, ID 182742D5C0CA2815, created 2020-09-25
      "Bob <bob@example.com>"
gpg: encrypted with 256-bit ECDH key, ID 500D00D654A13332, created 2020-09-25
      "Alice <alice@example.com>"
hello, world

You can decrypt without being asked for a passphrase and without the private key.

This feature exists so that, when investigators demand the private key, you can hand over only the session key, letting them decrypt just the specific ciphertext the investigation needs.
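As an added example that is not part of the original article, of GnuPG or of gpgpdump, the following Go model ties together the hybrid scheme from the OpenPGP section (one session key, wrapped once per recipient) and the session-key handover just described. It is a constructed toy layout using X25519 and AES-256-GCM with SHA-256 standing in for OpenPGP's KDF, not the OpenPGP packet format; the names Message, PKESK, Encrypt, UnwrapSessionKey and Decrypt are all assumptions made here.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)
type PKESK struct{ Ephemeral, Wrapped []byte } // one recipient's packet: sender's one-time X25519 pub + wrapped session key
type Message struct { // stand-in for an OpenPGP message (constructed layout, not the real wire format)
	PKESKs map[string]PKESK // keyed by a key ID, here simply the raw recipient public key
	Body   []byte           // plaintext sealed with AES-256-GCM under the session key
}
var nonce = make([]byte, 12) // every key here seals exactly one thing, so a fixed nonce never repeats
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes, so no error
	a, _ := cipher.NewGCM(block)
	return a
}
func kek(priv *ecdh.PrivateKey, pubBytes []byte) (cipher.AEAD, error) { // SHA-256(X25519) stands in for OpenPGP's KDF
	pub, err := ecdh.X25519().NewPublicKey(pubBytes) // rejects anything but 32 bytes, including nil
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub) // rejects low-order points
	k := sha256.Sum256(shared)
	return gcm(k[:]), err
}
func Encrypt(plain []byte, rcpts ...*ecdh.PublicKey) (*Message, []byte) { // one session key, wrapped once per recipient
	sk := make([]byte, 32)
	rand.Read(sk)
	m := &Message{PKESKs: map[string]PKESK{}, Body: gcm(sk).Seal(nil, nonce, plain, nil)}
	for _, pub := range rcpts {
		eph, _ := ecdh.X25519().GenerateKey(rand.Reader) // fails only if rand.Reader does
		k, _ := kek(eph, pub.Bytes())                     // recipient keys are trusted input here
		m.PKESKs[string(pub.Bytes())] = PKESK{eph.PublicKey().Bytes(), k.Seal(nil, nonce, sk, nil)}
	}
	return m, sk // sk is what gpg --show-session-key prints
}
func UnwrapSessionKey(m *Message, priv *ecdh.PrivateKey) ([]byte, error) { // the only step that needs a private key
	p := m.PKESKs[string(priv.PublicKey().Bytes())] // zero value (nil fields) when no packet was made for this key
	k, err := kek(priv, p.Ephemeral)
	if err != nil {
		return nil, err
	}
	return k.Open(nil, nonce, p.Wrapped, nil)
}
func Decrypt(m *Message, sk []byte) ([]byte, error) { // needs no private key at all: gpg --override-session-key
	return gcm(sk).Open(nil, nonce, m.Body, nil)
}
```

Each recipient unwraps the same session key with their own private key, and Decrypt takes only that session key, so the private key itself never has to leave its owner.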

So, listen

You must never give away the private key of public-key cryptography. This is not a setup for a joke!

References

I recommend reading Hiroshi Yuki's book for more:

https://www.amazon.co.jp/dp/B015643CPE

In particular, since certifying who a public key belongs to is at the core of public-key cryptography and public-key infrastructure (PKI), please read this book to further your understanding.

This book will also be useful regarding "key exchange," which frequently appears in transport encryption.
