Keys for Different Purposes
And here you thought keys were just used to start encryption and decryption! Not to burst your bubble, but keys are used for many, many different purposes now. This has nothing to do with the algorithm, key length, or passphrase; it’s about what the key is going to be used for. I refer to these as different classes of keys. A lot of this has to do with PKI and, to be honest, most of the time you don’t have to interact with anything to use these keys — the programs or applications use different protocols to make sure the appropriate keys are made and used.
Here’s a quick breakdown of the various classes of keys:
Signing keys — These keys are used to create digital signatures.
Authentication keys — These keys are often used to authenticate computers to computers or users to computers. SSL keys are used to authenticate computers to computers, for example. You’ll also find authentication keys used in PKI systems to authenticate users to systems.
Data encryption — These are the keys you are probably most familiar with because they are used to encrypt files or messages that will be kept for a long time.
Session keys (short-term) — These keys normally used to encrypt a secure channel across the network (or Internet) for a short period of time. These keys are thrown away at the end of the session.
Key encrypting keys — These keys are also known by the acronym, KEK. If your application needs to send a key to the other end, but doesn’t want to send it in the clear, that key is often “wrapped” or encrypted with another key called a KEK.
Root key — This is a master key of sorts used for signing all keys that originate from an authoritative source: a company or a trusted third party such as a Certificate Authority and your own master key can do all of these things – at least it should be able too.
One Key; Two Keys . . .
There are encryption algorithms that only generate one key and others that generate two keys. The keys made by the single-key algorithms are called symmetric keys. That doesn’t mean that each key is shaped the same, or that one side looks the same as the other, it simply means that the same key is used to encrypt data and decrypt data. Both keys are made of the exact same data. Sometimes you’ll see this referred to as a secret key, but I’ll call it a symmetric
key for now just to help keep things straight.
Some encryption algorithms generate two keys, and that’s called asymmetric algorithms with asymmetric keys. What this means is that two keys are generated; one key is kept by the user and the other key is shared with anyone the user wants to have it. The keys are different from one another and don’t seem to have any connection to one another. However, hidden in the keys is some special stuff that indicates they have some mathematic properties in common.
This “special stuff” is not obvious, either. These keys are also known as public/private keys. The public key is one you give to other people. The private key is the one you keep to yourself and never share with anyone. I explain how that works in a minute.
One thing I want you to note is that sometimes people mistakenly call their private key a secret key. As you can see, this creates a lot of confusion because the single key created by a symmetric algorithm is also known as a secret key. I can’t stop people from making incorrect references, otherwise I’d wave my magic wand and make everyone do things right. (Chey for President?) What you can do is question a person’s use of the phrase “secret key” by asking them if they mean a single key, or one of a key pair. If they really mean one of the keys of a key pair, then they really mean “private key.”
So, here’s how you start using public and private keys:
1. The algorithm is told to generate the keys. (If you are using GPG or similar, it will ask for your passphrase at this point.)
2. Your computer stores the two files: a private key and a public key.
3. You can copy or move your private key to a safe place like a SD Card or USB drive.
4. If you want others to have immediate, unlimited access to your public key, you send your public key to a public key server. (There are hundreds of public key servers — a very popular one is www.keyserver.net/en .)
5. If you want to limit who has your public key, you send it to those people in an e-mail message (or similar).
6. Now you’re ready to start encrypting and decrypting messages. You can’t do this with a wave of your hand, though; you need special programs capable of handling encryption and decryption. E-mail programs generally all have this capability. Use Thunderbird with enigmail as your first choice.
These keys are “linked” to each other by some special math operations done by the encryption algorithm. I’m being overly simplistic here, but imagine you have one key and you break it down the middle: One part is your public key and the other part is your private key (see following graph).
How does it all work???
We are not going to get into the maths – there are plenty of PDFs on the maths. So Bob and Alice.
(1) Bob and Alice have created their private and public keys. They have met each they know each and they both e-mail their public keys to each other.
(2) Bob attaches some confidential material to his e-mail and wishes to sign and encrypt it – he selects the file attachment writes a few words to Alice and then encrypts – the e–mail programme will ask who you want to encrypt the message too – you select Alice – before sending it will then ask for your passphrase. Then the software will encrypt and send the email to Alice.
(3) Alice gets Bob’s email. She can not open it without entering her passphrase. No one else can open that message. As Bob signed it any interference a change in bit order will be detected – but lets say no one has tried to tamper with it.
(4) Alice enters her passphrase and can read the message and see the attached documents.
With Enigmail within Thunderbird you can create rules who you want to encrypt to or sign. Always send e-mail as plain txt. Always read emails as plain txt this will save you from malware attacks etc.. All very simple. The rule is you always encrypt to some one else’s public key. Unless of course you encrypt a file for your eyes only.
It’s good practice to attach your public key to e-mails you send to others. But bear in mind gmail and others may not like this – and strip it out. It is also to be noted that public e-mail providers have all got back doors in them by the intelligence agencies.
Social media sites will send a report to the intelligence services if you start sending encrypted mail to people. As stated ALL social media sites are working with the intelligence services.
Here is what encryption can do to a plain text message. You may be a member of a FaceBook group like “Practical Lawful Dissent” and are asking all members to attend a special meeting with the Barons. I’m just going to do a “Hello World in an e-mail.”
“Hello World” or please attend a special meeting at “xx xxxx xxxxxxxx xxxx xxx” on “xx xx xxxx” at “xxxx” would be very easy to read – and for the police and intelligence services you have given them a week to make arrangements to spy on you. Now look at this:
From – Thu Dec 21 11:53:44 2017
To: “email@example.com” <firstname.lastname@example.org>
From: “email@example.com” <firstname.lastname@example.org>
Date: Thu, 21 Dec 2017 11:53:43 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
Content-Description: PGP/MIME version identification
Content-Type: application/octet-stream; name=”encrypted.asc”
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename=”encrypted.asc”
—–BEGIN PGP MESSAGE—–
hQIMA9IbRAX92h7yAQ//WdfxeSfv/NRfVxlzyX9ez14TKNir6iDToXp/6U+T887T KJj26FlTbrpKVOOH7T3qlSs860/RM90pxMLY3PvyNkdzEz5MWKVPGIdUQ5McEp/G a+ABIWeK/lQd93ALUSxE3CiWZreGmycg/Pmt7dAacqIVnZQYcGx ps/jiEPVKDzR SO/5RG0dmwKZdUDIAWqR6HqW8ogCJncIzHTUift9Xsx813WT+vc9A/dhx8EPUAwF
—–END PGP MESSAGE—–
Makes no sense to attempt to read and it makes no sense to try and crack the code.