tags:

views:

55

answers:

3
+1  Q: 

Is there a way to alter a public key in a way that the decryption can still be done with the private key after some alteration?

In an asymetric encryption scheme, I was wondering if it's possible to achieve the following:

  1. Bob sends to Alice his public key
  2. Alice alters Bob's public key and encrypt some document with it
  3. Alice sends the encrypted document to Bob
  4. Bob retrieve the document but can't decrypt it with his private key
  5. Later, Alice sends some additional information (probably related to the method she used to alter Bob's public key) to Bob
  6. Bob uses this additional information to modify his private key and successfully decrypt the document

Anyone?

I am assuming RSA for the keys generation, encryption and decryption but if it's easier to do with another scheme feel free to comment.

A: 

Hmm, interesting.

You're referring to RSA, I assume?

FYI, RSA isn't actually used to encrypt documents. It's used to exchange keys (keys for a symmetric algorithm, like AES).

So what you're really talking about is an approach that changes the keys.

Technically (mathmatically) if you put a different number in, you'll get a different number out. So that's not an issue; changing the public key in some fashion will (assuming you convince your RSA implementation to use it, or prepare an appropriately different number) result in a different symmetric key, thus an undecryptable document by Bob (because he'll expect a different key).

Really, though, I'm not so sure you care about this. It's a fairly useless thing to do. Perhaps, however, you're actually interested in Key Splitting (or "Secret Sharing" as wikipedia seems to call it).

HTH. I'm by no means an expert.

Noon Silk  2010-03-02 08:09:18
What I am looking for is a way to unlock the encryption by exchanging some third information on top of an existing asymetric encryption.Thanks for the link to Key Splitting. I will look into it.
Kenji Baheux  2010-03-02 08:15:16
@Kenji: Yes, then Key Splitting is what you want. This will allow you to safely distribute the key between two people, and ensure it can only be used when they collaborate (i.e., join the key).
Noon Silk  2010-03-02 08:16:22
The wikipedia introduction starts with "in a secret sharing scheme there is one dealer and n players" but I supposed that n >= 2 so I am not yet sure Key Spltting is useful for my scenario (Alice is the dealer and Bob is the player). Still need to think about it.
Kenji Baheux  2010-03-02 08:20:18
@Kenji: So you want to send 'part' of the key, and then send another part 'later'? I mean, (obviously) this is technically the same as just sending the *entire* key later. You can split it between Alice and Bob (Alice is the "dealer" *and* a player) but it's a little weird, IMHO. Unless you're trying to prevent some sort of in-transit attack on your key, but sending it in two parts (in which case, it's appropriate).
Noon Silk  2010-03-02 08:23:23
The 'unlocking' of the encryption (hence the transmission of some third information) should only occurs when some condition is met between Alice and Bob (like a proposal of marriage :-D ).
Kenji Baheux  2010-03-02 08:31:52
@Kenji: Then just don't send the key until that stage. It's useless to Bob anyway. It's also the most simplistic implementation (hence, less prone to error, hence more secure).
Noon Silk  2010-03-02 08:34:36
key splitting is not needed and is unnecessarily complicated. Just use RSA and don't send the encrypted key until you are ready for the other side to decrypt.
GregS  2010-03-02 23:46:04
@GregS: Yes, I guess that I am just trying to split hair.
Kenji Baheux  2010-03-03 00:30:26
+1  A: 

As silky implies in his answer, the way in which RSA is usually used to encrypt a document is in combination with a symmetric algorithm, like AES. A secure random key is generated for the AES algorithm, the documented is encrypted with that AES key, and the AES key is encrypted with the recipient's public key. Both parts are supplied to the recipient.

You can adapt this to your situation simply by sending only the document encrypted with the AES key in the first step, and withholding the AES key encrypted with the recipient's public key until the second step. The first part will be on the order of the original file size, and the second part will be a small, constant size (on the order of the RSA key size).

caf  2010-03-02 08:39:53
According to http://www.di-mgt.com.au/rsa_alg.html the scope of RSA covers keys generation, encryption and decryption.
Kenji Baheux  2010-03-02 08:52:42
@Kenji: RSA is known to be insecure for "large" data sizes. As caf says, it's best to encrypt data that is very small (i.e. a typical key for AES).
Noon Silk  2010-03-02 08:58:33
Kenji: Note in that page you have linked to, under the section *Encryption using PKCS#1v1.5*, the data to be encrypted `D` is described as "typically a session key". A session key is a key for a symmetric algorithm used to encrypt the actual data of interest.
caf  2010-03-02 09:16:15
Thanks for the explanation.
Kenji Baheux  2010-03-03 00:31:27
+2  A: 

(I assume you talk about RSA.)

Yes it is possible, but not 100%.

The public key is a part of the private key. It contains the modulus and the exponent of the key.

You can completely forget changing the modulus, because you would have to generate a new rsa keypair, which is the same problem as the one we are trying to solve.

But it is possible to change the exponent. You can select any (prime) number between 1 and your exponent as the new exponent and hope that it is coprime with the totient. Without knowing the totient it's impossible to select always a correct exponent. To find out the totient you would have to know the prime factors of the key, which means that you would have to break the key (have fun!).

So, it's actually impossible to have a 100% percent working method to do that, at least not while knowing only the public key.

If you need more information about the theory check http://en.wikipedia.org/wiki/Rsa

George B.  2010-03-02 08:39:58
If say, the modulus is the product of two 512-bit integers then any 513-bit prime will be ok as a new secret "public key". The problem with the scheme is that Bob could generate his public key in such a way that computing discrete logs modulo his modulus is easy for him.
abc  2010-03-02 15:17:53

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords