On Thu, Jul 14, 2022 at 08:01:19PM -0400, rhkramer@gmail.com wrote: [...] > I'll probably start with a post to describe one of the most surprising things > I learned about ssh so far -- to jump ahead and spoil it, it turns out that > public key encryption is not used for the exchange of the real "user" / > payload data, but instead a symmetric (one of a variety, iiuc) encryption > algorithm, with the same encryption key used by both the client and server, > but developed by each independently and never exchanged "over the wire". This is standard for public key cryptography, be it "interactive style" (e.g. SSH, TLS, where both parties exchange message) or "deferred style" (e.g. PGP/GPG, where one party prepares an encrypted message ahead of time for the other to decrypt). See, asymmetrical encryption (e.g. RSA, Elliptic Curve) is far too expensive to use on bulk data, so it typically is used to encrypt a key (generated on the spot), called "session key". The latter is used to symmetrically (e.g. AES) encrypt the bulk data. You use that style typically in the deferred case. Perhaps there's even a security advantage in that, since the session key, as being used for more data gives a potential cryptanalist more material to chew on: then just the session key would be compromised, and you throw that away for the next round. I don't know. > This is done by a process named Diffie_Hellman key exchange, and the Wikipedia > article on that (URL below) explains it quite well, with one example done in > terms of colors of paint (i.e., that people without an extensive background in > math or cryptography can understand). Diffie Hellman is only used in the "interactive" case above, to establish a secure path without having exchanged /any/ keys before; after that, you have to do a key exchange to make sure you are talking to whom you think you are (that's the "authenticity" part of the scheme [1]). You can't use Diffie-Hellman for mails or encrypted files/disks, since the other party has gone to sleep when you find the "message" :-) With D-H you can have confidentiality with some random second party. Just think of that. It makes me dizzy after all that years ;-) But in both cases (interactive, deferred), you agree on a session key for symmetric encryption to carry the brunt. It's so much faster than everything else that it's not even funny, and it is cryptographically much better understood. Cheers [1] Remember that the whole thing has three goals confidentiality - no one else can read in on the message authenticity - you are talking to whom you think you are integriry - nothing has tampered with the message on its way -- tomás
Attachment:
signature.asc
Description: PGP signature