Ravikumar Solanki

Reputation: 28

Fundamental of Public key and Private key in IT Security

John and Peter have each generated a public and private key pair. However, they do not know each other's keys yet. Now they are trying to exchange a message M over a network.

a) What is the procedure to exchange the message confidentially? b) What can be done to mitigate the risk if active attacks are possible?

Upvotes: 1

Views: 56

Answers (1)

Patrick87

Reputation: 28292

The basic idea is simple:

  1. John and Peter both publicize their public keys and broadcast to the world, "use my public key to encrypt messages you send me, so only I can read them".

  2. John uses Peter's public key to send Peter an encrypted message, which only Peter can decrypt. Similarly, Peter uses John's public key to encrypt the response, so only John can read it.

This is all assuming no shady business is going on. If there are active attackers, some extra precautions are needed.

How do you know whether the person publishing Peter's public key is actually Peter? They could simply be claiming to be Peter and publishing their own public key. The solution to this is to have trusted certificate authorities verify the identity of entities publishing public keys so that consumers of those keys can consult the certificate authority to get confidence that the public key is being provided by the same entity as is being claimed.

How do you know whether the encrypted message you received from John is actually from John and not somebody else who read your public key and wants to impersonate John? For this, you can either require a communication handshake to succeed (so that Peter replies to John using John's public key, and John must successfully respond to confirm his identity), or you can require that John digitally sign the message sent to Peter. Signing consists of John encrypting part of the message with his own private key and Peter subsequently decrypting using John's public key. The decryption with John's public key can be verified to have worked somehow by Peter (perhaps it can be checked against a hash of the message contents or a known fixed value or something) and since only John knows the private key for John's public key, Peter can have confidence that only John could have sent the message.

Upvotes: 1
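The exchange described in the answer above, as an added example that is not part of the original post: John signs a hash of M with his private key and encrypts M with Peter's public key, and Peter accepts the message only if the signature verifies under John's public key. It uses textbook RSA (no padding) with constructed keys built from small Mersenne primes, so it is far too weak for real use; the function names and the impersonator "Mallory" are hypothetical, and it assumes Peter already holds an authentic copy of John's public key (for example via a certificate authority).

```python
import hashlib
E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def encrypt(pub, message: bytes) -> int:
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(priv, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message: bytes) -> int:
    n, d = priv
    return pow(digest(message, n), d, n)

def verify(pub, message: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest(message, n)

# Constructed keys from known Mersenne primes (far too small for real use).
john_pub, john_priv = make_keypair(2**89 - 1, 2**61 - 1)
peter_pub, peter_priv = make_keypair(2**127 - 1, 2**107 - 1)
mallory_pub, mallory_priv = make_keypair(2**31 - 1, 2**19 - 1)  # hypothetical impersonator

def send(sender_priv, recipient_pub, message: bytes):
    """Sign with the sender's private key, encrypt with the recipient's public key."""
    return encrypt(recipient_pub, message), sign(sender_priv, message)

def receive(recipient_priv, claimed_sender_pub, ciphertext, signature):
    """Decrypt, then report whether the signature matches the claimed sender's key."""
    message = decrypt(recipient_priv, ciphertext)
    return message, verify(claimed_sender_pub, message, signature)

if __name__ == "__main__":
    M = b"meet at noon"
    print(receive(peter_priv, john_pub, *send(john_priv, peter_pub, M)))
    print(receive(peter_priv, john_pub, *send(mallory_priv, peter_pub, M)))
```

Anyone can encrypt to Peter's public key, so the second call decrypts cleanly but fails verification; production code would use a vetted library with OAEP for encryption and PSS for signatures.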
