Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PKI private/public keys

Suppose two users A and B.

If B send info encrypted with A's public key, only A can decrypt the info because he is the only one with it's private key. But if A send info encrypted with it's own private key, anyone with A's public key can decrypt the info, right? isn't this a security issue?

Regards,

JPL

4 REPLIES

Re: PKI private/public keys

It is highly recommended that each peer have their own public keys. Don't use the same key between 2 different peers. Keys are the most important part of security, guard them with your life :)! You can have the most advanced encryption algo in the world, but if you have the key ..... And that's really what you want, people you trust the key with should be able to decrypt your packets. Just guard the key and use different ones with different peers, and change them every so often.

Steve

New Member

Re: PKI private/public keys

What you are telling me is that if A wants to communicate with B he should use B's public key and for B->A, B should use A's public key. So each user must have a public key for each partner he wants to communicate with?

Regards,

JPL

Re: PKI private/public keys

Sorry if my writting is unclear. What I meant was - In ipsec there are 3 keys - public (shared with the peer, used to verify a signature), private (secret and never shared, used to sign a message) and secret (shared key used to encrypt data using an algorithm). The public key is derived from the private key.

Each peer combines its own private key with the peers public key to calculate the shared secret number. The secret number is converted into a shared secret key. This key never crosses the line (ie never exchanged). The shared secret key is input to the algorithm (eg 3DES). Then cleartext data is fed into the algorithm in fixed-length blocks and is converted to cyphertext and sent using ESP.

eg. A sends a message to B with B's shared/public key (b1). C sends a message to B with B's shared/public key (b2). b1 doesn't equal b2. B decrypts both with his private keys (one for each peer). B sending to A can't be read by C as they use different public/private key's. For each of B's peers (A & C) should have different private keys, which will generate different public/shared keys.

Steve

New Member

Re: PKI private/public keys

Thank you for your reply.

As I can see from your writting, each user should have one private key for each communication partner. Each of these keys "have" associated public keys.

So, the "public key" can be public not for public use (more than 1 user) but for one-one communication with the advantage of key exchange without security risks.

Thanks,

JPL

102
Views
0
Helpful
4
Replies