Let's say A and B are two people that want to exchange a message yada yada...

I want to build something that would allow A to send an encrypted message to B; with B able to decode the message but not being able to encode another valid message.

Kind of the opposite of how asymmetrical schemes work.

Does a construction like that exist?

Ale Morales

1 Answer

NOTE: I'm making some simplifications here, and that's dangerous in cryptography. What I'm saying about RSA is correct, but you really must do some study before you use any cryptographic system, and especially before designing any novel way of using one. Very small misuses can lead to completely insecure systems. As @almosnow notes, using ElGamal this way would be broken. As @CodesInChaos notes, signatures are not exactly "encrypting with the private key" (that's their heart, but there are other important pieces). RSA is very likely the right tool for this specific job but you must use it correctly, and unfortunately I don't know any short "here's what you need to know to implement it correctly" short of the Stanford Crypto Course, which is quite good, but neither short nor easy.

That's exactly how RSA works.

  • A has a key that can encrypt messages. We call it the private key.
  • B (and possibly everyone else) has a key that can decrypt messages encrypted with A. We call it the public key.

It is true that the key B has can be used to generate a message that can only be decrypted by A, but for a given protocol it should be easy to declare that "not a message" if that's what you need. B cannot encrypt a message that B can decrypt in any case, and since only A has the private key, this should be exactly what you described.

Rob Napier
  • I'm pretty sure that the public key encrypts and the private key decrypts. Also, I think that the public key could be inferred from the private key, so sharing the private and keeping the public would not solve my problem :c – Ale Morales Sep 24 '13 at 03:50
  • "public" and "private" are just names we assign them. Either can encrypt and either can decrypt. One cannot be inferred from the other. – Rob Napier Sep 24 '13 at 03:51
  • Specifically, when we use the public key to encrypt, we call it "signing." Only the private key can decrypt it, and we call that "verifying." – Rob Napier Sep 24 '13 at 03:52
  • @RobNapier: That is not true of all asymmetric schemes. I believe you're thinking of RSA specifically, which has some structure that is not necessarily shared by other asymmetric schemes (e.g., ElGamal). – Reid Sep 24 '13 at 03:53
  • @Reid, what do you mean? ElGamal also creates the same kind of relationship. Do you mean DH perhaps? – Rob Napier Sep 24 '13 at 03:56
  • @RobNapier So basically, for a pair of asymmetrical keys A and B, what A encrypts can only be decrypted with B and what B encrypts can only be decrypted with A? – Ale Morales Sep 24 '13 at 03:58
  • @RobNapier: I was referring to your first comment, not the second. In ElGamal, one doesn't directly "encrypt" (implying confidentiality) using the private key. Also, given the private key, one can trivially reconstruct the public key, i.e. one can indeed be inferred from the other. – Reid Sep 24 '13 at 03:59
  • @almosnow Correct (for RSA; my original statement was too broad.) – Rob Napier Sep 24 '13 at 04:04
  • @RobNapier Got it! Thanks, I'll use RSA for this particular problem. – Ale Morales Sep 24 '13 at 04:05
  • Don't call signatures "encrypt with private key". Signing is different from encrypting, in particular it uses hashing and a specialized padding mode. – CodesInChaos Sep 24 '13 at 08:23
  • @CodesInChaos; it is true that we use various specific hashing schemes in signing, but the final, critical step is that you can encrypt with the private key. For a small message, I could just encrypt the whole thing with the private key and send it alongside the message as a signature. We don't generally do it that way because messages are larger than hashes, but it would be a valid signature. – Rob Napier Sep 24 '13 at 12:09
  • Added some commentary; almosnow and CodesInChaos' comments suggest that I may be oversimplifying in a way that may confuse likely readers. I'm open to a better-worded answer. – Rob Napier Sep 24 '13 at 12:33
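
An added example, not part of the original question, answer or comments: it contrasts the raw "encrypt with the private key" operation discussed in the thread with hash-then-sign, to show why the hashing step mentioned in the comments is what lets B reject blobs that A never produced. The key is a constructed toy built from two Mersenne primes, and all function names are hypothetical.

```python
import hashlib

# Constructed toy key for A: two Mersenne primes. Illustration only; a real key
# uses large random primes generated by a vetted library.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key, given to B
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, kept by A

def raw_seal(m: int) -> int:
    """A's side: textbook 'encrypt with the private key', no hash, no padding."""
    return pow(m, D, N)

def raw_open(c: int) -> int:
    """B's side: recover m with the public key. Every c < N opens to something."""
    return pow(c, E, N)

def digest(msg: bytes) -> int:
    # SHA-256 reduced mod N stands in for real signature padding (an assumption
    # made to keep the example short; it is not a standard padding mode).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> int:
    """A's side: hash the message, then apply the private exponent."""
    return pow(digest(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """B's side: needs only the public values (N, E)."""
    return pow(sig, E, N) == digest(msg)

def demo() -> dict:
    msg = b"pay 10 to B"
    m = int.from_bytes(msg, "big")
    sig = sign(msg)
    blob = 123456789                      # a number chosen without knowing D
    return {
        "raw_roundtrip": raw_open(raw_seal(m)) == m,
        # Raw scheme: the blob is exactly what A would emit for raw_open(blob),
        # so B has no way to tell it was not produced by A.
        "raw_blob_looks_genuine": raw_seal(raw_open(blob)) == blob,
        "genuine_verifies": verify(msg, sig),
        "altered_message_rejected": not verify(b"pay 99 to B", sig),
        "arbitrary_blob_rejected": not verify(msg, blob),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Anyone holding the public key can read what A sends this way, so the construction provides authenticity rather than secrecy. Production code would use RSA-PSS from a vetted library instead of the hash-mod-N stand-in.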