-1

In public key infrastructure, the MD5 of a piece of data is encrypted with the private key of a sender and this encrypted MD5 – along with the data – is again encrypted using an algorithm like AES or 3DES.

Here, the private key of a sender is used to encrypt with AES… is that correct?

This is a rough implementation of what I think I’ve understood:

  • DATA
    = text which should be sent through PKI
  • hash = MD5(DATA)
  • encrypthash = RSAENCRYPT(privatekey,hash)
    = hash encrypted using private key of sender
  • cipher= AES(KEY,DATA+hash)
    = param 1 is the key to encrypt, and param 2 is the DATA and hash which have been concatenated
  • encryptkey = RSAENCRYPT(privatekey,KEY)
    = AES key, encrypted with private key of sender
  • masterKEY = RSAENCRYPT(publickey,KEY)
    = encryptkey, encrypted with public key of receiver

Is this correct, or am I missing something important?

Mike Edward Moras

1 Answer

2

It is not correct. Actually, your usage of RSA is entirely wrong.

In a public key scheme, there are 2 keys, one for encryption and one for decryption. If you use the private key to encrypt... the public key would be used to decrypt. That means everyone can decrypt, as the public key is public.

If you use a public key scheme and the private key to create something, this can only be a signature. And in that case, you would have to use some kind of sign function instead of encrypt; they are not equal.

If we ignore the wrong RSA encryptions, there isn't much left:

  • You hash the data with MD5
  • You encrypt data+key with AES under key KEY.
  • You transmit KEY with RSA and the receiver's public key (this is how RSA encryption is used).

However... this is just a simple "send encrypted message" algorithm: encrypt with symmetric cipher and random key, encrypt key with public key scheme and receiver's public key. The MD5 hash value does not serve any purpose at all: it is not checked, it doesn't help authenticate the sender, it doesn't achieve message integrity.

But even if we assume you wanted to sign with RSA instead of encrypting... I still don't understand what you are trying to achieve here.

tylo
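
The answer's points worked through in code, as an added example that is not part of the original post: a private-key RSA operation on KEY hides nothing, the same operation on a hash is a signature, and only the wrap under the receiver's public key keeps KEY secret. It assumes unpadded textbook RSA over small constructed primes (standard library only, to show the math; real systems use a padded scheme from a vetted library), hypothetical function names, and SHA-256 in place of the question's MD5.

```python
# Toy textbook RSA (no padding, small primes): illustration of the math only.
import hashlib
import secrets

E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((e, n), (d, n)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def rsa_op(key, value):
    """The raw RSA operation: value^exponent mod n."""
    exponent, n = key
    return pow(value, exponent, n)

def digest(data, n):
    """SHA-256 of data as an integer reduced mod n (toy encoding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

# Constructed key pairs; the primes are well-known Mersenne primes.
SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
RECV_PUB, RECV_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def leaked_key(encryptkey):
    """What any holder of the sender's PUBLIC key gets from
    encryptkey = RSAENCRYPT(privatekey, KEY): the AES key itself."""
    return rsa_op(SENDER_PUB, encryptkey)

def sign(data):
    """Private-key operation used as the answer says: a signature over a hash."""
    return rsa_op(SENDER_PRIV, digest(data, SENDER_PRIV[1]))

def verify(data, signature):
    return rsa_op(SENDER_PUB, signature) == digest(data, SENDER_PUB[1])

def wrap_key(key_int):
    """masterKEY = RSAENCRYPT(publickey, KEY): only the receiver can undo it."""
    return rsa_op(RECV_PUB, key_int)

def unwrap_key(master_key):
    return rsa_op(RECV_PRIV, master_key)

if __name__ == "__main__":
    KEY = secrets.randbits(128)  # stand-in for a random AES key
    data = b"constructed sample message"
    print("KEY leaked via encryptkey:", leaked_key(rsa_op(SENDER_PRIV, KEY)) == KEY)
    print("receiver unwraps masterKEY:", unwrap_key(wrap_key(KEY)) == KEY)
    print("signature ok / tampered:", verify(data, sign(data)), verify(data + b"!", sign(data)))
```
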