14

How to exchange RSA public keys safely between two parties via internet?

AviD
  • 72,708
  • 22
  • 137
  • 218
Predator
  • 961
  • 1
  • 8
  • 10
  • use certificates from a trusted third party. –  Jun 11 '11 at 09:01
  • @Mat: If we don't rely on 'trust' of third party, then how? – Predator Jun 11 '11 at 09:04
  • face to face exchange - the only option if you don't have a trusted intermediary. (I'm assuming you want to guarantee the identity/authenticity of the public key) –  Jun 11 '11 at 09:06
  • @Mat: Yup, I want to guarantee the identity/authenticity of the public key. But I want to explore any internet options just to accomplish that. Any ideas? – Predator Jun 11 '11 at 09:09
  • 1
    If you don't trust the communication medium, then it's impossible to setup secure communication between two parties via only that medium. Like Mat said. And even that only works if you trust that someone else won't impersonate you at the meeting. You need at the least some prior shared secret information to verify identity. –  Jun 11 '11 at 09:20
  • In a perfect world, a public key is just that, public..... – Ormis Jun 13 '11 at 15:25

3 Answers3

9

Get yourself a trusted key. Two easiest options are an SSL certificate ($50..$100) and a GPG key (free).

Encrypt or sign the data you send with that key. With SSL, you can just serve your data via https, but can also just sign it. With GPG, you have to build enough trust for your key, so that the receiving end is sure it's you and not an impostor.

Another option is to create a public key to your SSH server, publish it and let people just SCP your data from there. Send them fingerprints of your SSH key via snail mail or tell verbally by Skype / phone. An impostor would have to fake your key, your server on a known domain name, and your phone / Skype / SIP contact; this should be sufficiently hard to thwart such attempts.

9000
  • 214
  • 1
  • 4
  • 4
    +1. There are really only two options: Have a trusted third party act as "introducer" (this is the SSL/CA model, and also the PGP "web of trust" model), or find some out-of-band way to communicate the key or its fingerprint. –  Jun 11 '11 at 21:18
  • @gens: @nemo's simple description is right. If you're going to talk to them out-of-band, a fingerprint will work to validate any kind of key or other data and you don't need to use SSH. The idea of publishing your data by giving people keys to scp the data from your machine is silly and scary. Note - if you choose SSL, how do you plan to securely communicate which site they should go to or what they should look for there? – nealmcb Jun 13 '11 at 03:53
  • @nealmcb: I still exploring the options available. But SSL definitely a no no because I can't trust the 'trust' of third party. – Predator Jun 13 '11 at 04:10
9

There are a few easy options.

  1. Put the key or other data anywhere on the Internet, calculate a fingerprint for it via SHA-256 or some other decent hash, and communicate the fingerprint out-of-band with the other party: via a phone call, SMS, or perhaps email if you aren't too worried about someone else intercepting an email.

  2. Get a third party that both of you trust to vouch for the key or other data. They could do this via a PGP signature on the key (the classic web-of-trust), or a CA signature on the key in an X.509 cert, or perhaps by providing a fingerprint for the key on an SSL site. If you go the CA route, note that deployed browsers implicitly trust hundreds of CAs and it is difficult to know or specify just which one both of you are putting your real trust in. If you need high security, see this for more discussion: How feasible is it for a CA to be hacked? Which default trusted root certificates should I remove?".

Of course your preference will depend on just what kind of key it is, who you're sending it to, how you intend to use it, what your threats look like, what you're using it to protect, etc.

nealmcb
  • 20,693
  • 6
  • 71
  • 117
1

Email, pm on a forum, really any way you want. The idea is that anyone can know the public key and it doesn't matter.

edit: Note that this assumes you just want them to be able to send encrypted messages to you, which other people can't read. If you want to guarantee the sender, than rather than trying to keep the public key private (which defeats the purpose, and you may as well not use RSA), get them to sign the message using e.g. their own RSA key.

Or failing that, encrypt the key using something like their RSA public key, so they can decrypt it.

  • @Sysyphus: We can't guarantee the identity/authenticity of the public key via email or pm. Any other ideas? – Predator Jun 11 '11 at 09:10
  • @Gens Ah, I see. You want to guarantee that the key the second party receives is your key, rather than a third party's key which they can use for something like a man in the middle attack? –  Jun 11 '11 at 09:12
  • @Sysyphus: Exactly. Any ideas? – Predator Jun 11 '11 at 09:16
  • 1
    Answer is no good due man-in-the-middle attacks. –  Jun 11 '11 at 21:16