38

Maybe this question sounds obvious, but I wonder how dangerous might be publishing a public key for an asymmetric encryption system?

I know public keys are meant for encrypting messages by anyone who's meant to do so, that's why we can even download a public cert of the most common CAs from web browsers.

But is it secure if I publish my public key on a webserver so anyone can download it? What risks am I facing doing this?

Thanks.

nKn
  • Simply publishing your public key on a webserver might not be that great of an idea. At least make sure the connection to your server is authenticated/encrypted or even better: Try to get your public key signed by as many people as possible. – Karol Babioch Mar 28 '14 at 13:58
  • Perhaps think of the analogy of publishing your name and street address in public directories, but only your family has the actual key to the front door. – Michael Durrant Mar 30 '14 at 14:10
  • @MichaelDurrant: what about *back door*, though? :) – Sergio Tulentsev Apr 23 '15 at 13:47

7 Answers

60

None, that's why it is called a public key. It cannot be used to access anything encrypted for you without solving math problems that are currently prohibitively difficult to solve. It is possible that in the future it may be possible to solve these problems and that would cause the public key to allow messages to be decoded, but there is no current known threat.

The flip side is that if you do not share your public key, then your private key doesn't do you any good. The only reason to use asymmetric cryptography over symmetric is if you need to let someone have your public key. Otherwise, if you are just doing stuff for yourself, symmetric is far faster and more secure.

AJ Henderson
  • 1
    Just adding that because symmetric cryptography is way faster, asymmetric crypto is usually used for key exchange (where the size of the information is relatively small). Then, having the key, we use symmetric crypto. – nikolas asteri Apr 07 '14 at 19:15
  • 1
    @nikolasasteri - while an accurate statement, I'm not sure I see the relevance here. This question wasn't asking anything about how to encrypt data using asymmetric keys, just if it was safe to share the public key. – AJ Henderson Apr 07 '14 at 20:03
  • I just thought it was a good fit for your last sentence, sorry. – nikolas asteri Apr 09 '14 at 21:37
19

Just to expand on a couple bits of info alluded to above, there are basically two risks to consider, neither of them relating to the algorithms (those are safe).

First is incidental data leakage. Do you run slaterockandgravel.com as Mr. Slate but have your key signed fflintstone@slaterockandgravel.com? Did Betty sign your key and you don't want the world to know about that? These are unlikely cases, but consider them.

Second, and perhaps more so, is to guard against somebody man-in-the-middle'ing your website and presenting your friend with a fake key for you, which they plan to use to intercept his communications to you. Again unlikely, but two things you can do to avoid the problem: a) put it up under TLS -or- b) (better) upload your key to a public keyserver (sks or similar) and only put the key ID on your website (you can even provide a web link to the sks webservers with a lookup for your key id). People have already figured out key distribution, so leverage their work.

For most of these things, it probably won't be you who gets attacked this way, but it will be somebody, so each of us should act as if it will be us, and then we have a safer community.

Bill McGonigle
  • Well, some of the algorithms conceivably might not be safe. But if they're unsafe then one can reasonably assume that the break will work given only a message, so keeping the public key secret from the attacker wouldn't help :-) – Steve Jessop Mar 30 '14 at 23:26
  • "Did Betty sign your key" - interesting... As of course that is a small but still significant piece of information that may assist in social engineering attacks. – Richard Green Mar 31 '14 at 15:45
9

But, you have to publish your public key in order for people to encrypt messages that are intended for you. That is why you must publish your public key and have it signed by people you know (preferably personally).

For more information: Web of Trust and Key signing Parties

6

The risks are of trust. Non-intuitively, if you don't publish your key, it's easy for someone to publish their own key and claim it's yours. A public key should be very public.

Your best defense is to ensure your key is properly signed.

John Deters
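
The risk raised in the answers above is key substitution (a fake key served in place of yours), and the usual check is to compare the downloaded key against a fingerprint obtained over a separate, authenticated channel. The following Python example is added here and is not part of any answer; the key bytes are constructed placeholders and the function names are hypothetical.

```python
import base64
import hashlib

# Constructed sample data: the DER SubjectPublicKeyInfo header for Ed25519
# followed by 32 filler bytes. These are placeholders, not keys anyone uses.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
GENUINE_DER = ED25519_SPKI_PREFIX + bytes(range(32))
SUBSTITUTED_DER = ED25519_SPKI_PREFIX + bytes(range(1, 33))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor, as a web server would serve the key."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN PUBLIC KEY-----\n" + body + "-----END PUBLIC KEY-----\n"


def fingerprint(pem: str) -> str:
    """SHA-256 over the decoded DER, so armor and line wrapping do not matter."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return hashlib.sha256(der).hexdigest()


def accept_key(downloaded_pem: str, pinned_fingerprint: str) -> bool:
    """Accept a downloaded key only if it matches the fingerprint obtained
    over a separate, authenticated channel (in person, signed mail, ...)."""
    try:
        actual = fingerprint(downloaded_pem)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
    return actual == pinned_fingerprint.strip().lower()


# The owner publishes the key file and, separately, its fingerprint.
PINNED = fingerprint(to_pem(GENUINE_DER))

if __name__ == "__main__":
    print("genuine download accepted:", accept_key(to_pem(GENUINE_DER), PINNED))
    print("substituted key accepted: ", accept_key(to_pem(SUBSTITUTED_DER), PINNED))
```

The check is only as strong as the channel the fingerprint came from: a fingerprint read from the same unauthenticated page as the key can be swapped along with it.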
4

The only risk to publishing your public key is if your public key is signed by other people and you do not wish to reveal who signed your key (since that can be used to figure out who you have made connections with, casually or intimately).

Kevin Li
1

Generally speaking, in encryption there are two types of information: secret information and public information.

Keeping secret information secret is like putting it in the big vault with a big door in a big bank like you see in the movies.

Keeping public information secret is like putting a sign on the door that says "don't steal my stuff".

Better to assume that public information is known to the world and not waste too much effort protecting it. As stated in another answer, it can make sense to put basic authentication safeguards in place. If only certain people should be able to send you messages, then putting up some system whereby only those people should have access to your public key makes sense, if only to reduce the possibility that you'll receive bogus messages that you'll have to discard... you'll still have to handle recognizing and discarding bogus messages, but you'll reduce the potential for traffic.

Jason
1

Yes, theoretically speaking, asymmetric cryptoalgorithms require the public key to be made public. However, depending on the algorithm in use, and the strength of the algorithm (no. of bits used, etc.), some of these public keys can be broken to yield the private key. For example, if the RSA cryptosystem is being used, it is generally advised to use at least 1024 bit keys. Any less and your cryptosystem may be compromised. Even so, it is advised to use 2048 bit keys, since even the 1024 bit keys could be solved with upcoming powerful computers (http://www.emc.com/emc-plus/rsa-labs/historical/has-the-rsa-algorithm-been-compromised.htm). Hence, I wouldn't be too worried about it unless your application is for high security purposes like banks, military etc.

nitarshs
  • Where is there a factored 1024 key? Last I heard 768 was the last size factored. Link for proof http://eprint.iacr.org/2010/006.pdf – exussum Mar 29 '14 at 21:57
  • Yes, my apologies. I intended to say 1024 keys *can* be solved pretty soon with upcoming powerful computers. http://www.emc.com/emc-plus/rsa-labs/historical/has-the-rsa-algorithm-been-compromised.htm – nitarshs Mar 31 '14 at 11:36