16

I have a theoretical question. There is a public key-system. Person1 wants to privately send a message to person2. From my understanding, person1 is supposed to encrypt their message with public key. What happens if person1 would use their private key for encryption instead? Is the message still private or it can be read by others?

Regards, Filipe

Filipe
  • 161
  • 1
  • 1
  • 3
  • 2
    Please do more research. This is covered on Crypto.SE, see, e.g., http://crypto.stackexchange.com/q/15997/351 and http://crypto.stackexchange.com/a/4042/351 and http://crypto.stackexchange.com/q/679/351. The short answer is: you're confused. You *sign* a message using the private key (not encrypt under the private key). Signing might superficially look similar to "encrypt with the private key", but there are critical differences. So, erase the entire idea of "encrypt with the private key" from your brain, as it will only lead you astray. – D.W. Feb 16 '15 at 21:16
  • 2
    Encryption is done with public key only, since the key is public, and only the holder of private key can decrypt it. If message is encrypted with private key, then everyone can decrypt it, since the public key is public. The point of encryption is that only the authorized recipient is to get the message, otherwise there's no point encrypting the message; save the time & computing resources, and just display the message to the public! – Zimba Jun 21 '21 at 15:18

4 Answers4

17

For encryption, person 1 encrypts their message with person 2's public key, not with their own public key. Then only person 2 can decrypt it, since only person 2 has the matching private key.

Encryption with the private key is used to prove authenticity. If person 1 encrypts a message with their own private key then person 2 can decrypt it with person 1's public key, which proves that person 1 originated the message since it could only have been encrypted with their private key.

All of which assumes that you have a secure and verifiable way for persons 1 & 2 to exchange public keys, which is always the difficult bit.

Mike Scott
  • 10,134
  • 1
  • 28
  • 35
  • 6
    "Encryption with the private key is used to prove authenticity" I think you mean digital signature. You'd SIGN the message with your private key, and anyone can use your public key to verify you personally created the message. – Andy Feb 16 '15 at 15:20
  • 2
    Means the same thing. You sign a cleartext by encrypting it with your private key, and distributing the encrypted chunk as a signature. – Sobrique Feb 16 '15 at 16:01
  • 3
    @Sobrique in RSA this is (approximately) the case, since the algorithm is symmetrical apart from the key generation. In other algorithms (like ECDSA) public keys and private keys are completely different things, and it's impossible to encrypt with a private key. – user253751 Feb 16 '15 at 18:36
  • 5
    @Sobrique No. The algorithms for RSA are somewhat similar, but even there they have different padding systems (they are in fact separate algorithms, just using the same core operation). With other systems, you simply cannot encrypt with a private key at all. "Signing is encrypting with your private key" is an oversimplification of a single pair of public-key systems that leads only to confusion about how signatures actually work. – cpast Feb 16 '15 at 18:49
  • 2
    It does *not* mean the same thing. Digital signatures are not encrypting with the private key (even though there is some resemblance in RSA). This is a common misperception among many beginners that causes much confusion for them down the road. – D.W. Feb 16 '15 at 19:34
  • 1
    @Sobrique Also, it doesn't mean the same thing. Encryption is for protecting the contents of a message, signing is for verifying the identity of the sender of a message. They are both different tasks and each can be done without the other, or you can do both. Others pointed out while technically they are not the same thing, but it should be made clear that semantically they are not the same thing either. – Andy Feb 16 '15 at 20:13
  • How would you encrypt a message, such that only you and the recipient can read it, AND that the sender knows it's from you? – moonman239 Dec 13 '21 at 20:06
  • @moonman239 The sender always knows who it’s from, because it’s from _them_. – Mike Scott Dec 14 '21 at 07:19
7

If you encrypt a message with your private key, it can be read (decrypted) by anyone who has your public key. Since the public key is intended to be - of course - public, the message is no longer private. The message can be now considered signed, because with verified public key anyone can be sure that the message is authentic.

pkalinow
  • 171
  • 3
  • 2
    This is the case in RSA, but in many cryptosystems the public and private key are completely different types of things and can't be interchanged. – Max Feb 16 '15 at 20:34
  • 2
    @Max Interesting. Could you provide an example? – pkalinow Feb 27 '15 at 13:32
7

The bit about public/private keys being for encryption/signing respectively is not a general fact of public-key encryption: it's specific to RSA, where public and private keys have (at least in the textbook) the same form. Switch to Diffie-Hellman and/or ECC based systems and the two kinds of key look completely different, so you cannot encrypt with a private key.

The short answer to your question is that if Person1 has the private key of Person2 then something has gone badly wrong already, and most likely no-one will get any security at all. This kind of thing happens all the time (I think github has a special error message for people who paste a private key in the field where a SSH public key is expected to setup SSH keyed authentication).

The full answer: if Person1 uses their own private key, if they're doing textbook RSA then anyone with Person1's public key can recover the message. And public keys are, well, supposed to be public. In the real world, RSA keys and other data structures are a few steps removed from the textbook - and a sensible crypto library should not offer the option to encrypt with a private key in the first place. You would also typically have separate subkeys for encryption and signing, which again would be stored in different formats (it's a very bad idea to use the same key for both, even if you could in theory).

In textbook RSA, you have a public modulus N, a public exponent e and a private exponent d. In encryption mode, you compute a ciphertext c from a message m as c = m^e (mod N); to decrypt you compute m = c^d (mod N). To sign m, you publish s = H(m)^d (mod N) and to verify a signature s on m you check that H(m) = s^e (mod N). So the public and secret operations are interchangeable. In fact it doesn't matter which one you call e and which one you call d, the two are interchangeable : x^e^d (mod N) = x^d^e (mod N) = x (mod N) for all 0 < x < N. (Well, almost all - as long as you don't hit a factor of N. In which case you're toast anyway.)

0

The public and the private key are mathematically related, so whatever is encrypted with the private key can only be decrypted with the public key and vice versa.

So both keys can be used to either encrypt or decrypt a message, and the other key to do the opposite.

BadSkillz
  • 4,444
  • 25
  • 29
  • 1
    With a caveat - public key is derived _from_ private key. So if I have the private key, I can do both. – Sobrique Feb 16 '15 at 15:53