RE: Opening PKI encrypted with Public Key outside your Escrow Authority.

From: Benson, Sean M (BensonS@state.gov)
Date: Mon Mar 06 2006 - 14:54:25 EST


Thanks Adrian,

That's one in agreement so far.

I know that AT&T used to have a system that would open at the KEC, and
then insert a bit encryption, reencrypt and then forward to the user. On
the way out it would unencrypt with its key and re-encrypt with the
outside user's key and then fire it off to the user. AT&T Crypto Backup
I think it was called.

But for standard X.509 I think you and I are right.

sbenson

 

-----Original Message-----
From: Adrian Floarea [mailto:adrian.floarea@uti.ro]
Sent: Monday, March 06, 2006 1:37 PM
To: Benson, Sean M; pen-test@securityfocus.com
Subject: RE: Opening PKI encrypted with Public Key outside your Escrow
Authority.

Hi Sean,

I'm not sure if I understand your case very well, but I have some
remarks. If I understand well, the hypotheses are:

1. Acme company has a PK infrastructure with escrowed private key
2. User Beta has a PK infrastructure

In these circumstances, the answer to your question is simple:

No, you cannot decrypt the message. After you encrypt the message, only
a person who has the private key (in this case User Beta) can decrypt
the message. You, theoretically, don't have access to this key, so you
cannot decrypt the message.

Regards,

Adrian Floarea, CISA
Information Security Department
IT&C Division, UTI Systems SA
Bucharest, Romania
Email: adrian.floarea@uti.ro

-----Original Message-----
From: Benson, Sean M [mailto:BensonS@state.gov]
Sent: Monday, March 06, 2006 7:59 PM
To: pen-test@securityfocus.com
Subject: Opening PKI encrypted with Public Key outside your Escrow
Authority.

I have a Question maybe someone can explain to me.

Say company Acme has a PKI structure.
Company/User Beta also has PKI or is using PKI software

It allows S/MIME and Proprietary Keys to be imported into an AcmeUser's
keyrings/address books.

If User@Acme.com uses the key from AnotherUser@Acme.com, I, as the Key
Escrow CA, can open/un-encrypt/read the mail using the Escrowed Private
keys.

But if User@Acme.com uses the Public Key from User@Beta.com to encrypt,
can I open this message using only the Keys I have Escrowed?

I.e., only AcmeUser's Public/private pair?

Or is it encrypted with the Public key of UserBeta and I am SOL?

It's a discussion and I think I'm right, but I'm having a hard time
tracking down facts online about this.

Which makes me think either it's so easy to open that it's just a
given,
or it's impossible and so blatant that it's a given,
or I'm an ass who skipped some whitepapers I should have read.

btw: I believe you're SOL without that other key as it's encrypted with
it. Am I right?
Sbenson

DRM:
"In other words, embarrass and shackle the progress of improvements of
tomorrow by recording and registering as law the prejudices and errors
of today". - Isambard Kingdom Brunel
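The point both posters agree on, shown in working code as an added example (this is not code from the thread, from AT&T, or from any S/MIME product): an S/MIME message is encrypted once under a random content-encryption key, and that key is wrapped separately for each recipient's public key, so an escrow authority holding only Acme keys gets nothing from a message wrapped for User@Beta. The Envelope type here is a hypothetical minimal stand-in for CMS EnvelopedData, not a real ASN.1 encoder; the key names (AnotherUser@Acme, User@Beta, an Acme "recovery" key), the sample message and the third scenario are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a hypothetical minimal stand-in for a CMS/S-MIME EnvelopedData
// (not a real ASN.1 encoder): the body is encrypted once under a random
// content-encryption key (CEK), and the CEK is wrapped separately, one
// RecipientInfo per recipient public key.
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedCEK        [][]byte // one RSA-OAEP-wrapped copy of the CEK per recipient
}

// Seal encrypts plaintext so that every listed recipient key can recover it.
func Seal(plaintext []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	rnd := make([]byte, 44) // 32-byte AES-256 CEK followed by a 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	cek, nonce := rnd[:32], rnd[32:]
	block, _ := aes.NewCipher(cek) // cannot fail: key length is fixed at 32
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedCEK = append(env.WrappedCEK, w)
	}
	return env, nil
}

// Open tries one private key against every RecipientInfo, as an escrow agent
// with a bag of escrowed keys would. It succeeds only where the CEK was wrapped
// for the matching public key; any other key fails OAEP decryption, so the
// CEK, and with it the body, stays unreadable.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range env.WrappedCEK {
		cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
		if err != nil {
			continue // not wrapped for this key
		}
		block, err := aes.NewCipher(cek)
		if err != nil {
			return nil, err
		}
		gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no RecipientInfo decrypts with this key")
}

// EscrowCanRead runs the cases from the thread and reports whether the Acme
// escrow authority can read the message with the private key it holds:
// [0] Acme -> AnotherUser@Acme (recipient key escrowed),
// [1] Acme -> User@Beta (recipient key not escrowed),
// [2] Acme -> User@Beta with an Acme recovery key added as a second recipient.
func EscrowCanRead() ([]bool, error) {
	var keys [3]*rsa.PrivateKey // AnotherUser@Acme, User@Beta, Acme recovery key (constructed)
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	acme, beta, recovery := keys[0], keys[1], keys[2]
	msg := []byte("constructed sample message from User@Acme.com")
	cases := []struct {
		to  []*rsa.PublicKey // RecipientInfos written by the sender's client
		try *rsa.PrivateKey  // the key the escrow authority holds
	}{
		{[]*rsa.PublicKey{&acme.PublicKey}, acme},
		{[]*rsa.PublicKey{&beta.PublicKey}, acme},
		{[]*rsa.PublicKey{&beta.PublicKey, &recovery.PublicKey}, recovery},
	}
	var results []bool
	for _, c := range cases {
		env, err := Seal(msg, c.to)
		if err != nil {
			return nil, err
		}
		pt, err := Open(env, c.try)
		results = append(results, err == nil && string(pt) == string(msg))
	}
	return results, nil
}

func main() {
	r, err := EscrowCanRead()
	fmt.Println(r, err) // [true false true] <nil>
}
```

A real S/MIME client selects the RecipientInfo by the certificate's issuer and serial number rather than by trial decryption; the loop in Open stands in for that lookup and makes the failure mode explicit. The third case is the standard CMS way to give an organization read access to outbound mail: the sending client adds the recovery certificate as one more recipient at encryption time. That is a client-side policy, and it is a different design from the gateway scheme Sean describes, which would need the gateway to hold a key that can open the message before re-encrypting it.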



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:37 EDT