
Cryptography with Alice and Bob

Untrusted Communication Channels

This is a story about Alice and Bob.

Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail.

[image: closedletter]

Unfortunately, Alice is pretty sure that the postman is reading the mail she sends.

[image: openletter]

That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them.

Symmetric-Key Encryption

Alice decides to put the message inside a lockbox, then mail the box to Bob. She buys a lockbox and two identical keys to open it. But then she realizes she can’t send the key to open the box to Bob via mail, as the mailman might open that package and take a copy of the key.

Instead, Alice arranges to meet Bob at a nearby bar to give him one of the keys. It’s inconvenient, but she only has to do it once.

[image: lockstore]

After Alice gets home she uses her key to lock her message into the lockbox.

[image: shared1]

Then she sends the lockbox to Bob. The mailman could look at the outside, or even throw the box away so Bob doesn’t get the message – but there’s no way he can read the message, as he has no way of opening the lockbox.

[image: shared2]

Bob can use his identical key to unlock the lockbox and read the message.

[image: shared3]

This works well, and now that Alice and Bob have identical keys Bob can use the same method to securely reply.

Meeting at a bar to exchange keys is inconvenient, though. It gets even more inconvenient when Alice and Bob are on opposite sides of an ocean.

Public-Key Encryption

This time, Alice and Bob don’t ever need to meet. First Bob buys a padlock and matching key.

[image: public1]

Then Bob mails the (unlocked) padlock to Alice, keeping the key safe.

[image: public2]

Alice buys a simple lockbox that closes with a padlock, and puts her message in it.

[image: public3]

Then she locks it with Bob’s padlock, and mails it to Bob.

[image: public4]

She knows that the mailman can’t read the message, as he has no way of opening the padlock. When Bob receives the lockbox he can open it with his key, and read the message.

[image: public5]

This only works to send messages in one direction, but Alice could buy a blue padlock and key and mail the padlock to Bob so that he can reply.

Or, instead of sending a message in the padlock-secured lockbox, Alice could send Bob one of a pair of identical keys.

[image: publicshared]

Then Alice and Bob can send messages back and forth in their symmetric-key lockbox, as they did in the first example.

[image: shared2]

This is how real-world public-key encryption is often done.

  • Bob generates a key pair, consisting of his public key (red padlock) and private key (red key).
  • Bob then publishes his public key, and Alice fetches it (Bob mails his padlock to Alice).
  • Alice then generates a temporary symmetric key (the pair of orange keys) and uses Bob’s public key (red padlock) to securely send it to Bob.
  • Bob then uses his private key (red key) to unlock his copy of the symmetric key (orange key).
  • Bob and Alice can then use those symmetric keys to securely send messages back and forth.
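The five steps above, written out as an added example in Go with only the standard library (this is not code from the original post): RSA-OAEP plays Bob's padlock and AES-256-GCM plays the shared lockbox. The function names, the 2048-bit and 256-bit key sizes, and the nonce-in-front layout of a sealed box are my choices, not anything the post specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Step 1, Bob's side: PublicKey is the red padlock, the private part is the red key.
func bobGeneratesKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Step 3, Alice's side: make the temporary orange key and lock a copy with Bob's padlock (RSA-OAEP).
func aliceWrapsKey(bobPub *rsa.PublicKey) (symKey, wrapped []byte, err error) {
	symKey = make([]byte, 32) // AES-256 key, fresh for this session
	rand.Read(symKey)         // OS CSPRNG; since Go 1.24 this never returns an error, so it is left unchecked
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, symKey, nil)
	return symKey, wrapped, err
}

// Step 4, Bob's side: the red key opens the padlock and recovers the orange key.
func bobUnwrapsKey(bobPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, wrapped, nil)
}

// Step 5: the symmetric lockbox is AES-256-GCM keyed with the shared orange key.
func newLockbox(symKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lock seals a message under a fresh random nonce, prepended so unlock can find it.
func lock(box cipher.AEAD, msg []byte) []byte {
	nonce := make([]byte, box.NonceSize())
	rand.Read(nonce)
	return box.Seal(nonce, nonce, msg, nil)
}

// unlock opens a sealed box; GCM's tag check makes a box the mailman altered fail.
func unlock(box cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := box.NonceSize(); len(sealed) >= n {
		return box.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed box too short")
}
```

Once both sides hold the same orange key, either of them can call lock and the other unlock, which is the back-and-forth of the last step.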

Each time you click on an SSL link or connect to your mailserver this story plays out. Your browser or mail client plays the part of Alice and the server you’re connecting to plays Bob.

8 comments

  1. Terry Zink says

    Good post, Steve.

    Could you do a follow up how key identification (certificates) work? What I mean is that there’s always the concern of “How do I know that the key I am getting really belongs to the person I want to securely communicate with?”

    I always find that part hard to wrap my head around.

  2. steve says

    Working on an article about signatures right now, Terry. Padlock, polaroids and maybe transparent boxes. Finding a real-world metaphor for hash functions is the tricky bit.

    But Alice will be able to prove her authorship, in a non-repudiable way, today or tomorrow.

  3. Barb says

    Could you explain how Bob, who works for a bank, could steal money from Alice by sending a message to the bank supposedly from her telling the bank to transfer money to Bob’s account using 3DES?

  4. Sissi says

    I love your real-world metaphor sample for public-key encryption 🙂

  5. Luna says

    If Alice is using RSA and has pk, sk, how can she exchange a symmetric key with Bob?

  6. Gordana says

    Thank you for enlightening me. A beautiful and easy-to-understand comparison with a real life.

  7. Chipped Credit Cards: Why chip cards are safer than magnetic stripes on debit/credit cards | NICERC - An Academic Division of the Cyber Innovation Center. says

    […] to the Wise Blog. “Cryptography with Alice and Bob.” Word to the Wise, 17 Sep. 2014, https://wordtothewise.com/2014/09/cryptography-alice-bob/. Accessed 21 Oct. […]
