How does public-key cryptography work on GitHub?

3

8

In public-key cryptography a pair of keys is generated, one private and one public; the public one I put on GitHub.

The private key decrypts the data and the public key encrypts the data. Does this mean that when I send data to GitHub, this data is not encrypted, because only the private key decrypts the data?

Update:

Thanks guys, I understand now.

I was thinking my data was encrypted that way on GitHub when I send pushes/pulls. This case is used for login/verification/signing. That's all completely different from the encrypted transmission stream that the SSH connection sets up to send my data.

Thanks everyone for your responses...

Decreasing answered 5/5, 2011 at 14:0 Comment(0)
O
10

Not wrong at all, but wrong. (a) The private key decrypts the data encrypted by the public key and (b) the public key decrypts the data encrypted by the private key.

(a): Everybody can encrypt something, but only the owner of the private key can decrypt it.

(b): The owner "encrypts" something with his private key and everybody can decrypt it, which ensures that it really was the owner who encrypted the data and not somebody else.

git(hub) makes use of the second scenario: If you push something, it is signed with your private key. The receiver now validates the signature against the public key it knows from you. If it matches, everything is fine.

Update: A (maybe too) simplified description of what happens (when using GitHub with SSH)

  • GitHub sends you something random that is encrypted with his _private_ key (maybe it's not that random, I don't know, but it doesn't matter here)
  • You receive it and decrypt it with his _public_ key. If this is possible, you are sure that you are really talking to the official GitHub server
  • Then you send the same random stuff encrypted with your _private_ key to the GitHub server
  • He tries to encrypt it with your _public_ key. If this is possible and it's the random stuff he sent you before, he knows for sure that you are you.
  • Then you send your stuff encrypted with his _public_ key. Now only the GitHub server can decrypt it. Also, he will answer with messages/data encrypted with your _public_ key, because only you can decrypt it.

Even if it's not completely correct, it should describe the idea.

Oozy answered 5/5, 2011 at 14:2 Comment(12)
So my public key is not public to everyone? The public key has to be kept secret by my receivers? Because if I have a public key I can decrypt the data. - Decreasing
No, your public key can be public to everyone (even if it's up to you whether you make it public or not ;)). The private key is the one you keep secret. If you have a public key, you can decrypt the data that is encrypted by the private key. This means, if you are able to decrypt the data with the public key you receive from Bob, you can be really sure that Bob encrypted it. This is more a verification than an encryption. If Bob wants to send you a secret message, he should use YOUR public key to encrypt it. - Oozy
This depends on the protocol used. With SSH or HTTPS it's encrypted at all. If you use the git protocol... I don't know :X But as far as I know it's not encrypted (to avoid overhead). With GitHub you will usually use the SSH protocol. - Oozy
If I steal the public key of Bob and put it in a place for everyone to see, is my security failing? - Decreasing
No, that just means that now (if Bob didn't publish his key himself earlier) everybody can send Bob encrypted messages that only he can decrypt. It's always: The sender encrypts something with the public key of the receiver and only the receiver is able to decrypt it, because he has the private key. The other thing is that you can verify one's identity if he sends you something encrypted with his private key, because only his public key can decrypt it. - Oozy
So what I mean is: if I steal the public key from Bob (sender), I'll be able to get the encrypted message from the receiver and decrypt it. What I mean is, if someone steals my (receiver) public key from GitHub (sender), and that someone gets my encrypted data in some way, that someone will be able to decrypt my data. Am I right? - Decreasing
No... Encryption: The sender encrypts something with the receiver's public key. Only the receiver can read the message, because only he has the key (the private one) to decrypt the message. Signature: The sender encrypts something with his private key. The receiver knows for sure that the sender is the one he told the receiver he is, because only he can encrypt the message (with his private key) such that only his public key can decrypt it. After all: The "public key" is called "public key" because there is nothing wrong with publishing it somewhere. - Oozy
@Acaz: In fact, you want your public key to be as public as possible, since the main issue with public-key cryptography is confirming that a public key belongs to who you think it does. Otherwise I might encrypt something with what I think is your public key, while it is in fact Dr. Evil's public key and now only he can read it. This is where certificates come into the picture, but that's a whole other story. - Devora
I don't understand. IF SOMEONE I DON'T LIKE (a thief) gets my (I have the private key) public key from GitHub, that thief will be able to decrypt some of my encrypted data, because he has my public key. According to that, the public key cannot be public at all, because otherwise someone will be able to decrypt my data. Am I wrong again? - Decreasing
I re-read, and re-read again, and I think I understand. The public key doesn't decrypt data. The public key only sends encrypted data. For someone with my public key to have my data decrypted, he will have his private key and send his public key to me; there is a pair of keys for each. Is that it? - Decreasing
@Acaz: It actually works both ways. If someone encrypts something with the public key, it can only be decrypted with the private key. This is used for sending messages and such. Likewise, if you encrypt something with the private key, anyone who has the public key can verify that it was you who encrypted it. So this is used for validating identity through signatures, etc. - Devora
If you've encrypted something with your private key, you didn't do that because you want to protect its contents. It's more accurate to say you signed that content with your private key. Anyone with a copy of your PUBLIC key can use that to confirm it came from you. That's the whole point of encrypting (but really think "signing") a message with your private key. That's all completely different from the encrypted transmission stream that the SSH connection sets up. - Unmerciful
D
2

A gross simplification is that when you try to push something, GitHub will send you a challenge by encrypting some random stuff with your public key and seeing if you can decrypt it or not, which you will only be able to do if you have the private key.

Devora answered 5/5, 2011 at 14:6 Comment(1)
And it's not GitHub doing that per se, that's the encryption handshake that's part of setting up the SSH connection that your local git is going to use to communicate with GitHub. - Unmerciful
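The two login challenges described in the answers above (sign a random value with the private key; decrypt a random value that was encrypted to the public key), as an added example that is not part of any answer. It uses textbook RSA with a constructed toy key and no padding, so it is insecure and for illustration only; all function names are hypothetical, and it does not model the separate session encryption that SSH sets up.

```python
import hashlib
import secrets

# Constructed toy key: textbook RSA from two Mersenne primes, no padding.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
PUBLIC, PRIVATE = (N, E), (N, D)


def apply_key(key, value):
    """The single RSA operation: value ** exponent mod n."""
    n, exponent = key
    return pow(value, exponent, n)


def digest(message: bytes) -> int:
    """Hash the message to an integer smaller than n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_key, message: bytes) -> int:
    """'Encrypting with the private key': proves origin, hides nothing."""
    return apply_key(private_key, digest(message))


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature."""
    return apply_key(public_key, signature) == digest(message)


def signature_login(client_key, stored_public_key) -> bool:
    """Server sends a fresh nonce, client signs it, server verifies."""
    nonce = secrets.token_bytes(16)
    return verify(stored_public_key, nonce, sign(client_key, nonce))


def decryption_login(client_key, stored_public_key) -> bool:
    """Server encrypts a random number to the public key; client must decrypt."""
    challenge = secrets.randbelow(N - 2) + 2
    ciphertext = apply_key(stored_public_key, challenge)
    return apply_key(client_key, ciphertext) == challenge


if __name__ == "__main__":
    # A "thief" is modelled as a client who only holds the public key.
    print("owner, signature login: ", signature_login(PRIVATE, PUBLIC))
    print("thief, signature login: ", signature_login(PUBLIC, PUBLIC))
    print("owner, decryption login:", decryption_login(PRIVATE, PUBLIC))
    print("thief, decryption login:", decryption_login(PUBLIC, PUBLIC))
```

Passing `PUBLIC` as the client key models someone who copied the public key from a profile page: both challenges fail for them, which is why publishing the key costs nothing.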
R
0

Data encrypted with a private key can be decrypted using the public key (and vice versa).

  • PKI is based upon two keys (public and private)
  • Data can be securely encrypted using either the public or private keys
  • Data can only be decrypted when using the opposite key to that which encrypted the data

Note: A public key can be generated from a private key (not the other way around). Source: https://github.com/topics/public-private-key

Rapturous answered 24/6, 2021 at 21:40 Comment(0)
