Re: bank electronic infrastructure and public-key cryptography


sci.crypt archive


From: Paul Rubin <//phr.cx@NOSPAM.invalid>
Date: Mon Dec 19 2005 - 23:24:51 CET

"christo" <openthebaydoors@hotmail.com> writes:
> Hi, can anyone fill me in on a little naivete on my part:
> when a bank uses public key cryptography, is the public key the same
> for everyone? I heard of a bank that posts their public-key on their
> web site. It seems strange that one number can be factored into two
> different prime keys for each account holder. Can anyone please fill me
> in on how the banks use this encryption technique, and how other
> cyphers are used in tandem?

If you mean for online banking (where you use a web browser and a
little padlock icon appears in the corner), then yes, there's one
public key that's specific to the bank. When a browser connects to
it, the browser generates a random secret string (call this K) and it
sends K to the bank, encrypted under the bank's public key. The bank
(and only the bank) can now use the bank's private key to decrypt K,
so the bank and the browser now share a secret (that is, K). They now
use K to generate keys for some conventional ciphers like RC4,
SHA1-HMAC, AES, and so forth.

The exact protocol is somewhat complicated and is called SSL (Secure
Socket Layer) in older versions or TLS (Transport Layer Security) in
newer versions. TLS is a slightly updated version of SSL but they are
very similar, and we often use the old term SSL even when the site is
running TLS. The TLS specification is at:

   http://www.ietf.org/rfc/rfc2246.txt
Received on Fri Dec 23 20:11:09 2005
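
The exchange described in the message above, as an added example that is not part of the original post: one bank public key serves every customer, each connection picks its own K, and both sides expand K with the PRF from RFC 2246. Assumptions: the toy RSA key, the unpadded RSA step, the AES-128-CBC/HMAC-SHA1 key sizes and all function names are constructed for illustration.

```python
import hmac
import secrets

# Toy "bank" RSA key, constructed for this example: two Mersenne primes, so it is
# trivially factorable. A real key uses random primes and PKCS#1 padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                          # public modulus: the same (N, E) for every customer
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: known only to the bank

def p_hash(algo, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC iterated over A(1), A(2), ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, algo).digest()
        out += hmac.new(secret, a + seed, algo).digest()
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 (first half of secret) XOR P_SHA1 (second half)."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha))

def session_keys(k, client_random, server_random):
    """Expand the shared secret K into per-connection MAC keys, cipher keys and IVs."""
    master = prf(k, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 104)
    # Assumed suite: AES-128-CBC with HMAC-SHA1 (20-byte MAC keys, 16-byte keys and IVs).
    names = ("client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv")
    keys, pos = {}, 0
    for name, size in zip(names, (20, 20, 16, 16, 16, 16)):
        keys[name], pos = block[pos:pos + size], pos + size
    return keys

def browser_send_k():
    """Browser: pick a fresh 48-byte K and encrypt it under the bank's public key."""
    k = b"\x03\x01" + secrets.token_bytes(46)
    return k, pow(int.from_bytes(k, "big"), E, N)  # textbook RSA, no padding

def bank_recover_k(ciphertext):
    """Bank: only the holder of D can turn the ciphertext back into K."""
    return pow(ciphertext, D, N).to_bytes(48, "big")

def handshake():
    """One connection; returns the key sets computed by the browser and by the bank."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    k, wire = browser_send_k()
    return session_keys(k, cr, sr), session_keys(bank_recover_k(wire), cr, sr)
```

Calling `handshake()` twice uses the same `(N, E)` both times but yields unrelated session keys, which is why a single published bank key does not mean customers share keys.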