3

Alice has a password that she would like to use for decryption. Alice isn't able to store any other information, but she has access to any program/mechanism you choose. How can she create an encryption key for Bob, so Bob will be able to encrypt messages, but won't be able to decrypt them and Alice will be able to decrypt them using password? Following applies:

  • Bob is able to provide Alice any data alongside with the encrypted messages.
  • Communication of Alice and Bob is already secured. Purpose of this isn't to secure the communication.

What have I tried
First I thought about general RSA and password protected ssh keys. But Alice won't be able to remember private key. But she could provide both pub and priv key to Bob. Bob would be using pub key to encrypt message, sending the priv key alongside each message. Alice would use priv key and password to decrypt the message... questionmark? I'm not sure if ssh keys can be used this way. Also it doesn't feel like right tool to use.

I'm not trying to reinvent the wheel. I think such a mechanism has been implemented already, I'm just not aware of its existence (or maybe I'm aware of the tool, but do not realize it can be used this way).

4
  • 2
    You say that the communication is already secured and the purpose of this is not to secure the communication. So then what is the goal here? What are your requirements that are not met by simply sending Bob's unencrypted message over the secure channel?
    – Bergi
    Commented Aug 2, 2023 at 0:47
  • "Bob will be able to encrypt messages, but won't be able to decrypt them" - it sounds like any scheme hinges on the assumption that Bob doesn't simply remember (store) the message content that he sent.
    – Bergi
    Commented Aug 2, 2023 at 0:50
  • @Bergi it is ok for Bob to access his own messages. It is a scheme where you do not trust Bob with the password itself.
    Commented Aug 3, 2023 at 7:46
  • But then really you don't need a password for anything at all. Just use the established secure channel.
    – Bergi
    Commented Aug 3, 2023 at 8:43

2 Answers

10

One way to do this is to use elliptic curve (EC) cryptography. Alice could start by taking a SHA256 hash of her password, which would result in a 256-bit value which she could use as her private key. Then, she can multiply this value by an EC generator point, to create a public key, which she could give Bob.

7
  • hash the password, why didn't I think of that? I'm clearly out of league, thank you! The rest is also brilliant.
    Commented Jul 31, 2023 at 11:51
  • 7
    Instead of a hash, you might want to use a key-derivation function, which helps limit brute-force attacks by making the hashing process more expensive. PBKDF2, bcrypt, scrypt, and Argon2 are some common options. (In this situation, you might need to include the salt as part of the message.)
    – JBYoshi
    Commented Aug 1, 2023 at 2:31
  • RSA can be used for both encryption and signing. I'm only aware of EC for DH secret generation and DSA signing. Are you sure EC can be used for encryption, as requested by the question?
    – Nayuki
    Commented Aug 1, 2023 at 7:11
  • 1
    @Nayuki, Yes, EC can be used with ECIES for asymmetric encryption/decryption of messages. See security.stackexchange.com/questions/201284/… for more info.
    – mti2935
    Commented Aug 1, 2023 at 11:39
  • 3
    OP, To @JBYoshi's point - I would not recommend using this solution in practice, as using just a single round of unsalted SHA256 is a very weak method of deriving a key from a password. If Alice uses a weak password, this can be cracked easily if the attacker knows Alice's public key - the attacker just needs to repeat the steps in my answer above repeatedly, using brute force, until he finds that password that produces Alice's public key. Nowadays, attackers with just a few thousand dollars worth of equipment can do trillions of SHA256 hashes per second.
    – mti2935
    Commented Aug 1, 2023 at 12:02
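The elliptic-curve scheme from the answer above, combined with the salted key-derivation function and the ECIES-style key agreement suggested in its comments, as an added example that is not part of the original answer or comments. Assumptions: X25519 as the curve, PBKDF2-HMAC-SHA256 as the KDF, and the function names are all choices made for this sketch; the scalar multiplication is a non-constant-time teaching implementation, and the returned 32-byte key is meant to be used with an AEAD cipher from a vetted library.

```python
import hashlib, os

P = 2**255 - 19                      # Curve25519 field prime
BASE = (9).to_bytes(32, "little")    # generator point (u-coordinate)

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 scalar multiplication. Teaching version: not constant-time."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        x3 = (d * a + c * b) ** 2 % P
        z3 = x1 * (d * a - c * b) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def private_key(password: str, salt: bytes) -> bytes:
    # Salted, slow KDF in place of a single round of SHA-256
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, 32)

def alice_keygen(password: str):
    salt = os.urandom(16)            # not secret; Bob returns it with each message
    return salt, x25519(private_key(password, salt), BASE)

def _session_key(shared: bytes, eph_pub: bytes, alice_pub: bytes) -> bytes:
    return hashlib.sha256(b"example-kem" + shared + eph_pub + alice_pub).digest()

def bob_encapsulate(alice_pub: bytes):
    eph = os.urandom(32)             # fresh ephemeral key for every message
    eph_pub = x25519(eph, BASE)
    return eph_pub, _session_key(x25519(eph, alice_pub), eph_pub, alice_pub)

def alice_decapsulate(password: str, salt: bytes, eph_pub: bytes) -> bytes:
    sk = private_key(password, salt)  # re-derived from the password, never stored
    return _session_key(x25519(sk, eph_pub), eph_pub, x25519(sk, BASE))
```

Bob keeps the salt and Alice's public key, and sends the salt and `eph_pub` next to each ciphertext; Alice needs nothing but the password to recover the session key.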
4
  1. Alice possesses a secret password that only she knows.

  2. Alice optionally hashes her password (e.g. with SHA-256) to distill its entropy or prevent guessing (e.g. PBKDF2).

  3. Alice takes the password or hash and uses it to seed a cryptographically secure random number generator (CSRNG).

  4. Alice uses the CSRNG to deterministically generate an RSA public-private key pair. The result will always be the same given the same password; Alice does not need to store the public or private key.

  5. Alice gives the public key to Bob.

  6. When Bob wants to send a message to Alice, he creates a new AES symmetric encryption key, encrypts the key by RSA using the aforementioned public key, and encrypts the message with the AES key.

  7. Alice uses her secret password to re-create the private key to decrypt the AES symmetric key, and uses that to decrypt the message.

Note:

> But she could provide both pub and priv key to Bob.
>
> Bob would be using pub key to encrypt message, sending the priv key alongside each message.

Alice absolutely must not give her private key to Bob! That would let Bob decrypt other people's messages to Alice, and also let any eavesdropper decrypt Bob's messages to Alice.

3
  • 2
    "Alice absolutely must not give her private key to Bob! That would let Bob decrypt other people's messages to Alice".... not true if the key were password-protected as the OP specified.
    – Sneftel
    Commented Aug 1, 2023 at 10:56
  • How do you "deterministically generate an RSA public-private key pair"? Any particular tool + config you can suggest?
    Commented Aug 3, 2023 at 7:42
  • @EntityBlack For example, when java.lang.BigInteger is given two different java.util.Random (RNG) objects that each generates the same sequence of random numbers, you will get the same prime number twice. So the primes or keys generated only depend on the RNG seed.
    – Nayuki
    Commented Aug 4, 2023 at 0:59
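One way to carry out steps 2 to 7 of the answer above, as an added example that is not code from the answer or its comments. Assumptions: PBKDF2 with a salt that Bob stores and returns, SHA-256 in counter mode standing in for the seeded CSRNG, and all function names are hypothetical; instead of padding and encrypting an AES key, Bob uses RSA-KEM style wrapping (he encrypts a random value and hashes it into the symmetric key).

```python
import hashlib, math, secrets
from itertools import count, islice
SMALL = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def seeded_stream(seed):
    """SHA-256 in counter mode: stands in for the answer's seeded CSRNG."""
    for i in count():
        yield from hashlib.sha256(seed + i.to_bytes(8, "big")).digest()

def is_probable_prime(n):
    """Trial division, then Miller-Rabin with fixed bases (n is odd and large)."""
    if any(n % q == 0 for q in SMALL):
        return n in SMALL
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in [2] + SMALL:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(stream, bits, e):
    while True:
        c = int.from_bytes(bytes(islice(stream, bits // 8)), "big")
        c |= (3 << (bits - 2)) | 1          # force size and oddness
        if math.gcd(e, c - 1) == 1 and is_probable_prime(c):
            return c

def rsa_from_password(password, salt, bits=2048, e=65537):
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, 32)
    stream = seeded_stream(seed)
    p, q = next_prime(stream, bits // 2, e), next_prime(stream, bits // 2, e)
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))   # (public key, private d)

def bob_wrap(pub):
    n, e = pub
    r = secrets.randbelow(n - 2) + 2        # fresh random value per message
    return pow(r, e, n), hashlib.sha256(str(r).encode()).digest()

def alice_unwrap(password, salt, wrapped, bits=2048):
    (n, e), d = rsa_from_password(password, salt, bits)
    return hashlib.sha256(str(pow(wrapped, d, n)).encode()).digest()
```

Regenerating the same key later depends on every detail of this procedure staying fixed (KDF parameters, stream construction, candidate order), so any change to the prime-generation code changes the key.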
