RSA Key Information and Usage

From BitWise DocuWiki

What are RSA keys and how does BitWise use them?

RSA keys come as a key pair: a public key and a private key. As the names imply, the private key is kept secret by its owner, and the public key can be given to anyone. A message encrypted with the public key can only be decrypted with the matching private key; conversely, a value produced with the private key can be checked by anyone holding the public key, which is how RSA signatures work. The security of the pair rests on mathematics, in particular on the difficulty of factoring the product of two large prime numbers. For more information about the theory of RSA and public-key encryption, see the Wikipedia: Public-key cryptography entry.

BitWise uses RSA keys only to exchange the Blowfish key that actually encrypts your messages, files, whiteboards, etc. This is the usual hybrid arrangement: the comparatively slow public-key algorithm protects a short symmetric key, and the fast symmetric cipher protects the data. For more information about the specific encryption methods used by BitWise, please see our encryption whitepaper (http://www.bitwiseim.com/whitepapers/encryption.txt). In BitWise Personal, the RSA keys are randomly generated for you. BitWise Plus and Professional users can use their own keys, which is what this page is about. For more information about BitWise Plus, including all features and upgrade information, see the Encryption Keys Features (http://www.bitwiseim.com/features.php?f=Keys) page.

Why do I have to store my contacts' public keys?

You must store your contacts' public keys so that, in future sessions, you can be sure you are talking to the same person. If a contact's public key changes, it may be a sign that their password was stolen and someone else is using their account. If you do not store their public key, you will not be alerted to a possible identity breach. Note that a stored key only lets BitWise detect changes after the first exchange; if you want to be sure that the very first key you receive is genuine, confirm it with your contact through another channel (in person or by phone) before relying on it.

How do I get my own keypair to use with BitWise?

You must be a BitWise Plus or Professional user to use your own keypair.

To generate or load an RSA keypair, use the Encryption preferences. You can have BitWise generate a keypair, or you can load from files a keypair that you generated with another program (see Generating RSA keys). The public key is always stored in the registry, since it does not need to be kept secret.

You can store your private key in three ways:

  • Preferences: The private key is stored with your preferences. This option is reasonably safe for computers in private places, such as at home, where others do not have access to the computer; anyone who can read your preferences can read the key.
  • File: The private key is stored in a file, and the file name is stored in the preferences. The file can be located anywhere, for example on a removable thumbdrive that you carry with you.
  • Prompt: Each time you log in to BitWise, you will be prompted to load or paste your private key. This is the most secure option, since BitWise does not keep a copy of the key between sessions, but it is also the least convenient.

Receiving a public key for the first time

When you receive a key for the first time from a contact, you will see a window that looks like this:

If you have not specified a folder for storing your contacts' public keys, the dialog will include a browse button.

This alert can be disabled from the Encryption preferences, although it will be shown the first time you receive a key and don't have a key store folder specified.

Public key matches stored key

After you have stored a contact's public key, each time a new connection is started (e.g. a new conversation or a file transfer), the contact sends the public key again, allowing BitWise to compare it to the key you have stored. If the keys match, you are not alerted, but if you click the padlock in the conversation window, you will see a window that looks like this:

The checkmark on the padlock icon lets you know that the key matched.

Public key not received

If you connect to a contact and do not receive a public key, but you have received a public key in the past, you will see a dialog that looks like this:

This alert cautions you that the identity of the contact could not be confirmed by matching the public keys. There are several possibilities:

  • The contact lost his or her keypair.
  • The contact has logged in from a location other than their usual location and did not bring their keypair along.
  • Someone has stolen your contact's name and password and therefore is not able to present the correct key.

You should be cautious and verify the contact's identity by another means (for example, by asking a question to which only he or she knows the answer).

This alert can be disabled from the Encryption preferences.

Public key doesn't match stored key

If you connect to a contact and receive a different public key than you have stored, you will see a dialog that looks like this:

This alert cautions you that the identity of the contact could not be confirmed by matching the public keys. There are several possibilities:

  • The contact lost his or her keypair and generated a new one.
  • The contact has logged in from a location other than their usual location and made a new keypair.
  • Someone has stolen your contact's name and password and therefore is not able to present the correct key.

You should be cautious and verify the contact's identity by another means (for example, by asking a question to which only he or she knows the answer, or by confirming the key change with your contact through a channel outside BitWise, such as a phone call). If you are confident that you are indeed talking to your contact and not an impostor, click Update Stored Key to replace your stored key with the one your contact has just presented; until you do, BitWise keeps comparing against the old key.

This alert can be disabled from the Encryption preferences.
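The key-handling rules described in the sections above (store a contact's key the first time it is seen, accept a matching key silently, and warn when no key or a different key arrives) can be summarised in a small amount of code. The following Go program is an added example, not BitWise's code; the KeyStore type, the SHA-256 fingerprint format and the sample key bytes are assumptions made for the example. It goes slightly beyond the page in one respect: a connection from a contact with no stored key that also sends no key is reported as "not received", since there is nothing to compare in that case either.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyStatus is the result of comparing the key a contact presents on a new
// connection with the key stored for that contact. Each value corresponds to
// one of the situations described on this page.
type KeyStatus int

const (
	FirstSeen   KeyStatus = iota // nothing stored yet: ask whether to store the key
	Match                        // stored key matches: padlock shows a checkmark
	NotReceived                  // no key presented: identity cannot be confirmed
	Mismatch                     // a different key presented: identity cannot be confirmed
)

func (s KeyStatus) String() string {
	return [...]string{"first-seen", "match", "not-received", "mismatch"}[s]
}

// KeyStore plays the role of the key store folder: one pinned public key per
// contact, kept as a hex SHA-256 fingerprint of the encoded key bytes
// (an assumed format for this example).
type KeyStore struct {
	pins map[string]string // contact -> fingerprint
}

func NewKeyStore() *KeyStore { return &KeyStore{pins: map[string]string{}} }

// Fingerprint turns an encoded public key into a short value that is easy to
// compare, and easy to read out over the phone when verifying out of band.
func Fingerprint(encodedPublicKey []byte) string {
	sum := sha256.Sum256(encodedPublicKey)
	return hex.EncodeToString(sum[:])
}

// Check classifies what a contact presented (nil means no key was received).
// It deliberately never changes the store: a mismatch stays a mismatch until
// the user has verified the contact's identity and calls Pin to update.
func (ks *KeyStore) Check(contact string, presented []byte) KeyStatus {
	stored, known := ks.pins[contact]
	switch {
	case presented == nil:
		return NotReceived // applies whether or not a key is stored
	case !known:
		return FirstSeen
	case Fingerprint(presented) == stored:
		return Match
	default:
		return Mismatch
	}
}

// Pin stores (or, after out-of-band verification, replaces) a contact's key.
// This is the action behind both the first-time dialog and "Update Stored Key".
func (ks *KeyStore) Pin(contact string, presented []byte) {
	ks.pins[contact] = Fingerprint(presented)
}

func main() {
	// Constructed sample key material; real keys would be DER or PEM bytes.
	aliceKey := []byte("-----BEGIN PUBLIC KEY----- constructed key A -----END PUBLIC KEY-----")
	imposterKey := []byte("-----BEGIN PUBLIC KEY----- constructed key B -----END PUBLIC KEY-----")

	ks := NewKeyStore()
	fmt.Println("first connection:", ks.Check("alice", aliceKey)) // first-seen
	ks.Pin("alice", aliceKey)
	fmt.Println("next connection:", ks.Check("alice", aliceKey))   // match
	fmt.Println("no key sent:", ks.Check("alice", nil))            // not-received
	fmt.Println("different key:", ks.Check("alice", imposterKey)) // mismatch
	fmt.Println("still pinned:", ks.Check("alice", aliceKey))     // match
}
```

The important design point is that Check is read-only: seeing a different key must never silently replace the stored one, because automatic replacement would turn the mismatch warning into a no-op for exactly the attacker it is meant to catch. Only an explicit Pin, made after the user has verified the contact by another means, moves the trust to the new key.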