You are designing a mobile chat application. You want to ensure people cannot spoof chat messages, by proving a message was sent by a specific user. What should you do?
A. Tag messages client side with the originating user identifier and the destination user.
B. Encrypt the message client side using block-based encryption with a shared key.
C. Use public key infrastructure (PKI) to encrypt the message client side using the originating user's private key.
D. Use a trusted certificate authority to enable SSL connectivity between the client application and the server.
I am not sure about this one. D works if SSL client authentication is enabled.
C works as well if the client encrypts the message with its private key and the server decrypts with the public key.
I prefer C.
Encrypting each block and tagging each message at the client side is an overhead on the application. The best method, which has been adopted for years, is to contact an SSL provider and use a public certificate to encrypt the traffic between client and server.
D is correct
If you use the server's public certificate to encrypt your data, you only ensure that the right server is the only one who can read you.
But anyone can use the same encryption key as you did and pretend to be you. Hence it does not solve our authentication problem.
SSL doesn't use the server's public key to encrypt data. This is definitely wrong. Please read the SSL specs. SSL uses a separate session key for message encryption. This session key is temporary and is rotated for every single session.
1. Digital Signatures and Non-Repudiation: PKI provides the foundation for digital signatures. When a user sends a message, it's encrypted with their private key. The recipient can then use the sender's public key to decrypt it. This ensures:
- Authenticity: The message truly originated from the claimed sender.
- Non-repudiation: The sender cannot deny sending the message.
- Integrity: The message hasn't been tampered with in transit.
2. How it prevents spoofing: Since only the sender has access to their private key, no one else can create a message that would decrypt correctly with their public key. This effectively prevents spoofing.
The "C" answer is either messed up on purpose, or somebody dumped it wrong.
When you use PKI (Public Key Infrastructure), you encrypt using a _public_ key of the recipient, and the recipient decrypts using their _private_ key. Sample reference that this is correct: https://www.keyfactor.com/education-center/what-is-pki/
On the contrary, when a message is _digitally signed_, the originator is using their _private_ key to sign the message, and the recipient is verifying it using the _public key_ of the _originator_.
I still don't know which answer would I choose on the actual exam.
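The signing-versus-encryption distinction drawn in the comment above (and the "private key of the sender for integrity, public key of the receiver for confidentiality" point made further down the thread), as an added worked example that is not part of the original thread: a hypothetical chat envelope is signed client side with the sender's Ed25519 private key and checked by the recipient against a public-key directory that stands in for the PKI lookup. The Envelope layout, the Directory type, the user names and the Demo function are assumptions made for this example only; the signature covers the sender and recipient tags as well as the body, which is what makes re-tagging (option A on its own) detectable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Envelope is a hypothetical wire format for one chat message (an assumption
// for this example). From/To are the client-side tags of option A; Sig is a
// detached Ed25519 signature over every other field, so an intermediary
// cannot change the sender tag, the recipient tag or the body without
// invalidating it.
type Envelope struct {
	From string `json:"from"`
	To   string `json:"to"`
	Seq  uint64 `json:"seq"` // per-sender counter so a message cannot be replayed as a new one
	Body string `json:"body"`
	Sig  []byte `json:"sig,omitempty"`
}

// signingInput serialises every field except Sig in a fixed order so the
// signer and the verifier compute the signature over identical bytes.
// e is passed by value, so clearing Sig here does not touch the caller's copy.
func signingInput(e Envelope) []byte {
	e.Sig = nil
	b, err := json.Marshal(e) // struct field order is deterministic
	if err != nil {
		panic(err)
	}
	return b
}

// Sign runs on the sender's device: only the sender holds priv.
func Sign(priv ed25519.PrivateKey, e Envelope) Envelope {
	e.Sig = ed25519.Sign(priv, signingInput(e))
	return e
}

// Verify runs on the recipient (or server): the sender's PUBLIC key is all
// that is needed, and publishing it gives nobody the ability to forge.
func Verify(pub ed25519.PublicKey, e Envelope) bool {
	if len(e.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, signingInput(e), e.Sig)
}

// Directory maps a user id to that user's public key. It stands in for the
// PKI piece (certificates issued to users and looked up by identity).
type Directory map[string]ed25519.PublicKey

// Accept is the receiver-side check: the key is chosen by the CLAIMED sender
// in e.From, so a message tagged as "alice" only passes if alice signed it.
func (d Directory) Accept(e Envelope) bool {
	pub, ok := d[e.From]
	if !ok {
		return false
	}
	return Verify(pub, e)
}

// Demo builds a constructed scenario and returns (genuine, retagged, tampered)
// verification results, so the three cases can be checked by name.
func Demo() (genuine, retagged, tampered bool) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	malloryPub, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := Directory{"alice": alicePub, "mallory": malloryPub}

	// Genuine message from alice to bob.
	msg := Sign(alicePriv, Envelope{From: "alice", To: "bob", Seq: 1, Body: "hi bob"})
	genuine = dir.Accept(msg)

	// Spoofing attempt 1: mallory tags her own message as alice (option A alone).
	// She can only sign with her own private key, so the lookup of alice's
	// public key rejects it.
	forged := Sign(malloryPriv, Envelope{From: "alice", To: "bob", Seq: 2, Body: "send me money"})
	retagged = dir.Accept(forged)

	// Spoofing attempt 2: the body of a genuine message is altered in transit.
	altered := msg
	altered.Body = "send me money"
	tampered = dir.Accept(altered)
	return
}

func main() {
	g, r, t := Demo()
	fmt.Println("genuine accepted:", g)   // true
	fmt.Println("re-tagged accepted:", r) // false
	fmt.Println("tampered accepted:", t)  // false
}
```

Note the asymmetry the thread keeps circling: the operation that proves origin uses the sender's private key and is a signature, not an encryption, and the message body stays readable by anyone. Confidentiality would be a separate step (encrypting to the recipient's public key), and a TLS channel to the server, option D, protects the hop but says nothing about who composed the message once it is stored or relayed.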
Option A is not secure because anyone who intercepts the message could modify the user identifiers. Option B does not provide a way to verify the sender’s identity. Option D is important for securing the connection between the client and server, but it does not prevent message spoofing by itself.
Hence C.
Answer : D
Let me clarify what PKI is saying. I think the answer is D. Reason: just understand what option C says, i.e. using PKI to encrypt messages using the originating user's private key. Now a couple of people are saying that it is good and that the server will then decrypt the message using the public key, but can't you see that anyone in the whole world will be able to see the messages, as the public key is available publicly? Ideally the solution should have been: encrypt the messages using the public key of the receiver, then the receiver would have decrypted using his private key, which absolutely makes sense. Talking about SSL, I think it's one of the most widely used secure technologies for communication between client and server.
Option C - Use public key infrastructure (PKI) to encrypt the message client-side using the originating user's private key: Using PKI to encrypt messages using the originating user's private key provides end-to-end encryption, which means only the intended recipient can decrypt the message. This option also ensures that the message's authenticity is protected. If a malicious user changes the sender's name, the recipient will not be able to decrypt the message since it was not encrypted using the correct private key. This option is a strong method for securing chat messages.
As the question is about ensuring a specific user sent a message, the answer could not be D, which would ensure secure message transmission but not message origin (which can only be done by using asymmetric keys).
To prevent message spoofing, it is important to ensure that messages cannot be altered or forged by anyone other than the originating user. One way to accomplish this is by using public key infrastructure (PKI) to encrypt messages using the originating user's private key.
To ensure that chat messages cannot be spoofed and that the messages are truly sent by a specific user, the best option would be to use public key infrastructure (PKI) to encrypt the message client side using the originating user's private key. This would allow the recipient to verify the authenticity of the message by using the originating user's public key to decrypt the message.
Option A, tagging the message with the originating user identifier and the destination user, would not ensure the authenticity of the message, as it could potentially be forged by an attacker.
Option B, encrypting the message using block-based encryption with a shared key, would also not ensure the authenticity of the message, as the shared key could potentially be compromised by an attacker.
Option D, using a trusted certificate authority to enable SSL connectivity between the client application and the server, would help to secure the communication channel between the client and the server, but it would not necessarily ensure the authenticity of the chat messages themselves.
Overall, using PKI and the originating user's private key to encrypt the message would be the most effective way to ensure the authenticity of the chat messages in your mobile chat application.
C is the answer. The requirement is the integrity of messages sent, in CIA security terms (Confidentiality, Integrity, and Availability). For confidentiality, use the public key of the receiver; for integrity, use the private key of the sender. D works in case of SSL client authentication.
PKI uses X.509 certificates and public keys, where the key is used for end-to-end encrypted communication, so that both parties can trust each other and test their authenticity. PKI is mostly used in TLS/SSL to secure connections between the user and the server, where the user tests the server's authenticity to make sure it's not spoofed.