I noticed that some services use the approach of giving users two keys for authentication instead of one: a public key and a secret. I can't understand why this is necessary if the requests are still signed under the hood using a token that is generated from those two keys. Why not drop the extra step of generating the token and just generate it immediately on the dashboard for use? Or am I missing something?

asked March 19th 20 at 09:06

2 answers

answered on

Solution

To answer this question it is necessary to understand what asymmetric encryption is.

A brief explanation. Asymmetric encryption is used for secure data transmission in an obviously unsafe environment. With symmetric encryption algorithms, both parties must agree in advance on which key to use, which is potentially unsafe because the key can be intercepted and used to perform a MITM attack, eavesdropping, or packet forging.

Diffie-Hellman is commonly used as the simplest one. Important! In its pure form, the implementation of this algorithm is vulnerable to several types of attacks, so modified versions of it are often used.

**It works like this.**

Alice and Bob want to exchange messages.

Step 1. They publicly agree on using a specific formula to calculate the correctness of their keys. For this example, a^x (mod b), where a is the public key used in the formula, b is the public key of the opponent, and x is the secret key.

Step 2. Each thinks up a secret number: for Alice, for example, 3, and for Bob 6. This number is not transmitted anywhere but is used to compute the result of the original formula, A^3 (mod B); the result is Z for Alice and U for Bob.

Step 3. They exchange the results and evaluate the formula again, substituting the opponent's resulting value for the number. For Alice this will be Z^3 (mod B). The result of this action, the key (it will be the same for both), will be the signing key for the exchange of further messages.

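The three steps above carried through in code, as an added example that is not part of the original answer. It uses the textbook Diffie-Hellman form g^x mod p with constructed toy parameters (p = 23, g = 5) and the answer's secret exponents 3 and 6; the range check on the received value and the hashing of the raw shared number into a message-authentication key are the details the "pure form" warning in the answer refers to.

```python
"""Toy Diffie-Hellman exchange for the Alice/Bob steps above (added example).
Constructed toy parameters; real deployments use a 2048-bit or larger safe
prime or an elliptic-curve group, never these values."""
import hashlib
import hmac

# Step 1: public, agreed parameters (constructed toy values).
P = 23
G = 5


def dh_public(secret: int, p: int = P, g: int = G) -> int:
    """Step 2: the value sent over the wire, g^secret mod p; secret stays local."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int = P) -> int:
    """Step 3: combine the opponent's public value with our own secret."""
    if not 1 < peer_public < p - 1:
        # 0, 1 and p-1 force a trivial shared secret; reject them.
        raise ValueError("peer public value outside the safe range")
    return pow(peer_public, secret, p)


def derive_key(shared: int, transcript: bytes) -> bytes:
    """Hash the raw shared integer (plus the exchanged values) into a symmetric key."""
    return hashlib.sha256(shared.to_bytes(32, "big") + transcript).digest()


def sign_message(key: bytes, message: bytes) -> str:
    """Authenticate a later message with the derived key (the 'key signature')."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def run_exchange(alice_secret: int = 3, bob_secret: int = 6) -> dict:
    """Carry the three steps through and return every intermediate value."""
    a_pub = dh_public(alice_secret)  # Alice sends this; 3 never leaves her side
    b_pub = dh_public(bob_secret)    # Bob sends this; 6 never leaves his side
    transcript = f"{G}|{P}|{a_pub}|{b_pub}".encode()
    alice_shared = dh_shared(b_pub, alice_secret)
    bob_shared = dh_shared(a_pub, bob_secret)
    alice_key = derive_key(alice_shared, transcript)
    bob_key = derive_key(bob_shared, transcript)
    return {"alice_public": a_pub, "bob_public": b_pub,
            "alice_shared": alice_shared, "bob_shared": bob_shared,
            "keys_match": alice_key == bob_key,
            "tag": sign_message(alice_key, b"hello Bob")}
```

With these toy numbers Alice sends 10 and Bob sends 8, and both arrive at the shared value 6; nothing in the exchange itself proves who sent 10 or 8, which is why real protocols sign or otherwise authenticate the public values.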
answered on March 19th 20 at 09:10

Read about asymmetric encryption.

In short, the message is encrypted using the public key and decrypted using the secret one. Asymmetric encryption solves the problem of transmitting the key, when it must be passed in such a way that no one can steal it.
