End to End encryption email web application

hello all Hope this thread is within the scopes of the forum. if not feel free to say so :D

For my final year project I would like to try and set an end-to-end secure email web application (regardless of language DB or server).

I was going through encryptions and such and got stuck at public-key encryption. Quoting from HowStuffWorks

The sending computer encrypts the document with a symmetric key, then encrypts the symmetric key with the public key of the receiving computer. The receiving computer uses its private key to decode the symmetric key. It then uses the symmetric key to decode the document.

So the text gets encrypted using a symmetric key and the symmetric key is encrypted using the public key of the receiving comp? but then the receiving comp uses its private key to decode the symmetric key? why not use its own public key ? I dont understand it and i am getting lost.

Furthermore although i didnt fully understand public-key encryption and services that use it like PGP i read on about digital certificates but again i dont understand how reliable that is, wouldnt it be better to continue using the authentication that the user used/passed in order to log in to his account?

In addition to all the above I was wondering if there are any good steps that can be used in order to prove the security of the system.

This is my first contact with encryption methods and such so please be a little patient with my ignorance.

Thank you even for reading!

P.S

• Is there any better way known rather than public-key encryption? been wondering how good that is with the recent events and publications about NSA computer processing power.

In a rush so I can't give a super detailed answer but here's a quick overview:

You more or less have the right idea. When you first make a connection over SSL to a website, they will send you their public key, what ciphers they support, and some additional info. Next, you decide whether or not you trust the key. If it's signed by a company like Verisign, you can decrypt the validation information that is sent along with the key (look up key signing).

If you don't trust the server, the connection is immediately terminated, otherwise you can choose a new encryption method to encrypt the data (generally aes) and send the server a symmetric key to encrypt/decrypt the data. The only reason we use an encryption method like AES over RSA is because AES is much faster. From this point data, is sent back and forth using the agreed encryption method with the agreed key.

so if i understood correctly, you explained a bit about the SSL connection with the web application/service and the certificates, but didnt mention anything about how the public-key would work on an encrypted email sent to another user?

Dont get me wrong , I am just trying to understand because I think I asked a bit too many information in one go.

Thanks for the info tho much appreciated!

The public key is just what it says it is man, it's public, anyone can search for it using your email address, and add it to their own key management software.

The public key is used to encrypt the email you send to the person you got it from, they use the private key to decrypt it.

You should also have generated a revocation certificate, so that if the private key is ever compromised you can invalidate your public key.

if you encrypt with the public key why does the other person need the private key to decrypt it?

Because the key pair are mathematically related, whatever is encrypted with a public key can only be decrypted by its corresponding private key.

Even if someone else gains access to the encrypted data, it will remain confidential as they should not have access to the private key.

Without the private key, no one can decrypt the encrypted data.