Resources

 Public Key Cryptography                                                                         

What is Public Key Cryptography?
What is a digital envelope?
What is RSA?
What are certificates?
Who issues certificates and how?
How are certificates used?
What is a digital signature and what is authentication?
Does everybody that I communicate with need a key pair?
How do I get a key pair?
What key size should be used?
How do I find someone else's Public Key?

 

Other Guides

Certification Authorities

Introduction to Secure Internet Commerce and E-mail

Introduction to Cryptography

 

 

 

 

 

 

What is Public Key cryptography?

The original forms of cryptography involved the use of a single secret key that was used to both encrypt and decrypt the message (known as symmetric cryptography). The challenge was always the logistics of communicating the secret key to the intended recipient without other parties gaining knowledge of the key.

In 1976, Whitfield Diffie and Martin Hellman introduced the concept of Public Key cryptography (asymmetric cryptography). In their system, each person is the owner of a mathematically related pair of keys: a Public Key, intended to be available to anyone who wants it; and a Private Key, which is kept secret and only known by the owner. Because messages are encrypted with a Public Key and can only be decrypted by the related Private Key, the need for the sender and receiver to communicate secret information (as is the case in symmetric cryptography) is eliminated.

The two primary uses of Public Key cryptography, encryption and digital signatures, are explained below:

Encryption: Messages are encrypted by using the Public Key of the intended recipient. Therefore, in order to encrypt a message, you must either have the Public Key sent to you from the recipient, or obtain the Public Key through a directory of Public Keys, such as that posted by IDRBT CA. The recipient of the message decrypts the message by using their Private Key. Because only the recipient has access to the Private Key (through password protection or physical security), only the recipient can read the message.

Digital Signatures: When signing a message, the sender's computer, through their e-mail application, performs a calculation that involves both their Private Key and the message that is going to be sent. The result of the calculation is a digital signature, which is then included as an attachment to the original message. The recipient of the message performs a similar calculation that includes the message, the digital signature of the sender, and the sender's Public Key. Based on the result of the recipient's calculation, known as a hash, it can be determined whether the signature is authentic (or is fraudulent) and whether the message had been intercepted and/or altered at any point between the sender and the recipient.  

Top

 

 

 

What is a digital envelope?

The digital envelope involves transmitting a message that has been encrypted using secret key (symmetric) cryptography combined with an encrypted secret key that usually has been encrypted using Public Key (asymmetric) cryptography. (Public Key cryptography is not always necessary, such as in cases where both parties already know the secret key.)

Not only do digital envelopes help solve the key management/key transfer problem, they increase performance (relative to using a Public Key system for direct encryption of message data) without sacrificing security. The increase in performance is obtained by using the more efficient symmetric encryption to encrypt the potentially large and variably sized amount of message data, while the less efficient asymmetric cryptography is reserved only for encryption of the symmetric keys.

Generally speaking, secret key cryptosystems are much faster than Public Key cryptosystems. Top

   

 

 

 

What is RSA?

RSA is a Public Key (asymmetric) cryptosystem that offers both encryption and digital signatures (authentication). RSA was developed in 1977 and is named after the three developers of the technology Ron Rivest, Adi Shamir, and Leonard Adleman.

Public Key encryption is based on two mathematically related keys that are generated together. Each key in the pair performs the inverse function of the other so what one key encrypts, the other key decrypts, and vice versa. Because each key only encrypts or decrypts in a single direction, Public Key encryption is also known as asymmetric encryption.

A Public Key system has two keys: one of the keys in the pair is made publicly available (thus the term "Public Key encryption"), and the other is kept private, either on a hardware token such as a smart card, or hidden in software that performs the cryptographic functions on your computer (typically secured with a password).

Encryption and authentication take place without any sharing of Private Keys: each person uses only another's Public Key or their own Private Key. Anyone can send an encrypted message or verify a signed message, but only someone in possession of the correct Private Key can decrypt or sign a message. Top

 

 

 

What are certificates?

Certificates are attachments to an electronic message that are used for security purposes. The two common uses of a digital certificate include authenticating that a user sending a message is who he/she claims to be and providing the receiver with the means to encode a reply by using the senders Public Key, which makes up part of the certificate.

If you wish to send an encrypted message, you must apply for a digital certificate from a Certification Authority, commonly referred to as a CA. The CA will issue a digital certificate that contains the applicant's Public Key, validity data, a serial number, and information about the CA and a variety of other identification information. Top

 

 

 

 

Who issues certificates and how?

Certificates are issued by a Certification Authority (CA) such as IDRBT CA. A CA is a trusted entity whose central responsibility involves certifying the authenticity of individuals and organizations. For an individual to obtain a certificate from a CA, they must generate a key pair on their own computer and then send the Public Key portion of the key pair to a CA with appropriate proof, based upon criteria stipulated by the CA, that ascertains their identity. Once the CA verifies the validity of the applicant's identification, a certificate is issued.

In many ways the function of a CA can be compared to that of a country's passport-issuing office. A passport acts as a document that certifies that the citizen is who he or she claims to be�foreign countries trust the authority of the passport-issuing country and, therefore, recognize the authenticity and validity of the passport. Top

 

 

 

 

How are certificates (digital certificates) used?

Certificates (digital certificates) are used in the transmission of electronic messages in order to identify the sender of the message. The primary purpose of a digital certificate is to instill confidence in the recipient of an electronic message that the Public Key that they are viewing is legitimate and that the sender of the message is who they claim to be.

A Certification Authority (CA) such as IDRBT CA issues the digital certificates.

What is authentication and what is a digital signature?

Authentication can be defined as any process that verifies the validity or legitimacy of certain information. In the realm of digital certificates, authentication can refer to two different processes:

(a) authentication can refer to proving, by use of a digital signature, the identity of the sender of a message, the date and time a document was sent, the origin of a document, or the identity of a computer; or

(b) the methods used by a Certification Authority to verify the identity and legitimacy of the applicant for either an Internet certificate or Commerce certificate, including individuals and/or companies.

A digital signature is a process that attaches digital code to electronically transmitted messages in order to identify the sender of a message, and to guarantee that they are who they claim to be. The digital signature is typically derived from combining the document itself and the sender's Private Key and applying a mathematical function to the result. To check the validity of a digital signature, it is necessary to obtain the Public Key of the sender; because the sender's Private Key was used to create the signature, the corresponding Public Key must be used to verify the signature. Top

 

 

 

 

What is authentication and what is a digital signature?

Authentication can be defined as any process that verifies the validity or legitimacy of certain information. In the realm of digital certificates, authentication can refer to two different processes:

(a) authentication can refer to proving, by use of a digital signature, the identity of the sender of a message, the date and time a document was sent, the origin of a document, or the identity of a computer; or

(b) the methods used by a Certification Authority to verify the identity and legitimacy of the applicant for either an Internet certificate or Commerce certificate, including individuals and/or companies.

A digital signature is a process that attaches digital code to electronically transmitted messages in order to identify the sender of a message, and to guarantee that they are who they claim to be. The digital signature is typically derived from combining the document itself and the sender's Private Key and applying a mathematical function to the result. To check the validity of a digital signature, it is necessary to obtain the Public Key of the sender; because the sender's Private Key was used to create the signature, the corresponding Public Key must be used to verify the signature. Top

 

 

 

 

 

 

Does everybody that I communicate with need a key pair?

Anyone who wishes to sign messages and/or receive encrypted messages must have a key pair. It is possible, but not necessary, to have more than one key pair�one pair for signing your e-mail messages and another for receiving encrypted messages. Or, you might have a key pair for your place of work and a separate key pair for personal use.

Conversely, a group of people can have a single key pair, rather than one key pair per individual. It is feasible, though not necessarily recommended, for a department within a company or, for that matter, an entire company to possess only one key pair that would be used to authenticate and encrypt messages. Top

 

 

 

 

How do I get a key pair?

Individuals can generate their own key pair through their Internet browser, or, in the hardware cryptographic devices like Smart Cards or Tokens.

When a key is generated, the next step is to register the Public Key with a Certification Authority (CA), like IDRBT CA. The process of generating your own key pair and then submitting your Public Key registration to the CA is as simple as filling out a form with some personal information (your name, address, e-mail address, credit card information, etc.) and then clicking a button to submit the form to the CA.

When the CA has processed your validated certificate, you will be intimated with instructions on how to download and install your certificate. Top

 

 

 

 

 

What key size should be used?

Obviously, the larger the key size, the stronger the encryption. While some people could argue that you can never have too strong a level of encryption, in the world of cryptography the word "overkill" can certainly be applicable. With stronger encryption comes longer processing durations to both encrypt and decrypt.

There are four different "grades," that refer to the strength of the protection:

  • Export grade gives minimal real protection (40-bit for symmetric encryption or 512 for asymmetric).

  • Personal grade (56- or 64-bits symmetric, 768 asymmetric) is recommended for keys that are not very important, such as those that protect one person's personal e-mail or those that serve as "session keys" for low-importance transactions. These should provide plenty of protection relative to how much they are worth to break.

  • Commercial grade (128-bit symmetric or 1024 asymmetric) is recommended for information that is valuable and fairly sensitive, such as financial transactions.

  • Military grade (160-bit symmetric or 2048-bit asymmetric) is recommended for information that is truly sensitive and must be kept secret at any cost.

The ultimate choice for the strength of encryption, therefore, becomes a balancing act involving how sensitive or important the data being encrypted is and the efficiency of the encryption/decryption process that is desired. Top

 

 

 

 

How do I get someone else's Public Key?

If you want to encrypt e-mail to someone, you have to obtain their Public Key; there are several different ways of achieving this:

Top