Public Key Cryptography

What is Public Key cryptography?

The original forms of cryptography involved the use of a single secret key that was
used to both encrypt and decrypt the message (known as symmetric cryptography).
The challenge was always the logistics of communicating the secret key to the
intended recipient without other parties gaining knowledge of the key. In
1976, Whitfield Diffie and Martin Hellman introduced the concept of Public Key
cryptography (asymmetric cryptography). In their system, each person is the
owner of a mathematically related pair of keys: a Public Key, intended to be
available to anyone who wants it; and a Private Key, which is kept secret and
only known by the owner. Because messages are encrypted with a Public Key and
can only be decrypted by the related Private Key, the need for the sender and
receiver to communicate secret information (as is the case in symmetric
cryptography) is eliminated.

The two primary uses of Public Key cryptography, encryption and digital signatures,
are explained below:

Encryption: Messages are encrypted by using the Public Key of the intended recipient.
Therefore, in order to encrypt a message, you must either have the Public Key
sent to you from the recipient, or obtain the Public Key through a directory of
Public Keys, such as that posted by IDRBT CA. The recipient of the message
decrypts the message by using their Private Key. Because only the recipient has
access to the Private Key (through password protection or physical security),
only the recipient can read the message.

Digital Signatures: When signing a message, the sender's computer, through their e-mail
application, performs a calculation that involves both their Private Key and the
message that is going to be sent. The result of the calculation is a digital
signature, which is then included as an attachment to the original message. The
recipient of the message performs a similar calculation that includes the
message, the digital signature of the sender, and the sender's Public Key. Based
on the result of the recipient's calculation, known as a hash, it can be
determined whether the signature is authentic (or is fraudulent) and whether the
message had been intercepted and/or altered at any point between the sender and
the recipient.
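
The sign-and-verify exchange described above, as an added example that is not part of the original page. It assumes the Python `cryptography` package and RSA-PSS with SHA-256; the function names and sample message are constructed for illustration.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed scheme for this example: RSA-PSS over a SHA-256 hash of the message.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def sign(private_key, message: bytes) -> bytes:
    """Sender: calculation over the message using the sender's Private Key."""
    return private_key.sign(message, PSS, hashes.SHA256())


def verify(public_key, message: bytes, signature: bytes) -> bool:
    """Recipient: calculation over message, signature and sender's Public Key."""
    try:
        public_key.verify(signature, message, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def signature_demo() -> dict:
    # Constructed sample data; both key pairs are generated fresh for the demo.
    sender = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    stranger = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    message = b"Pay 500 to account 12345"
    signature = sign(sender, message)
    altered = message.replace(b"500", b"900")
    return {
        "authentic": verify(sender.public_key(), message, signature),
        "altered_message": verify(sender.public_key(), altered, signature),
        "wrong_public_key": verify(stranger.public_key(), message, signature),
        "signature_bytes": len(signature),
    }


if __name__ == "__main__":
    print(signature_demo())
```

Verification fails both when the message was changed in transit and when the signature is checked against a Public Key that does not belong to the signer.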

The digital envelope involves transmitting a message that has been encrypted using
secret key (symmetric) cryptography combined with an encrypted secret key that
usually has been encrypted using Public Key (asymmetric) cryptography. (Public
Key cryptography is not always necessary, such as in cases where both parties
already know the secret key.)

Not only do digital envelopes help solve the key management/key transfer problem,
they increase performance (relative to using a Public Key system for direct
encryption of message data) without sacrificing security. The increase in
performance is obtained by using the more efficient symmetric encryption to
encrypt the potentially large and variably sized amount of message data, while
the less efficient asymmetric cryptography is reserved only for encryption of
the symmetric keys.

Generally speaking, secret key cryptosystems are much faster than Public Key
cryptosystems.
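
A digital envelope as described above, as an added example that is not part of the original page. It assumes the Python `cryptography` package, AES-256-GCM for the message data and RSA-OAEP for the secret key; the function names and payload are constructed for illustration.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithms: AES-256-GCM for the data, RSA-OAEP (SHA-256) for the key.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def seal(recipient_public_key, plaintext: bytes) -> dict:
    """Sender: encrypt the data with a fresh secret key, then wrap that key."""
    session_key = AESGCM.generate_key(bit_length=256)  # one-time symmetric key
    nonce = os.urandom(12)                             # 96-bit GCM nonce
    return {
        "wrapped_key": recipient_public_key.encrypt(session_key, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(session_key).encrypt(nonce, plaintext, None),
    }


def open_envelope(recipient_private_key, env: dict) -> bytes:
    """Recipient: unwrap the secret key with the Private Key, then decrypt."""
    session_key = recipient_private_key.decrypt(env["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(env["nonce"], env["ciphertext"], None)


def envelope_demo() -> dict:
    recipient = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Constructed payload of 108 KiB; RSA-2048 with OAEP/SHA-256 alone can
    # encrypt at most 190 bytes, so only the 32-byte secret key goes through RSA.
    message = b"constructed sample payload " * 4096
    env = seal(recipient.public_key(), message)
    ct = env["ciphertext"]
    tampered = dict(env, ciphertext=ct[:-1] + bytes([ct[-1] ^ 1]))
    try:
        open_envelope(recipient, tampered)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True
    return {
        "roundtrip_ok": open_envelope(recipient, env) == message,
        "wrapped_key_bytes": len(env["wrapped_key"]),
        "overhead_bytes": len(ct) - len(message),  # GCM authentication tag
        "tamper_detected": tamper_detected,
    }
```

The asymmetric operation handles a fixed 32 bytes regardless of message size, which is where the performance gain of the envelope comes from.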

RSA is a Public Key (asymmetric) cryptosystem that offers both encryption and
digital signatures (authentication). RSA was developed in 1977 and is named
after the three developers of the technology: Ron Rivest, Adi Shamir, and
Leonard Adleman.

Public Key encryption is based on two mathematically related keys that are generated
together. Each key in the pair performs the inverse function of the other so
what one key encrypts, the other key decrypts, and vice versa. Because each key
only encrypts or decrypts in a single direction, Public Key encryption is also
known as asymmetric encryption.

A Public Key system has two keys: one of the keys in the pair is made publicly
available (thus the term "Public Key encryption"), and the other is
kept private, either on a hardware token such as a smart card, or hidden in
software that performs the cryptographic functions on your computer (typically
secured with a password).

Encryption and authentication take place without any sharing of Private Keys: each person
uses only another's Public Key or their own Private Key. Anyone can send an
encrypted message or verify a signed message, but only someone in possession of
the correct Private Key can decrypt or sign a message.

Certificates are attachments to an electronic message that are used for security purposes.
The two common uses of a digital certificate include authenticating that a user
sending a message is who he/she claims to be and providing the receiver with the
means to encode a reply by using the sender's Public Key, which makes up part of
the certificate.

If you wish to send an encrypted message, you must apply for a digital certificate
from a Certification Authority, commonly referred to as a CA. The CA will issue
a digital certificate that contains the applicant's Public Key, validity data, a
serial number, and information about the CA and a variety of other
identification information.

Who issues certificates and how?

Certificates are issued by a Certification Authority (CA) such as IDRBT CA. A CA is a trusted
entity whose central responsibility involves certifying the authenticity of
individuals and organizations. For an individual to obtain a certificate from a
CA, they must generate a key pair on their own computer and then send the Public
Key portion of the key pair to a CA with appropriate proof, based upon criteria
stipulated by the CA, that ascertains their identity. Once the CA verifies the
validity of the applicant's identification, a certificate is issued.

In many ways the function of a CA can be compared to that of a country's
passport-issuing office. A passport acts as a document that certifies that the
citizen is who he or she claims to be; foreign countries trust the authority of
the passport-issuing country and, therefore, recognize the authenticity and
validity of the passport.

How are certificates (digital certificates) used?

Certificates (digital certificates) are used in the transmission of electronic messages in
order to identify the sender of the message. The primary purpose of a digital
certificate is to instill confidence in the recipient of an electronic message
that the Public Key that they are viewing is legitimate and that the sender of
the message is who they claim to be.

A Certification Authority (CA) such as IDRBT CA issues the digital certificates.

What is authentication and what is a digital signature?

Authentication can be defined as any process that verifies the validity or legitimacy of
certain information. In the realm of digital certificates, authentication can
refer to two different processes:

(a) authentication can refer to proving, by use of a digital signature, the identity
of the sender of a message, the date and time a document was sent, the origin of
a document, or the identity of a computer; or

(b) the methods used by a Certification Authority to verify the identity and
legitimacy of the applicant for either an Internet certificate or Commerce
certificate, including individuals and/or companies.

A digital signature is a process that attaches digital code to electronically
transmitted messages in order to identify the sender of a message, and to
guarantee that they are who they claim to be. The digital signature is typically
derived from combining the document itself and the sender's Private Key and
applying a mathematical function to the result. To check the validity of a
digital signature, it is necessary to obtain the Public Key of the sender;
because the sender's Private Key was used to create the signature, the
corresponding Public Key must be used to verify the signature.

Does everybody that I communicate with need a key pair?

Anyone who wishes to sign messages and/or receive encrypted messages must have a key
pair. It is possible, but not necessary, to have more than one key pair: one
pair for signing your e-mail messages and another for receiving encrypted
messages. Or, you might have a key pair for your place of work and a separate
key pair for personal use.

Conversely, a group of people can have a single key pair, rather than one key pair per
individual. It is feasible, though not necessarily recommended, for a department
within a company or, for that matter, an entire company to possess only one key
pair that would be used to authenticate and encrypt messages.

Individuals can generate their own key pair through their Internet browser, or in
hardware cryptographic devices such as Smart Cards or Tokens.

When a key is generated, the next step is to register the Public Key with a
Certification Authority (CA), like IDRBT CA. The process of generating your own
key pair and then submitting your Public Key registration to the CA is as simple
as filling out a form with some personal information (your name, address, e-mail
address, credit card information, etc.) and then clicking a button to submit the
form to the CA.

When the CA has processed your validated certificate, you will be sent
instructions on how to download and install your certificate.

Obviously, the larger the key size, the stronger the encryption. While some people could
argue that you can never have too strong a level of encryption, in the world of
cryptography the word "overkill" can certainly be applicable.

With stronger encryption comes longer processing durations to both encrypt and
decrypt.

There are four different "grades" that refer to the strength of the
protection:

The ultimate choice for the strength of encryption, therefore, becomes a balancing
act involving how sensitive or important the data being encrypted is and the
efficiency of the encryption/decryption process that is desired.

How do I get someone else's Public Key?

If you want to encrypt e-mail to someone, you have to obtain their Public Key;
there are several different ways of achieving this: