The
original forms of cryptography involved the use of a single secret key that was
used to both encrypt and decrypt the message (known as symmetric cryptography).
The challenge was always the logistics of communicating the secret key to the
intended recipient without other parties gaining knowledge of the key.
In
1976, Whitfield Diffie and Martin Hellman introduced the concept of Public Key
cryptography (asymmetric cryptography). In their system, each person is the
owner of a mathematically related pair of keys: a Public Key, intended to be
available to anyone who wants it; and a Private Key, which is kept secret and
only known by the owner. Because messages are encrypted with a Public Key and
can only be decrypted by the related Private Key, the need for the sender and
receiver to communicate secret information (as is the case in symmetric
cryptography) is eliminated.
The
two primary uses of Public Key cryptography, encryption and digital signatures,
are explained below:
Encryption:
Messages are encrypted by using the Public Key of the intended recipient.
Therefore, in order to encrypt a message, you must either have the Public Key
sent to you from the recipient, or obtain the Public Key through a directory of
Public Keys, such as that posted by IDRBT CA. The recipient of the message
decrypts the message by using their Private Key. Because only the recipient has
access to the Private Key (through password protection or physical security),
only the recipient can read the message.
Digital
Signatures: When signing a message, the sender's computer, through their email
application, performs a calculation that involves both their Private Key and the
message that is going to be sent. The result of the calculation is a digital
signature, which is then included as an attachment to the original message. The
recipient of the message performs a similar calculation that includes the
message, the digital signature of the sender, and the sender's Public Key. Based
on the result of the recipient's calculation, known as a hash, it can be
determined whether the signature is authentic (or is fraudulent) and whether the
message had been intercepted and/or altered at any point between the sender and
the recipient.
The
digital envelope involves transmitting a message that has been encrypted using
secret key (symmetric) cryptography combined with an encrypted secret key that
usually has been encrypted using Public Key (asymmetric) cryptography. (Public
Key cryptography is not always necessary, such as in cases where both parties
already know the secret key.)
Not
only do digital envelopes help solve the key management/key transfer problem,
they increase performance (relative to using a Public Key system for direct
encryption of message data) without sacrificing security. The increase in
performance is obtained by using the more efficient symmetric encryption to
encrypt the potentially large and variably sized amount of message data, while
the less efficient asymmetric cryptography is reserved only for encryption of
the symmetric keys.
RSA
is a Public Key (asymmetric) cryptosystem that offers both encryption and
digital signatures (authentication). RSA was developed in 1977 and is named
after the three developers of the technology—Ron Rivest, Adi Shamir, and
Leonard Adleman.
Public
Key encryption is based on two mathematically related keys that are generated
together. Each key in the pair performs the inverse function of the other so
what one key encrypts, the other key decrypts, and vice versa. Because each key
only encrypts or decrypts in a single direction, Public Key encryption is also
known as asymmetric encryption.
A
Public Key system has two keys: one of the keys in the pair is made publicly
available (thus the term "Public Key encryption"), and the other is
kept private, either on a hardware token such as a smart card, or hidden in
software that performs the cryptographic functions on your computer (typically
secured with a password).
Authentication
can be defined as any process that verifies the validity or legitimacy of
certain information. In the realm of digital certificates, authentication can
refer to two different processes:
(a)
authentication can refer to proving, by use of a digital signature, the identity
of the sender of a message, the date and time a document was sent, the origin of
a document, or the identity of a computer; or
(b)
the methods used by a Certification Authority to verify the identity and
legitimacy of the applicant for either an Internet certificate or Commerce
certificate, including individuals and/or companies.
Individuals
can generate their own key pair through their Internet browser, or, in the
hardware cryptographic devices like Smart Cards or Tokens.
When
a key is generated, the next step is to register the Public Key with a
Certification Authority (CA), like IDRBT CA. The process of generating your own
key pair and then submitting your Public Key registration to the CA is as simple
as filling out a form with some personal information (your name, address, email
address, credit card information, etc.) and then clicking a button to submit the
form to the CA.
Obviously,
the larger the key size, the stronger the encryption. While some people could
argue that you can never have too strong a level of encryption, in the world of
cryptography the word "overkill" can certainly be applicable. With
stronger encryption comes longer processing durations to both encrypt and
decrypt.
There
are four different "grades," that refer to the strength of the
protection:

Export
grade gives minimal real protection (40bit for symmetric encryption or 512
for asymmetric).

Personal
grade (56 or 64bits symmetric, 768 asymmetric) is recommended for keys
that are not very important, such as those that protect one person's
personal email or those that serve as "session keys" for
lowimportance transactions. These should provide plenty of protection
relative to how much they are worth to break.

Commercial
grade (128bit symmetric or 1024 asymmetric) is recommended for information
that is valuable and fairly sensitive, such as financial transactions.

Military
grade (160bit symmetric or 2048bit asymmetric) is recommended for
information that is truly sensitive and must be kept secret at any cost.