Public Key Cryptography and Digital Certificates
This article presents background technical information on cryptographic systems. This includes Public Key Cryptography (PKC) and the system underlying SSL—the basis for every e-commerce trust infrastructure.

Encryption is the process of transforming information before communicating it to make it unintelligible to all but the intended recipient. Encryption employs mathematical formulas called cryptographic algorithms, or ciphers, and numbers called keys, to encrypt or decrypt information.

Symmetric Cryptography

Until recently, symmetric encryption techniques were used to secure information transmitted on public networks. Traditional, symmetric cryptographic systems are based on the idea of a shared secret. In such a system, two parties that want to communicate securely first agree in advance on a single “secret key” that allows each party to both encrypt and decrypt messages.

Symmetric cryptography has several drawbacks. Exchanging secret keys is unwieldy in large networks. Furthermore, the sharing of secret keys requires both senders and recipients to trust, and, therefore, to be familiar with, every person they communicate with securely. Also, symmetric systems require a secure channel to distribute the “secret” keys in the first place. If there is indeed such a secure channel, why not use it to send the entire secret message?

In today’s Web-based systems involving many participants and transitory interactions with strong cryptography requirements, such symmetric key-based systems are highly impractical as a means for agreeing upon the necessary secrets to begin communicating securely. This problem, the key agreement, or key distribution problem, is part of a larger problem that is central to the modern understanding of cryptographic systems—the key management problem. Together, they represent the fundamental challenge in designing effective cryptography systems for modern computing systems.
Symmetric key encryption plays an important role in the SSL protocol, along with asymmetric public key encryption.

Public Key Cryptography

Today’s public key, or asymmetric cryptography systems are a considerable improvement over traditional symmetric cryptography systems in that they allow two parties to exchange data privately in the presence of possible eavesdroppers, without previously agreeing on a “shared secret.” Such a system is called “asymmetric” because it is based on the idea of a matched cryptographic key pair in which a cryptographic key is no longer a simple “shared secret,” but rather is split into two subkeys, the private key and public key.

Abstractly, a participant wanting to receive encrypted communications using an asymmetric cryptography system first generates such a key pair, keeping the private-key portion as a secret and “publishing” the public-key portion to all parties that want to encrypt data for that participant. Because encrypting data requires only access to the public key, and decrypting data requires the private key, such a system in principle can sidestep the first layer of complexity in the key management problem because no shared secret need be exchanged.

Modern Cryptography Systems: A Hybrid Approach

In fact, a combination of both public key and traditional symmetric cryptography is used in modern cryptographic systems. The reason for this is that public key encryption schemes are computationally intensive versus their symmetric key counterparts. Because symmetric key cryptography is much faster for encrypting bulk data, modern cryptography systems typically use public key cryptography to solve the key distribution problem first, then symmetric key cryptography is used to encrypt the bulk data.
Such a scheme is used by today’s SSL protocol for securing Web transactions and by secure e-mail schemes such as Secure/Multipurpose Internet Mail Extensions (S/MIME) that are built into such products as Netscape Communicator and Microsoft Internet Explorer.

The Key Management Problem

Underlying every cryptographic system is a set of practical problems and questions involving privacy, security, and overall confidence in the underlying confidentiality features of the system. In principle, the techniques of asymmetric and symmetric cryptography are sufficient to resolve the security questions and properties previously described. For example, today’s Web browsers use the public key of a Web site in order to send credit card numbers over the Web. Similarly, one can protect access to files and data using a private symmetric key to scramble the information before saving it.

However, in practice, each of these problems requires a “certified” public key in order to operate correctly without third parties being able to interfere. This leads to a second set of questions. For example, how can you be sure that the public key that your browser uses to send credit card information is in fact the right one for that Web site, and not a bogus one? And, how can you reliably communicate your public keys to your correspondents so that they can rely on it to send you encrypted communications?

What is needed in order to address such concerns is the notion of a “secure binding” between a given entity that participates in a transaction and the public key that is used to bootstrap secure communication with that entity using asymmetric public key cryptography. The next part of the article describes how a combination of digital signatures and X.509 digital certificates (which employ digital signatures), including SSL certificates, fulfills this role in e-commerce trust systems.
Digital Signatures

Digital signatures are based on a combination of the traditional idea of data hashing with public key-based encryption. Most hash functions are similar to encryption functions. In fact, some hash functions are just slightly modified encryption functions. Most operate by grabbing a block of data at a time and repeatedly using a simple scrambling algorithm to modify the bits. If this scrambling is done repeatedly, then there is no known practical way to predict the outcome. It is not, in general, practical for someone to modify the original data in any way while ensuring that the same output will emerge from the hash function. These hash-based signature algorithms use a cryptographically secure hash function, such as Message Digest 5 (MD-5) or Secure Hash Algorithm (SHA), to produce a hash value from a given piece of data.

Because the digital signature process is central to the idea of a digital certificate (and in turn, the digital certificate is the primary tool to ensure e-commerce security), it’s useful to look at a diagram of the process. The first step is to take the original message and compute a “digest” of the outgoing message using a hashing algorithm. The result is a “message digest,” which is typically depicted as a long string of hexadecimal digits (and manipulated by software as binary data). In the next step, the sender uses his private key to encrypt the message digest. The original message content, together with the encrypted digest, forms a digitally signed message. This digitally signed message is suitable for delivery to the recipient.

On receipt, the receiver verifies the digital signature using an inverse set of steps: first, the encrypted digest is decrypted using the sender’s public key. Next, this result is compared to an independent computation of the message digest value using the hashing algorithm. If the two values are the same, the message has been successfully verified.
Why is a digital signature compelling evidence that only the intended signer could have created the message? For example, what if interlopers were to change the original message? It was not encrypted, after all, and could have been changed by a third party in transit. The answer is that if such a change had been made, then the decrypted, original message digest wouldn’t have matched the recomputed one for the changed data in the message. Verification of the digital signature would fail. Similarly, the creation of a bogus signature is impractical because an interloper doesn’t have the appropriate private key.

Digital Certificates

A digital certificate is an electronic file that uniquely identifies individuals and Web sites on the Internet and enables secure, confidential communications. It associates the name of an entity that participates in a secured transaction (for example, an e-mail address or a Web site address) with the public key that is used to sign communication with that entity in a cryptographic system. Typically, the “signer” of a digital certificate is a “trusted third party” or “certificate authority” (CA; such as VeriSign). In addition, all participants who use such certificates agree it is a point of secure storage and management of the associated private signing key. The CA issues, creates, and signs certificates, as well as possibly playing a role in their distribution.

Using digital certificates simplifies the problem of trusting that a particular public key is in fact associated with a participating party, effectively reducing it to the problem of “trusting” the associated CA service. Digital certificates, therefore, can serve as a kind of digital passport or credential. This approach represents an advance in the key management problem, because it reduces the problem of bootstrapping trust to the problem of setting up (or in today’s marketplace, selecting as a vendor) the appropriate CA functionality.
All parties that trust the CA can be confident that the public keys that appear in certificates are valid.
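
The sign-and-verify steps from the Digital Signatures section and the CA binding from the Digital Certificates section, as an added example that is not part of the original article. It uses textbook RSA over SHA-256 with constructed toy keys; the key values, the function names and www.example.com are assumptions made for illustration.

```python
import hashlib

# Constructed toy keys: products of well-known Mersenne primes, so the example
# needs only the standard library. They are trivially factorable and the scheme
# is unpadded; production code uses a vetted library and a padded scheme.
E = 65537

def make_key(p, q):
    """Return (public, private) = ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message: bytes) -> int:
    """Message digest as an integer (SHA-256 chosen for this example)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    """Sender: hash the message, then transform the digest with the private key."""
    n, d = private
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Receiver: recover the digest with the public key, compare to a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest(message)

def cert_body(name: str, public) -> bytes:
    """The data a CA signs: the entity name bound to its public key."""
    return f"{name}|{public[0]:x}|{public[1]:x}".encode()

def issue_certificate(name, subject_public, ca_private) -> dict:
    sig = sign(cert_body(name, subject_public), ca_private)
    return {"name": name, "public": subject_public, "sig": sig}

def check_certificate(cert: dict, ca_public) -> bool:
    return verify(cert_body(cert["name"], cert["public"]), cert["sig"], ca_public)

CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**607 - 1)
SITE_PUB, SITE_PRIV = make_key(2**127 - 1, 2**1279 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**89 - 1, 2**2203 - 1)   # an unrelated key pair

if __name__ == "__main__":
    order = b"ship 1 book to Alice"                       # constructed message
    sig = sign(order, SITE_PRIV)
    print("genuine     :", verify(order, sig, SITE_PUB))
    print("altered text:", verify(b"ship 9 books to Mallory", sig, SITE_PUB))
    print("wrong signer:", verify(order, sign(order, OTHER_PRIV), SITE_PUB))
    cert = issue_certificate("www.example.com", SITE_PUB, CA_PRIV)
    print("certificate :", check_certificate(cert, CA_PUB))
    print("swapped key :", check_certificate({**cert, "public": OTHER_PUB}, CA_PUB))
```

The last check is the "secure binding" the article describes: replacing the public key inside a certificate invalidates the CA's signature, so a relying party that trusts only the CA key rejects it.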