February 23, 2019

Public Key Crypto For the Enterprise

Hiding In Plain Sight

  • December 8, 2008
  • By Paul Rubens

Paul RubensPublic key cryptography is one of the fundamental technologies used for exchanging information on the Internet securely. It's used by Web browsers to create secure connections to Web sites, and by e-mail security gateways and applications to encrypt messages. Its strength lies in the fact that it can be used to exchange encrypted information between two parties that have never communicated together before and have therefore never agreed on a secure way of exchanging messages.

To understand how public key cryptography works, let's consider secure communications in general. One way to send a confidential message to someone is to agree on an obfuscation system in advance--like substituting each letter in the message with the next one in the alphabet.

A more sophisticated method would be to use encryption software which uses an encryption algorithm, known as a cipher. The message (known as plaintext ) is entered and passed to the algorithm along with a key--a string of characters that you supply--comes out in encrypted form (known as ciphertext.) This unintelligible jumble of characters can only be converted back to the original plaintext by passing the message through the same cipher and supplying the same key. This is known as a symmetric encryption system.

An interesting thing about this system is that its security doesn't rely on the cipher itself being secret. The only thing that needs to be kept secret is the key. (In fact you could argue that the more widely known and understood a cipher is, the more you can trust it to be effective--proprietary algorithms that aren't open to public inspection by independent experts could have secret "backdoors" built in that allow anyone in the know to decrypt messages without the key.)

One problem with symmetric systems is that to send someone a message securely you have to be able to give them the secret key first without anyone else seeing it. Why is that a problem? Imagine a situation in which you were traveling abroad and had to e-mail some valuable corporate information back to a colleague without the authorities in the country you are in getting their hands on it. If you hadn't already agreed on a key before you went traveling then you'd be stuck: you couldn't send an encrypted message without first supplying a key, and you'd have no way of e-mailing a key securely. Of course you could make a phone call to tell your colleague the key you intend to use, but what if the conversation is overheard or the phone line is tapped?

Most Popular LinuxPlanet Stories