Public Key technology is based on Public Key cryptography, a technology that itself is mathematically complex. Essentially, it is a cryptographic technique that enables one person to encrypt some data with one key and this data can only be decrypted with another, related, key. You can also encrypt data with the related key and it can only be decrypted with the original one key. These key “pairs” are related and no other key or key pair can encrypt or decrypt data outside of this pair. This is the notion that two keys can fit the same lock, as mentioned above. This basic concept is transformed into a powerful utility once a basic premise is applied. And this premise is – make one key of the key pair a secret and make the other key publicly available. The “secret key” is only known to the holder of that key, and the “public key” is known to all, and is known by all as belonging to holder of the corresponding secret key. This truly amazing technology can now be applied to accomplish all of the three concerns mentioned above. How? Consider the diagram below. Any data encrypted using Key A, the “private key” can only be decrypted with Key B, the “public key.” Since Key B is public, anything encrypted by Key A can be decrypted using Key B. The point in encrypting here is not to make anything a secret (if you think that the only reason to encrypt something is to make it a secret – not so!). Since Key B is a public key, anyone in the world has access to it and anyone in the world can decrypt the data encrypted by Key A. So what? So that means by virtue of being able to decrypt the message, you know 2 things – it was encrypted by Key A (any message encrypted by any other key would result in junk data), and the message was not tampered with (had anyone messed around with the encrypted data, the result would also have been junk data). This is the same thing the medieval king did when he put his signet ring into a gob of wax on a proclamation to be posted in the castle. It
ORIGINAL MESSAGE
PUBLIC KEY
ENCRYPTED MESSAGE
PRIVATE KEY
was guaranteed authentic and unchanged. (Well, a clever fellow might be able to scrape the parchment and change the message, so PKI signatures are better!) Conversely, if anyone were to encrypt data using the Public Key B – which, remember, everyone has – then only the corresponding Key A would be able to decrypt it. In this case, we are keeping secrets and only the holder of Key A could see the message. Now the king has put the parchment into a secure envelope and put a seal on the flap! So the notion of Public Key technology – the ability to have related key pairs that only work with one another where one of which is kept secret and the other made public, makes for a powerful utility that can protect data, provide knowledge about the other party, and secure transactions. The other part of PKI, the “I” or infrastructure component, is what makes Public Key technology work in a global arena, enabling individuals and organizations to trust one another. Key to this infrastructure are the concept of certificates and authorities. The Public Key pairs and identities mentioned above are of little value without something to guarantee their authenticity. One must be able to associate a person, or entity, with their keys. This is accomplished via something called certificates. A certificate is basically a container that holds the Public Key (of the public/private key pair) and data associated with that key such as the individual’s name, the key’s expiration date and other pertinent data elements. The certificate becomes the essential component that relates a key to its owner. Certificates are issued by authorities. Authorities are high-level entities that establish the notion of a trust center. All certificates issued by an authority can be trusted if one trusts the authority. All certificates issued by an authority are all a part of the family of that authority.
DECRYPTED MESSAGE
u u u u
Sue encrypts a message using Joe’s freely-available public key and sends it to Joe. Using his private key, Joe is able to encrypt the message but only he can do so. Both parties can be confident that no other person else can decrypt the message as only Joe is in possession of his private key.
Winter 2009
41