PKI Part I: Public-Key Cryptography

PKI, or public-key infrastructure, is a method of associating a cryptographic key with a user by way of a trusted third party. Its usefulness can be found in various areas of security such as assuring that data has not been modified, verifying that data was sent by the person who claims to have sent it, making certain that the sender cannot deny having sent a particular set of data, and scrambling data for the sake of confidentiality. In this post, we will be looking into public-key cryptography, its benefits and how it works. Other aspects of PKI will be explored in future installments.

Throughout the history of cryptography, the most common method for encrypting a message was to have a shared secret. A message would be written using a secret method that protected the contents while in transit. Then, the receiver would be able to decipher the message using their knowledge of the secret method to reverse the encryption. This is like symmetric-key encryption.

Symmetric-key encryption uses one key to both encrypt and decrypt data. This key must be somehow delivered to everyone who needs to be able to read the encrypted message. Protecting data becomes more and more difficult, however, as the amount of senders and receivers grows and the key is exposed to more people. When communicating over a large network, it is often necessary for encrypted data to pass between two parties who have never met. This is difficult to accomplish using symmetric keys.

Public-key encryption is asymmetric. That means the key that encrypts is not the same key used to decrypt. Each entity in a public-key infrastructure has its own public and private keys which have a special mathematical relationship. The public key is used to encrypt data, but it cannot decrypt. For this reason, it can be distributed to any number of people without the risk of compromising the confidentiality of protected data. The private key is known only to its owner. It can be used to decrypt any data that has been encrypted with the public key and therefore should be kept private and never be shared.

Another advantage to using public and private keys is the ability to “sign” data. The private key, along with a special algorithm, is used to create a number called the digital signature, and the public key is used to verify it. So, anyone with a private key can sign data and send it to others along with their public key. The math behind this operation makes it extremely difficult to duplicate the signature. Therefore, when the recipients verify the digital signature, they can be certain that the data has not been changed and that it was sent by the person who claimed to have sent it.

Now, you may be saying to yourself, “OK. I know that the person who sent me the public key has the corresponding private key, but how do I know for sure that this person is who they claim to be?” Check back later for a discussion on the role of certification authorities in a public-key infrastructure.

Each Thursday, Security Musings features a security-related technology or tool.  Featured items do not imply a recommendation by Gemini Security Solutions.  For more information about how Gemini Security Solutions can help you solve your security issues, contact us!