Secure Communication - Encryption, SSL, PKI explained
Opening up the corporation or business with electronic communications has not only created opportunities for closer relationships with customers and partners it has also presented the very real threat of prying eyes getting access to sensitive information.
While there are many anti-virus and security products available to ensure hackers, crackers and infections are kept outside the corporate system there's still the risk that industrial spies or others with malicious intent may intercept important data in transit.
In fact the growing acceptance of e-commerce where credit card, account information and personal details are required to be provided on the Internet has heightened concerns not only about security but about privacy.
Encryption is the process of transforming information so it
can't be read or understood by anyone but the intended recipient. Decryption is the process of transforming that information so that it can be read again in the form intended. This process often uses cryptography, or a mathematical algorithm, to scramble and unscramble messages.
The ability to keep encrypted information secret is based on a number called a key that must be used with the algorithm to code or decode information. Decryption requires the correct key to unscramble the information sent.
There are many levels of complexity used in such keys, some are not available for use inside the US for example because they are considered military strength. The levels of security provided range from the commonly used 128bit encryption to 256bit and beyond for more industrial or military strength requirements
There are two kinds of cryptosystems: symmetric which uses the same secret key to encode and decode a message and asymmetric which use a single public key to encrypt a message and a different public key to decrypt it.
Symmetric encryption is effective only if the two parties involved keep the key secret. If someone else gets hold of the symmetric key they can not only decrypt messages sent with that key, but encrypt new messages and send them as if they came from one of the two original parties.
Symmetric-key encryption plays an important role in the secure sockets layer (SSL) protocol, which is widely used for authentication, tamper detection, and encryption over TCP/IP networks. It is a protocol developed by Netscape for transmitting private documents via the Internet and adopted by Microsoft's Internet Explorer. SSL uses a public key to encrypt data.
Many Web sites use SSL to obtain confidential information such as credit card numbers. The URLs that use a SSL connection start with https: instead of http:.
Public-key encryption (also called asymmetric encryption) involves a pair of keys - a public and a private key - to authenticate or identity electronically or to sign or encrypt data. Each public key is published, and the corresponding private key is kept secret. Data encrypted with your public key can be decrypted only with your private key.
The most commonly use of public-key encryption is based on algorithms patented by RSA Data Security ( www.rsa.com ) which is used in the popular personal security tool PGP (pretty good privacy at http://www.pgpi.org ).
Public key infrastructure (PKI), more suited to secure business communications, uses a system of digital certificates to verify and authenticate the validity of each party involved in an Internet transaction. It is known as a trust hierarchy and uses a set of well-established techniques and standards which disguise or encrypts information while it is in transit ensuring it can only be read by the person who has the key to unlock and translate it back into a readable form.
PKI also verifies to the recipient that this information has not been tampered with or modified and that a false message has not been substituted. It also authenticates the information has come from the source indicated and confirms the sender's identity. It also means that the sender cannot at some later stage claim the information was not sent.
The most common use of a digital certificate is to verify the sender of a message is who they claim to be and enable the receiver to reply in a secure manner. Anyone wishing to send an encrypted message in this manner applies for a certificate from a trusted third party or Certificate Authority. This authority usually has some arrangement with a financial institution or credit card company. The resulting certificate contains the applicant's public key and other identification information. The authority makes its own public key available so recipients can verify the source.
The recipient of an encrypted message uses the public key to decode the digital certificate attached to the message to verify it is officially recognized, and to receive the sender's public key and ID number to send an encrypted reply.
- Encryption: Scrambling information into a mathematical code that cannot be read in transit.
- Decryption: The unscrambling of the encrypted mathematical code by the authorized recipient who has the key to unlock the information.
- Secure Sockets Layer (SSL): A symmetric style encryption commonly used by web sites receiving sensitive information to authenticate and encrypt information over the internet using a public key.
- Public Key Encryption (PKE): A system that uses a public and private key to authenticate identity or to sign and encrypt data over the Internet.
- Public Key Infrastructure (PKI): A system of digital certificates - one private and one public - which verify who the sender of information is and the authenticity of their information and then provides a means for a secure response. Often used to communication sensitive information, for example for e-commerce.
- Digital Certificates: A certificate obtained from a registered authority that verifies the identity of a user sending a message and providing the receiver with a secure means of replying.
Back to the iStart e-Security Research Pavilion
