Information Technology Reference
In-Depth Information
A public key security system, such as your Web browser using HTTPS instead of HTTP in
a URL, can thwart both of the preceding situations. In the first example, using digital certificates
can authenticate the Web site's identity. If your browser is directed to a fraudulent site, the dig-
ital certificate doesn't match the site's URL. In the second example, encryption would provide
confidentiality and prevent an eavesdropper from interpreting information in captured packets.
Of course, for the security system to work, users have the responsibility of checking that the
Web browser is using secure communication (usually indicated by a padlock icon in the
browser). In addition, users must be vigilant in heeding warning messages about Web sites' cer-
tificate validity. PKI is commonly used in many other situations, but whenever a secure transac-
tion is necessary between two parties that don't know each other, PKI is likely to be part of the
transaction.
Before you delve into PKI transactions, review the following list of components that compose
a PKI:
•
Plaintext
—Data that has been unaltered; as used in cryptography, this term defines the
state of information before it's encrypted or after it has been decrypted.
•
Ciphertext
—Data that has been encrypted; it's the result you get when plaintext is trans-
formed by an encryption algorithm.
•
Key
—In encryption, a key is a numeric value used by a cryptographic algorithm to change
plaintext into ciphertext (encrypt) and ciphertext back to plaintext (decrypt).
•
Secret key
—A key used to both encrypt and decrypt data in a secure transaction. The
secret key must be known by both parties because it's used in both ends of the cryptogra-
phy process. The terms symmetric key and shared secret key are also used. Secret keys are
used in symmetric cryptography, defined later in this list, and provide a lower-overhead
secure transaction than using a public/private key pair.
•
Private key
—A key that's held by a person or system and is unknown to anyone else. A
private key is part of a key pair used in asymmetric cryptography (defined later in this list)
and is most often used by the owner to decrypt data that has been encrypted with the cor-
responding public key.
•
Public key
—A key owned by a person or system that's distributed to whoever wants to
have a secure communication session with the key owner. The public key, part of the key
pair used in asymmetric cryptography, is used to encrypt data, which can then be
decrypted only by using the owner's private key. A public key is also used to verify a digi-
tal signature.
•
Symmetric cryptography
—An encryption/decryption process that uses a single secret key to
encrypt and decrypt a message (also called private key cryptography or secret key cryptogra-
phy). The key is often referred to as a shared secret because both parties involved in the com-
munication must have the same key. Symmetric cryptography is vulnerable to attack because
the shared secret must be transmitted to both parties, and the key used in the encryption
algorithm tends to be easier to crack than those used in asymmetric cryptography.
11
Although symmetric cryptography is sometimes referred to as private key
cryptography or private key encryption, these terms are somewhat impre-
cise. A private key is used as part of a pair in asymmetric cryptography and
should never be shared with another party.
•
Asymmetric cryptography
—An encryption/decryption process, used in a PKI system, that
uses both a public key and a private key. Asymmetric cryptography is more complex and
requires more computing resources than symmetric cryptography, but it's also more secure.
Because of its higher resource requirements, asymmetric cryptography is often used along
with symmetric cryptography. Asymmetric cryptography is used to exchange secret keys,
which are then used symmetrically for the bulk of data encryption and decryption.
Search WWH ::
Custom Search