(Public Key Cryptography|Asymmetric Cipher)
About
Public key cryptography is a cryptographic system, dating from the 1970s, that uses pairs of keys: a public key and a private key.
It's also known as:
- asymmetric cryptography,
- non-secret encryption (the original GCHQ term for it).
Public key cryptography is used by Internet standards and protocols, such as:
- OpenPGP (implemented by PGP and GnuPG/GPG),
- TLS,
- and SSH.
A public key scheme is often used only to exchange a fresh symmetric key that is used for the current session; the bulk of the data is then encrypted with that session key, because symmetric ciphers are far faster than public key operations. This combination is called hybrid encryption.
Concept
Keypair
In public key cryptography, two keys are used:
- one public (anyone may read it),
- one private (kept secret by its owner).
They serve several purposes: encryption, digital signature and key agreement.
A key-generation algorithm produces the keypair:
- it selects the private key uniformly at random from the set of possible private keys, using a cryptographically secure random number generator;
- both keys of an acceptable keypair are derived from that large random value (for RSA, from two large random primes).
In short:
- the public key encrypts and verifies signatures;
- the private key is kept secret, decrypts and signs.
The keys are related mathematically, but the parameters are chosen so that calculating the private key from the public key is computationally infeasible (for RSA, it would require factoring the modulus).
Public Key Authenticity
PKI
A central problem with the use of public key cryptography is confidence/proof that a particular public key is authentic, in that it is correct and belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. The usual approach to this problem is to use a public key infrastructure (PKI), in which one or more third parties – known as certificate authorities – certify ownership of key pairs through a certificate. See below.
Certificate
To be able to tell who owns a key, the public key is bundled with attributes (such as names, addresses, and similar identifiers), and the bundle (public key plus attributes) is digitally signed.
The resulting signed object is called a certificate and is signed by a certificate authority (CA). The system of CAs, certificates and the rules for issuing and revoking them is the public key infrastructure (PKI). This is a hierarchical trust model: a certificate is trusted because a CA the client already trusts signed it.
The certificate itself plays no role in the encryption. It is a signed statement (by a trusted CA) that the enclosed public key belongs to the named party, which ensures that the party you are communicating with is who you think it is. Before relying on it, a client must verify the CA's signature, the validity period and the revocation status of the certificate.
Public Key Distribution
Usage
Secrecy
Secrecy: ensure that the communication being sent is kept confidential (secrecy) during transit.
Digital Signature
A digital signature is a mathematical scheme to prove that a message came from a particular sender and was not modified in transit:
- nobody can impersonate the sender, because only the holder of the private key can produce the signature;
- nor can the sender deny having sent the message, because anyone with the public key can check the signature.
Authentication
A digital signature authenticates the signer: the receiver checks it with the sender's public key, and only the holder of the matching private key could have produced it.
Non-repudiation
The digital signature can be used for non-repudiation
Procedure
Some public key algorithms provide:
- only key agreement (e.g., Diffie–Hellman key exchange, which establishes a shared secret but does not itself encrypt or sign),
- only digital signatures (e.g., the Digital Signature Algorithm, DSA),
- and some provide both encryption and digital signatures (e.g., RSA).
To achieve both authentication and confidentiality, the sender should:
- include the recipient's name in the message (so that a signed message cannot be decrypted, re-encrypted and forwarded to a third party as if it had been addressed to them),
- sign the message with their own private key (i.e. compute the digital signature of the message),
- encrypt the message together with its signature with the recipient's public key,
- and send the resulting ciphertext to the intended receiver.
The receiver decrypts with their private key, verifies the signature with the sender's public key, and checks that the name inside the message is their own.
Management
See Public Key
Application
Public key cryptography is often used to secure electronic communication over an open networked environment such as the Internet, without relying on a hidden or covert channel, even for key exchange.
Enveloped Public Key Encryption (EPKE), in which a public key wraps a symmetric key that then protects the data, is the method usually used to secure communication on an open network, for example by:
- the Transport Layer Security (TLS) protocol,
- or its deprecated predecessor, the Secure Sockets Layer (SSL) protocol.
Implementation / Algorithm
Algorithms, in chronological order
RSA
RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems; it was published by Rivest, Shamir and Adleman in 1977.
An equivalent scheme had been described in 1973 by Clifford Cocks, a British cryptographer at the UK Government Communications Headquarters (GCHQ), but it remained classified until 1997.
DH
Diffie–Hellman (DH) key exchange (1976) lets two parties derive a shared secret over a public channel; by itself it provides neither encryption nor signatures, so the shared secret is then used as a symmetric key.
DSA
DSA keys (Digital Signature Algorithm) can only be used for signing and verifying, not for encryption. Each DSA signature needs a fresh, unpredictable random value; reusing or leaking that value for two signatures reveals the private key.
A word about Security
Revocation / replacement - All events requiring revocation or replacement of a public key can take a long time to take full effect with everyone who must be informed (i.e., all users who possess that key). In a PKI the revocation is published through certificate revocation lists (CRLs) or OCSP responses, and a client that does not check them keeps trusting the revoked key. For this reason, systems that must react to events in real time (e.g., safety-critical systems or national security systems) should not use public key encryption without taking great care.