Securing your apps with Public Key Cryptography & Digital Signature
Public Key Cryptography offers ultimate security being based asymmetric keys; however it does have a specific purpose and is often not a replacement of symmetric crypto algorithms like AES. This article provides some basic information about the security mechanisms behind Public Key Cryptography with practical details on how it is used by some of the popular tools like PGP, SSL as well as Digital Signature.
Public keys and private keys
One of the main problems with symmetric key cryptography is using the same private key for both encryption and decryption. Two parties sending messages to each other must agree to use the same private key before they start transmitting secure information. Since the two parties may be in different parts of the world, private key must be passed through the network.
An interceptor, that manages to get hold of private key somehow, can easily decrypt the encrypted messages. Security of the Private key is the biggest problem with symmetric key cryptography. There need to be a secure way to communicate the private key between the sender and receiver – if there were a secure way to do this, then the cryptography would not have been necessary in the first place in order to create that secure channel.
Public Key Cryptography solves this problem. The primary feature of public-key cryptography is that it removes the need to use the same key for encryption and decryption. With public-key cryptography, keys come in pairs of matched “public” and “private” keys.
The public portion of the key pair can be distributed in a public manner without compromising the private portion, which must be kept secret by its owner.
An operation (for example, encryption) done with the public key can only be undone with the corresponding private key.
Putting public/private to work
Here's how the scheme will work. Let's say Bob and Mary want to communicate securely; they each create a key set and exchange public keys. Bob uses Mary's public key to encrypt a message that only she will be able to read when she decrypts it with her private key. If Marry wishes to issue a secure reply, she uses Bob's public key to encrypt the message so that only Bob can decrypt.
Figure 1 below shows the scheme where both Asymmetric and Symmetric Cryptography is used to transfer message security between two parties.
Figure 1: Using both Public Key Cryptography and Symmetric Cryptography to transfer data securely
Mary generates a Public-Private Key pair and provides her Public Key to Bob. There is no secret with Public key since it is Public so it can be distributed in a public manner without compromising the private portion, which must be kept secret by Mary. Bob generates a Random session key that is used to encrypt the message (using Symmetric Cryptography) Bob wants to send to Mary.
Bob also uses Mary’s Public key and encrypts the random session key (using Asymmetric Cryptography) and send it to Mary. Mary uses her Private key and decrypt the Encrypted session key and re-generate the same random session key that Bob possessed. This session key is now used to decrypt the actual encrypted message Bob has send earlier.
The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption. Conventional encryption (or Symmetric Cryptography) is about 1, 000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues.
Used together, performance and key distribution are improved without any sacrifice in security. This also solves the problem of having to send the session key over the network that anyone can intercept thus providing strong secure channel for communication.