What is Cryptography?

Cryptography is the art and science of keeping information secure. A person who does not know the method used to change the information to keep it secure cannot copy the method used or reverse the change. The basic components of cryptographic systems are used to encipher (scramble) information so that it is difficult to determine the meaning without the appropriate key or key(s) to decipher (unscramble) the information. The components include cryptographic algorithms (mathematical functions) for enciphering or deciphering information and keys (strings of information that cause a cryptographic algorithm to encipher or decipher in a distinctive way).

Symmetric and asymmetric are two examples of cryptographic systems. Symmetric systems use the same key to encipher and decipher (also called a secret key algorithm). Asymmetric systems generate and use different keys to encipher and decipher a secure key pair. With this key pair, consisting of a public key and a private key, only one key can decipher what the other enciphers. Merely knowing one key does not make it probable that a person will be able to determine the other key. Asymmetric key pairs are used in creating digital signatures and transporting symmetric keys.

In the past, most encryption systems only used symmetric cryptography. The problem with symmetric cryptography, however, is the difficulty encountered in distributing keys to targeted recipients. Since symmetric cryptography uses the same key for enciphering and deciphering, a person has to use creative and difficult means to prevent the unwanted from intercepting the key. If a third party were to intercept the key, they could use it to decipher anything it was used to encipher.

A solution to this problem is public key cryptography that uses asymmetric cryptography to transport symmetric keys. In such a system, a recipient's public key is used to encipher a symmetric key. Once enciphered, the symmetric key can only be easily deciphered using the corresponding private key.

An example of how symmetric cryptography and asymmetric cryptography are used together can be shown in the following e-mail example:

A person who wishes to send an enciphered message to another person:

• Uses a symmetric key to encipher the message
• Enciphers the symmetric key with the recipient's public key
• Sends the encrypted message with the enciphered symmetric key to the recipient

To decipher the message, the person who receives it does the following:

Retrieves the message

Deciphers the symmetric key with his private key

Deciphers the message with the symmetric key

To maintain security, the private key is never revealed to the unauthorized. Only the public key is made public.

Why is Cryptography Necessary?

The Internet and other networked environments are full of hackers, viruses, eavesdroppers, thieves, terrorists, and other threats to information privacy and control. Cryptography is necessary because it helps individuals and organizations protect themselves from these threats. For years, government intelligence agencies, military forces, and the banking industry have predominantly used cryptography. Today, others are beginning to realize the benefits and the necessity of cryptography.

Electronic commerce and other forms of secure communications require adherence to four fundamental security principles that cryptography greatly enhances. These principles are privacy, authentication, data integrity, and no repudiation.

1. Privacy is needed to help make sure that information is not revealed to unauthorized people.
2. Authentication is needed to help make sure that persons in a communication or transaction are who they claim to be.
3. Data Integrity is needed to ensure that information has not been altered since the data was signed.
4. Nonrepudiation is needed to prevent a signer of a document or communication from denying the origination, submission, delivery, or integrity of its contents.

Privacy or Confidentiality -- Symmetric Cryptography

Symmetric cryptography can be used to enhance privacy during digital communications or storage. With this technology, information can be enciphered so that unauthorized personnel cannot understand it. Only with the appropriate key can the information be easily deciphered or understood. Even if someone were to eavesdrop, steal, or copy enciphered information, it would be incomprehensible without the appropriate key to decipher it.

Authentication, Data Integrity, and Nonrepudiation-Asymmetric Cryptography

To enhance authentication, data integrity, and nonrepudiation during digital communications or storage, asymmetric cryptography is used. Using this technology, authentication systems can be improved to prevent wrongdoers from destroying, copying, or stealing valuable information. And once in a system, the intruder can be easily tracked and identified. Data integrity is maintained since asymmetric cryptography can be used to alert information recipients of tampering. Additionally, it is difficult for a document signer to repudiate the contents of the document or involvement with the signed document.

Overall, cryptography helps make the Internet and other environments safe for electronic commerce and other forms of communiation because it enhances privacy, authentication, data integrity, and nonrepudiation in these environments.

What are Digital Certificates?

A digital certificate is an electronic credential issued and digitally signed by a certification authority (CA). Certificate Authorties control public key infrastructures (PKIs). A CA manages a PKI, issues certificates and establishes PKI policies within its domain. The digital certificate represents the certification of an individual, business, or organizational public key. It can also be used to show the privileges and roles for which the holder has been certified.

A basic certificate includes :

• The certificate holder's identity
• The certificate's serial number
• The certificate holder's expiration dates
• A copy of the certificate holder's public key
• The identity of the CA and its digital signature to affirm the digital certificate was issued by a valid agency

Presently, the most sophisticated certificates are X.509 V3 certificates. They include the characteristics mentioned above as well as others.

To certify a public key, the prospective subscriber requesting the certificate must register his public key with a CA. Once this is done and the CA approves the request, a certificate is generated and issued to the subscriber.

Certificates can be used like:

• A driver's license issued by a state government that serves as identification and verifies the holder's right to drive a car.
• An ATM card coupled with a numerical password confirming the right to access a bank account.
• A medical diploma that provides certification of a doctor's competence, skill, and legal right to practice medicine.

Why is a Digital Certificate Necessary?

Digital certificates are necessary to verify the authenticity, roles, privileges, and limitations of the private key holder associated with the public key within the certificate. This level of verification is necessary for electronic commerce and secure communications.

The success and growth of electronic commerce depends on the ability of all parties involved to positively identify those with whom they are dealing. Consumers need to know that the merchant they are buying from is legitimate. Merchants must be certain that the person buying from them is an authorized user of a credit card or any other instrument used to exchange value other than money. The identities of companies ordering thousands or millions of dollars of wholesale goods over the Internet needs to be authenticated. Banks need to authenticate that only their account holders may access their on-line home banking systems.

The impact of digital certificates transcends electronic commerce. Governments intend to use digital certificates to authenticate access for citizens to on-line benefits distribution and possibly even voting. Some courts intend to allow legal briefs and depositions to be electronically submitted, as long as they are digitally signed, for use as evidence in legal cases. Companies plan to use digital certificates to control access to their intranets. Security firms intend to use digital certificates stored on smart tokens to provide and control physical access to secure areas.

What is a Digital Signature?

A digital signature is a logical hash (mathematical summary) of information enciphered using an asymmetric key unique to the signer. A digital signature has properties that can help one accurately identify the creator of the hash and determine whether the original information or hash was tampered with. With these properties, digital signatures can provide a greater level of security than a physical signature.

A digital signature provides solid identification of the sender because only the sender's key can create the signature. It also attests to the integrity of the content of the message that is being signed because the enciphered message hash must correlate to the message content or the signature is invalid. Thus, a digital signature cannot be copied from one message and applied to another because the summary, or "hash," would not match. Any alterations to the message after it is signed would also invalidate the signature.

1. The following example describes the basic process of affixing a digital signature to an e-mail message:
2. A customer creates a message to his investment firm ordering the purchase of 1,000 shares of IBM stock.
3. The customer's browser creates a message hash (mathematical summary) of the original message.
4. The message hash is enciphered using the customer's private key.
5. The resulting signature is affixed to the message and the message is sent to the investment firm.

An individual or trusted authority may verify the digital signature in the following manner

1. The investment firm retrieves the e-mail signed by the customer.
2. The investment firm creates its own hash of the received message.
3. The customer's message hash is deciphered using the customer's signature verification key (public key).
4. The two hashes are compared.
5. If the hashes match and the public key is verifiably the customer's, the signature is valid.

The preceding example demonstrates how digital signatures can be used to sign e-mail. They can also be used to enhance access control systems and protect the integrity of stored information.

Why are Digital Signatures Necessary?

A digital signature is logically similar to a handwritten signature. However, a digital signature has significant advantages over a handwritten signature. A digital signature can:

• Increase transaction speeds
• Extend the geographic reach of communications

Digital Signatures are More Secure than Handwritten Signatures:

Handwritten signatures are difficult to authenticate - the recipients of handwritten signatures are not usually handwriting experts. Handwritten signatures perform poorly in maintaining data integrity. A signature, as well as the data associated with it, can be easily modified if electronically transmitted or stored. Handwritten signatures are subject to repudiation - they can be easily forged.

However, the areas in which handwritten signatures are weak are the same areas in which digital signatures are strong.

Authentication-Over the Internet, it is difficult to determine who actually wrote the digitized handwritten signature that is being presented. Digital signature procedures help enhance authenticity verification. For every transaction, the authenticating party checks the signer's digital certificate to determine if it has expired and is included in a certificate revocation list (CRL). If the certificate is not listed in the CRL, the certificate has not been revoked or suspended. The public key is then used to confirm that the digital signature of the other party is authentic. The software (which is unseen) automatically handles the verification process.

Data and information integrity-Without protection in a hostile environment like the Internet, it is easy for a recipient to receive tampered information without being aware of it. Unlike handwritten signatures, digital signatures include a hash value (mathematical summary) unique to the digitally signed information. Therefore, a digital signature cannot be used interchangeably between transactions as is the case with digitized handwritten signatures. When a document is digitally signed, a hash value is generated by the signer and affixed to the document. When a recipient retrieves the document, he too generates a hash value for the information. Alterations to the information are detectable by comparing the signer's document hash with the recipient's document hash. If the hashes do not match, the data integrity of the document is damaged.

Nonrepudiation-Unlike handwritten signatures, digital signatures make it difficult for signers of an agreement or transaction to deny or repudiate their involvement or the content of a document. Digital signatures help verify that signatures are authentic and data integrity has been preserved. Handwritten signatures can be repudiated because they are often forged-digital signatures cannot be easily forged.

Time stamping-A digital timestamp can also be applied to a transaction to help prove that the transaction occurred when it is claimed to have occurred.

Knowing that this security is inherent to digital signatures is one reason individuals and organizations are trusting digitally signed documents rather than handwritten ones.

Digital Signatures Increase Transaction Speeds: Digital communications are fast. It only takes a few seconds to transmit digital information around the world. Until the advent of digital signatures, however, the advantages of this technology could not be used for electronic commerce. Since digital signatures are more secure than handwritten signatures and can be securely transmitted, users of digital signature technology can safely take advantage of the speed of digital communication mediums like the Internet. Digitally signed documents can also be processed faster by automated processing systems. With this capability, organizations can further decrease transaction processing time.

Digital Communications Allow Organizations to Increase Their Geographical Reach.

Communications between two or more parties usually requires extensive authentication procedures. Depending on the transaction, parties to an agreement typically meet in person to discuss terms and sign contracts. This form of communication comes with a monetary price and drain on human resources. With digital signature technology, much of this process can be done automatically and at a distance. Merchants of different countries who may have never met, can engage in transactions using digital signatures. Properly implemented, digital signatures allow organizations to extend their geographical reach.

Potential Applications of Digital Certificates

Ongoing experiences and discussions with businesses and governments that are interested in PKI technology have revealed six essential applications. As a result, IBM has designed it's PKI offerings to directly support and meet the requirements of these six applications:

1. Privacy and confidentiality -Institutions want PKI for message encryption and decryption.
2. Integrity, authentication, and nonrepudiation (digital signing/verification)-Institutions plan to use PKI for digital signing of messages to establish the identity of the sender and establish that messages have not been tampered with.
3. Access control-Institutions will require digital certificates, whether in browsers, on disks, or on smart cards, to control access to facilities, Internet sites, intranets, and other digital networks.
4. Proof of document transmission (time stamping)-Institutions need to use independent time stamping authorities to verify dates and times of critical messages for legal and commercial uses.
5. Document archive and retrieval-Institutions need to use PKI to make sure that stored messages have not been altered and to provide controlled access to authorized individuals.
6. Identification and privileges -Institutions will require digital certificates to establish their rights and privileges, for instance, for licensing purposes.