Public-Key Cryptosystem

From InfoAnarchy
Jump to: navigation, search

See also: Security | Cryptography | Public key | Cryptosystem | Symmetric-Key Cryptosystem

Also: Asymmetric-Key Cryptosystem

A form of cryptography which requires no mutual password, unlike symmetric. Instead, it is a method of scrambling data that requires sharing only half of a two-part key. This system is common and very useful, allowing the exchange of information securely without ever meeting the source you wish to connect with.

The most common example of this is in Web browsers every time you enter a secure area.

  • Benefits: Communicate securely with someone you have never personally met.

Components

This system is made up of three main parts:

For the more paranoid users, keeping track of key fingerprints, or hash, would be useful. One method of individual key verification is with a key fingerprint.

A non-math explanation for the public-key private-key system.

Examples

Public-Key Algorithms

Public-Key Based Technologies

Key Signatures

Also known as authentication, this system also allows the use of hashes, or signatures, which allow the key owner to "sign" their documents or files to prove authenticity. The hash can be independantly tested to see if it matches the user's public key, or certificate, including the time and date the file was hashed.

Signatures help defeat spoofing.

Uses

  • On security Web sites that post downloadable security programs, since being virus and backdoor-free is often critical.
  • In public messages where falsification would be very harmful, such as from governments or a high-level administrator. The message is public so it is left unencrypted but signed in order to verify it's sender.
  • Can be used to connect to a remote system

Other concerns in Public-Key

PGP vs. Certificates

PGP/GPG and S/MIME are commonly used e-mail encryption tools. PGP and GPG do not cost any money per "certificate" or Public-Key, Private-Key pair, but SSL servers and S/MIME clients require purchasing a certificate with a Certificate Authority company like Verisign in order to have a certificate verfied to you or your specific company.

Public Key Servers

Public Keys can be uploaded a Public Key Server, acting like an informal Certificate Authority.

Policy

Upon its inception, Public-Key was believed to be the Holy Grail of security. Unfortunately, Public-Key technology has not quite led to the universal system of identification, authorization and trust that had been hoped for. With the need for a separate authority (like Verisign) to guarantee authenticity and some institutions not trusting any outside source, no single form of verification is available.