Also: Asymmetric-Key Cryptosystem
A form of cryptography that, unlike symmetric cryptography, requires no shared password. Instead, it is a method of scrambling data that requires sharing only half of a two-part key. This system is common and very useful, allowing information to be exchanged securely without ever meeting the party you wish to connect with.
The most common example of this is in Web browsers every time you enter a secure area.
- Benefits: Communicate securely with someone you have never personally met.
- Vulnerabilities: Man-In-The-Middle Attack and Brute Force with smaller key sizes (128-256 - not commonly used).
This system is made up of three main parts:
Public-Key Based Technologies
Also known as authentication, this system allows the use of hashes, or signatures, which let the key owner "sign" their documents or files to prove authenticity. The hash can be independently tested to see if it matches the user's public key, or certificate, including the time and date the file was hashed.
Signatures help defeat spoofing.
- On security Web sites that post downloadable security programs, since being virus and backdoor-free is often critical.
- In public messages where falsification would be very harmful, such as from governments or a high-level administrator. The message is public, so it is left unencrypted but signed in order to verify its sender.
- Can be used to connect to a remote system.
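The signing and checking described above, as an added example that is not part of the original page: a textbook RSA sketch using only Python's standard library. The key pairs are constructed toy keys built from well-known Mersenne primes and the scheme has no padding, so it shows the mechanics only; all function and variable names are assumptions made for this example.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Build (public half, private half) from two primes (toy key generation)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, kept secret
    return (n, e), (n, d)

def digest_int(message: bytes) -> int:
    """Hash the message; the signature covers this hash, not the raw bytes."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)

# Constructed toy keys (Mersenne primes); trivially factorable, never use for real data.
OWNER_PUB, OWNER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**127 - 1, 2**521 - 1)

def demo():
    notice = b"Release 1.0 is the only official download."   # constructed sample
    altered = b"Release 6.6 is the only official download."  # constructed sample
    sig = sign(notice, OWNER_PRIV)
    impostor_sig = sign(altered, IMPOSTOR_PRIV)
    return {
        # Signed by the owner, checked with the owner's public half.
        "genuine": verify(notice, sig, OWNER_PUB),
        # Content changed after signing: the hash no longer matches.
        "tampered": verify(altered, sig, OWNER_PUB),
        # Signed by someone else: fails against the owner's public half.
        "spoofed": verify(altered, impostor_sig, OWNER_PUB),
        # If the verifier was handed the wrong public key, the check passes.
        # This is the man-in-the-middle weakness: the key itself must be authentic.
        "wrong_key_trusted": verify(altered, impostor_sig, IMPOSTOR_PUB),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The last case is why a public key has to come from a source the verifier already trusts, such as a certificate or a key server, before its signatures mean anything.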
Other concerns in Public-Key
PGP vs. Certificates
PGP/GPG and S/MIME are commonly used e-mail encryption tools. PGP and GPG do not cost any money per "certificate" or Public-Key, Private-Key pair, but SSL servers and S/MIME clients require purchasing a certificate from a Certificate Authority company like Verisign in order to have a certificate verified to you or your specific company.
Public Key Servers
Public Keys can be uploaded to a Public Key Server, which acts like an informal Certificate Authority.
Upon its inception, Public-Key was believed to be the Holy Grail of security. Unfortunately, Public-Key technology has not quite led to the universal system of identification, authorization and trust that had been hoped for. With the need for a separate authority (like Verisign) to guarantee authenticity and some institutions not trusting any outside source, no single form of verification is available.