Lenovo ThinkCentre M50 IDC white paper titled "The Coming of Age of Clien - Page 10

Identifying The Sender And Guaranteeing Data Integrity

Get Lenovo ThinkCentre M50 PDF manuals and user guides View all Lenovo ThinkCentre M50 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 10 highlights

Public key encryption is based on the idea that some mathematical operations are easy to do - but hard to undo. A simple example is a square versus a square root. If you already have the square root of three (which, although approximately 1.73205080756888, has no finite answer), multiplying it by itself easily yields three, but trying to find the root given only the number three is a lot more difficult. The essence of the RSA algorithm is the same: Two large prime numbers are easily multiplied, but factoring the result to find the original numbers is extremely difficult. Asymmetric encryption starts with two randomly chosen 100-digit prime numbers. The sender "knows" them or at least has possession and usage of them. They are multiplied together, and the product becomes one of the two elements in both the keys. For the other two elements (one each for the public and private keys), one is chosen from a restricted set that relates to the first two and the other is derived algorithmically from the product of the first two and the third (the one just chosen). These four numbers (three, really, since one is shared) are the kernels for RSA asymmetric encryption. If the public key pair is used to transform clear text via complex mathematics, then only the private pair can be used to decrypt, via a similar set of calculations. By the same logic, if the private key pair is used to encode the clear text, only the public key can be used to decipher it. Although the two key pairs are interrelated, neither can be derived from the other. The strength of public key encryption is that it is fantastically robust. Anyone can send a message encrypted with a public key, but only the holder of the associated private key can decrypt it. The weakness of asymmetric cryptography is that it is computationally intensive and would slow down data traffic unacceptably if it were applied promiscuously. So, as previously mentioned, in practical circumstances it is used only to encode the symmetric key (i.e., the AES key) used for bulk data encryption. The result of encoding the symmetric key with an asymmetric public key is called a "digital envelope," and the process is referred to as "PKI key exchange." IDENTIFYING THE SENDER AND GUARANTEEING DATA INTEGRITY We now have an infrastructure robust enough to guarantee the identity of the sender. The sender is fairly confident of the recipient because only the proper recipient has the correct private key pair and can turn the message back into clear text. But a trusted third party (sometimes called the "certificate authority") is required as well - one that knows all participants and guarantees the identity of the sender. Everybody has access to the authority's public key pair. Once the sender has proven his or her identity (through, for example, a handwritten signature, iris scan, voiceprint, or fingerprint), the authority is able to return a copy of the sender's public key, "signed" with the authority's private key, and the sender can include this "certificate" in his or her outgoing message. Thus, you are proven to be you for the purposes of ebusiness. The signature is simply a secure one-way "hash" of the message itself, encrypted with a sender's private key. Analogous to a Cyclic Redundancy Check (CRC), the hash is produced by reducing the message through an algorithm to a "digest," a string of between 64 and 256 bits. The original message cannot be reconstructed from the hash by any means because most of the information has been destroyed in the hashing process. However, the hash is uniquely related to the original message mathematically. As with the AES algorithm, changing a single bit in the message will change half the bits in the hash. The hash, encrypted with the sender's private key, is attached to the message, and at the recipient end, the same math is performed on the message itself. The recipient decrypts the signature with the sender's public key and compares the result to the local hash of the message. If the two strings match perfectly, then the recipient is sure that the sender is authentic and that the message has not been altered during transmission. Thus, data integrity is assured. 10 #3577 ©2003 IDC

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
10
#3577
'2003 IDC
Public key encryption is based on the idea that some mathematical operations are
easy to do ° but hard to undo. A simple example is a square versus a square root. If
you already have the square root of three (which, although approximately
1.73205080756888, has no finite answer), multiplying it by itself easily yields three,
but trying to find the root given only the number three is a lot more difficult. The
essence of the RSA algorithm is the same: Two large prime numbers are easily
multiplied, but factoring the result to find the original numbers is extremely difficult.
Asymmetric encryption starts with two randomly chosen 100-digit prime numbers. The
sender "knows" them or at least has possession and usage of them. They are
multiplied together, and the product becomes one of the two elements in both the
keys. For the other two elements (one each for the public and private keys), one is
chosen from a restricted set that relates to the first two and the other is derived
algorithmically from the product of the first two and the third (the one just chosen).
These four numbers (three, really, since one is shared) are the kernels for RSA
asymmetric encryption. If the public key pair is used to transform clear text via
complex mathematics, then only the private pair can be used to decrypt, via a similar
set of calculations. By the same logic, if the private key pair is used to encode the
clear text, only the public key can be used to decipher it. Although the two key pairs
are interrelated, neither can be derived from the other.
The strength of public key encryption is that it is fantastically robust. Anyone can send
a message encrypted with a public key, but only the holder of the associated private
key can decrypt it. The weakness of asymmetric cryptography is that it is
computationally intensive and would slow down data traffic unacceptably if it were
applied promiscuously. So, as previously mentioned, in practical circumstances it is
used only to encode the symmetric key (i.e., the AES key) used for bulk data
encryption. The result of encoding the symmetric key with an asymmetric public key is
called a "digital envelope," and the process is referred to as "PKI key exchange."
IDENTIFYING THE SENDER AND GUARANTEEING DATA INTEGRITY
We now have an infrastructure robust enough to guarantee the identity of the sender.
The sender is fairly confident of the recipient because only the proper recipient has
the correct private key pair and can turn the message back into clear text. But a
trusted third party (sometimes called the "certificate authority") is required as well °
one that knows all participants and guarantees the identity of the sender. Everybody
has access to the authority’s public key pair. Once the sender has proven his or her
identity (through, for example, a handwritten signature, iris scan, voiceprint, or
fingerprint), the authority is able to return a copy of the sender’s public key, "signed"
with the authority’s private key, and the sender can include this "certificate" in his or
her outgoing message. Thus, you are proven to be you for the purposes of ebusiness.
The signature is simply a secure one-way "hash" of the message itself, encrypted
with a sender’s private key. Analogous to a Cyclic Redundancy Check (CRC), the
hash is produced by reducing the message through an algorithm to a "digest," a string
of between 64 and 256 bits. The original message cannot be reconstructed from the
hash by any means because most of the information has been destroyed in the
hashing process. However, the hash is uniquely related to the original message
mathematically. As with the AES algorithm, changing a single bit in the message will
change half the bits in the hash. The hash, encrypted with the sender’s private key, is
attached to the message, and at the recipient end, the same math is performed on
the message itself. The recipient decrypts the signature with the sender’s public key
and compares the result to the local hash of the message. If the two strings match
perfectly, then the recipient is sure that the sender is authentic and that the message
has not been altered during transmission. Thus, data integrity is assured.