While recently troubleshooting some issues involving certificates, I realise I had few wholes that needed patched; it also sounded like a good idea for a blog. So what follows next is rather a high level overview on cryptography with emphasis on Digital Certificates – I would say, it is really all you need to know providing you are not planning to become CCIE in security.
In the digital world, IT security is all about exchanging information securely while also considering –
- Confidentiality – it’s a characteristic of secure systems to ensure that exchanged information is and stays confidential between sender and intended recipients only. Confidentiality is achieved through Encryption.
- Authentication – by which the parties exchanging information must authenticate to each-other in order to validate the identity of the sender and intended recipient(s) – it is achieved by means of Hash functions.
- Data Integrity ensures information reaches its intended recipient(s), untampered. To achieve Data Integrity, hashingtechniques are used.
- Non-Repudiation – prevents an entity from denying previous actions. Generally speaking, by employing confidentiality, authentication and data integrity, we also guarantee non-repudiation.
As mentioned above, in order to ensure confidentiality, we employ Encryption – a mathematic algorithm which, by means of an encryption key, scrambles a message so it becomes unreadable.
There is symmetrical and asymmetrical encryption, based on whether a symmetric or asymmetric key is used:
- Symmetric Key Encryption uses the same key for encryption and decryption; this also means the key must be shared between all parties – not very secure indeed; though it has its uses.
- Asymmetric Key Encryption uses a key pair – the public key and the private key. Encryption using one key, can only be decrypted using the other – indeed, there is use cases for encrypting with either private, or public key. An entity will share its public key and, will keep its private key, uhm .. private.
To provide data integrity, we make use of Hashing algorithms by which input data is transformed into a unique, fixed size length output, also called – the message digest.
Below are the properties of a hash:
- changing even one character, the output will be completely different
- providing the same algorithm and same input is used, the output will always be the same
- it is a very fast algorithm
We will see later how Encryption and Hashing are used together to create Digital Signatures which in turn are used to sign Digital Certificates.
For now, you could experiment with different hash algorithms and key lengths here.
To conclude Part I, let’s see three examples:
In conclusion, we can see that each of these methods has its problems – but there is hope, as you will se in Part II.