Private and Public Key Encryption


In practice, both symmetric-key and public-key techniques are used in popular security protocols such as SSL because symmetric-key algorithms tend to be much faster than public-key algorithms. To communicate securely and quickly, here is what relatecasts.com will do:

  • The relatecasts.com member generates a random number (key) that will be used for actually encrypting the message being sent to relatecasts.com.
  • The member encrypts the random number (key) with relatecasts.com’s public key.
  • relatecasts.com decrypts the random number with its private key. Now relatecasts.com can encrypt and decrypt messages with a secret shared only with that particular member.
  • Once a secure session has been established between relatecasts.com and the relatecasts.com member, ALL information transferred between the member’s Web browser and the relatecasts.com server is encrypted and secure and cannot be ‘listened to’, intercepted, or altered.

In reality, most security protocols are much more complicated than this, but the four-step process above is illustrative of security fundamentals. SSL is an excellent example of a security protocol that uses these techniques to safeguard communications.

Private-Key cryptography

Symmetric-key or private-key cryptography uses the same key to encrypt and decrypt messages, and its advantage is speed. This is a familiar real-world phenomenon: we use the same key to lock and unlock our car doors, for instance. The problem with symmetric-key cryptography is having the sender and receiver agree on a secret key without anyone else finding out. The current methods for achieving this are telephone or fax, mailing a floppy disk, or using a courier, but all of these are cumbersome, slow and error-prone techniques. In addition, the number of keys tends to be much larger than the number of nodes; that is, people may have multiple keys they use for different purposes.

A major disadvantage of private-key cryptography, however, is key management, since each pair of individuals who wish to communicate must have a unique shared key. For example, for relatecasts.com to use private-key encrypted communication, each relatecasts.com member would need a separate private key to keep account data and transactions secure (using the same private key with all of BetGameDay’s members would allow each member to access other members’ account information).

Public-Key cryptography

Public-key cryptography was invented to solve the problem inherent in private-key cryptography described above. With public-key cryptography, each person gets a pair of keys, a public key and a private key. Each person’s public key is published, while the private key is kept secret. For example, when a member wishes to establish a secure connection to the BetGameDay Web site, the member encrypts the connection using relatecasts.com’s public key. When BetGameDay receives the message, relatecasts.com decrypts it using the relatecasts.com private key. The member and BetGameDay no longer have to share secret information before secure communication is possible.

In other words, each key pair actually consists of two halves: an encryption half (the “public key”) and a decryption half (the “private key”, which unlocks data encrypted with the matching public key). This fail-safe system allows a more convenient key distribution method: members wishing to communicate with BetGameDay can simply use the BetGameDay public key. Moreover, intruders cannot use an intercepted public key to decrypt files. The downside is that public-key cryptosystems are typically slower than private-key ones.

Public-key cryptosystems are based on trapdoor one-way functions. A one-way function is a mathematical function that is significantly easier to perform in one direction (the forward direction) than in the inverse direction. One might, for example, compute the function in minutes but only be able to compute the inverse in months or years. A trapdoor one-way function is a one-way function where the inverse direction is easy if you know a certain piece of information (the trapdoor), but is difficult otherwise. The public key gives information about the particular instance of the function; the private key gives information about the trapdoor. Whoever knows the trapdoor can perform the function easily in both directions, but anyone not knowing the trapdoor can perform the function only in the forward direction. The forward direction is used for encryption and signature verification; the inverse direction is used for decryption and signature generation.

In almost all public-key systems, the larger the key, the greater the difference between the efforts necessary to compute the function in the forward and inverse directions. For a digital signature to be secure for years, for example, it is necessary to use a trapdoor one-way function with inputs great enough that someone without the trapdoor would need many years to compute the inverse function. Despite the improbability of breaking the relatecasts.com algorithm, the relatecasts.com cryptosystem has an additional layer of security which mandates that all digital keys expire after one year.
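An added illustration of the trapdoor idea from the two paragraphs above (example code, not relatecasts.com's algorithm): textbook RSA with JavaScript BigInt, where the public (n, e) gives the forward direction, d is the trapdoor, and whoever lacks d must factor n. The primes are constructed toy-sized values, and trial division is there only to count how the inverse work grows with the modulus; real keys use primes of roughly 1024 bits, where no such count is feasible.

```javascript
// Square-and-multiply: the forward direction, cheap for anyone who has (n, e).
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Extended Euclid: a^-1 mod m (assumes gcd(a, m) = 1).
function modInverse(a, m) {
  let [r0, r1, s0, s1] = [a % m, m, 1n, 0n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  return ((s0 % m) + m) % m;
}

// Key generation from two primes; d is the trapdoor, derivable only from p and q.
function makeKey(p, q, e = 65537n) {
  return { n: p * q, e, d: modInverse(e, (p - 1n) * (q - 1n)) };
}

const encrypt = (m, { n, e }) => modPow(m, e, n);  // forward: public key only
const decrypt = (c, { n, d }) => modPow(c, d, n);  // inverse: needs the trapdoor

// Without d, inverting means recovering p and q from n. Trial division counts
// the work; it grows with the modulus, which is why larger keys buy more margin.
function factorByTrialDivision(n) {
  let steps = 0;
  for (let f = 2n; f * f <= n; f++) {
    steps++;
    if (n % f === 0n) return { p: f, q: n / f, steps };
  }
  return null;  // n is prime or 1
}

// Demo with constructed toy primes (hypothetical values, far too small for real use).
const key = makeKey(10007n, 10009n);
console.log(decrypt(encrypt(42n, key), key), factorByTrialDivision(key.n).steps);
```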