PC Magazine

  PC Tech

Certificates, Keys, and Security
Digital certificates and public key encryption are taking on a greater role in securing Web and e-mail communications between individuals and organizations.

By Keith Pleas

The explosive growth of the Internet means that every day we entrust more and more of our corporate and individual lives--but to whom or what? We don't always know, and we can't be sure. Luckily, technologies to help solve this problem are growing as well. In particular, digital certificates and public key encryption are taking on a greater role in securing communications between individuals and organizations. In general, there are four main uses for digital certificates:


• establishing secure (SSL 3.0 or HTTPS) Web connections;
• Web client authentication;
• signing and encrypting e-mail; and
• software publishing.

Digital certificates are issued by certificate authorities (CAs), signed with the CA's private key, and verified with the CA's public key. Detailed treatises on encryption technology are readily available elsewhere, but the gist is that encrypting a data stream with a secret key makes recovering the plaintext "computationally infeasible" without knowing that key. Many common algorithms decrypt the stream with the very same secret key that encrypted it; this is called symmetric encryption, a very useful tool when you need to transmit sensitive information over an insecure network, and it is what protects the bulk of the data in a secure (HTTPS) Web connection.
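The sentence above compresses the whole certificate mechanism into one line. The Go program below, an example added here and not code from the article or from any Microsoft product, spells it out: a CA signs a server certificate with its private key, and a client verifies that certificate with nothing more than the CA's public key, which is all the client ever holds. The names "Example Root CA" and www.example.com are placeholders, and the choice of ECDSA P-256 keys is an assumption made for speed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA makes a self-signed CA certificate and the private key the CA will use
// to sign the certificates it issues. (Placeholder name, not a real CA.)
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// parent == template: the CA signs its own certificate with its own private key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue has the CA sign a server certificate for dnsName. The server's private
// key never leaves the server; only its public key goes into the certificate.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The CA's private key signs; the server's public key is what gets certified.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify checks a certificate the way a browser does: the signature must chain
// to a CA whose public key the client already trusts, the validity period must
// cover the current time, and the name must match the host being contacted.
func Verify(cert *x509.Certificate, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := NewCA("Example Root CA")
	if err != nil {
		panic(err)
	}
	server, _, _ := Issue(ca, caKey, "www.example.com")
	fmt.Println("issued by trusted CA:", Verify(server, ca, "www.example.com"))

	// An attacker can run a CA of their own and issue a certificate with the
	// same names, but the client's trusted public key does not verify it.
	rogue, rogueKey, _ := NewCA("Example Root CA")
	forged, _, _ := Issue(rogue, rogueKey, "www.example.com")
	fmt.Println("forged by rogue CA:", Verify(forged, ca, "www.example.com"))
	fmt.Println("wrong host name:", Verify(server, ca, "mail.example.com"))
}
```

The forged certificate fails even though its subject and issuer names are identical to the genuine one: the client never compares names to decide trust, it checks that the signature verifies under a public key it already holds. That is why protecting the CA's private key, and choosing which CA public keys to trust, are the two decisions that matter.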

Of course, symmetric encryption makes it difficult to exchange data with other parties, because they must somehow be given the same secret key, and the network you would send it over is the very one you don't trust. The solution in this case is public key encryption, where two mathematically related keys are used together (they're often called a key pair). Typically, the public key is used to encrypt the stream, and only the matching private key can decrypt it. You can publish the public key freely, and in fact, current directory services often come with an integrated public key infrastructure (PKI) for just this purpose. This form of encryption is also called asymmetric encryption. Unfortunately, asymmetric encryption is many times slower than symmetric. In situations where two parties want to exchange data using the vastly more efficient symmetric encryption, one party typically generates a one-time-use symmetric session key, encrypts it with the other party's public key, and sends it across; only the holder of the private key can recover the session key, and from then on both sides use it to encrypt the bulk data.

What exactly does "computationally infeasible" mean? What's clearly infeasible for a single individual or small organization becomes quite possible when a lot of computing power is available. In one well-known case, a group of cryptography enthusiasts used a large number of computers--linked over the Internet--to recover a 56-bit key by brute force (trying every possible key until one decrypts the message). Each additional bit of key length doubles the number of possibilities, so a 56-bit key has 65,536 times as many candidates as a 40-bit one, and a 128-bit key has so many that exhausting them is out of reach for any foreseeable amount of hardware. Governments, particularly their intelligence and military departments, often have substantial computing resources available. The United States government restricts the key length that exported software may use: 40 bits until recently, and now 56 bits. This is usually called weak encryption, because a determined intruder can recover such a key in a reasonable amount of time. Microsoft ships both a weak 40-bit and a strong 128-bit version of its Windows encryption engine: To see which is installed on your system, look at the version description in the properties dialog of Schannel.dll, located in your Windows system directory, which will show either "US and Canada" or "Export Version."
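To make "computationally infeasible" concrete, here is a brute-force search you can run yourself. It is an example added here, not code from the article, and it makes one assumption to keep the run short: the AES keys it searches are deliberately crippled so that only the low few bits are unknown, which is essentially how export-grade 40-bit ciphers were weakened. The attacker is given one plaintext block and its ciphertext (a known-plaintext attack, the usual situation because protocol headers are predictable) and tries every key. The measured time for a 20-bit search is then scaled to 40, 56 and 128 bits by doubling once per bit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// KeyFromIndex builds a 16-byte AES key whose low bits come from idx and whose
// other bits are zero. This crippling is an assumption of the example so that
// a full search finishes in seconds; it is not how real keys are generated.
func KeyFromIndex(idx uint64) []byte {
	key := make([]byte, 16)
	binary.BigEndian.PutUint64(key[8:], idx)
	return key
}

// BruteForce is a known-plaintext attack: given one plaintext block and its
// ciphertext, try every candidate key index below 2^bits until one reproduces
// the ciphertext. Returns the index and true, or 0 and false if none matches.
func BruteForce(plaintext, ciphertext []byte, bits uint) (uint64, bool) {
	out := make([]byte, aes.BlockSize)
	for idx := uint64(0); idx < uint64(1)<<bits; idx++ {
		c, err := aes.NewCipher(KeyFromIndex(idx))
		if err != nil {
			panic(err) // a 16-byte key is always valid for AES-128
		}
		c.Encrypt(out, plaintext)
		if bytes.Equal(out, ciphertext) {
			return idx, true
		}
	}
	return 0, false
}

// KeySpace is the number of candidate keys for an effective key length of
// `bits`: every extra bit doubles it.
func KeySpace(bits uint) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), bits)
}

// ExtrapolateSeconds scales a measured full-search time to a longer key
// (targetBits must be >= measuredBits).
func ExtrapolateSeconds(measured float64, measuredBits, targetBits uint) *big.Float {
	factor := new(big.Float).SetInt(KeySpace(targetBits - measuredBits))
	return new(big.Float).Mul(big.NewFloat(measured), factor)
}

func main() {
	const bits = 20
	secret := uint64(1)<<bits - 1          // constructed: the last key tried, i.e. the worst case
	plaintext := []byte("known plaintext!") // constructed: exactly one 16-byte AES block
	c, _ := aes.NewCipher(KeyFromIndex(secret))
	ciphertext := make([]byte, aes.BlockSize)
	c.Encrypt(ciphertext, plaintext)

	start := time.Now()
	found, ok := BruteForce(plaintext, ciphertext, bits)
	elapsed := time.Since(start).Seconds()
	fmt.Printf("recovered key index %#x (ok=%v) in %.2fs after %s candidates\n",
		found, ok, elapsed, KeySpace(bits))

	for _, target := range []uint{40, 56, 128} {
		secs := ExtrapolateSeconds(elapsed, bits, target)
		years := new(big.Float).Quo(secs, big.NewFloat(365*24*3600))
		fmt.Printf("%3d-bit key, same machine, worst case: %.3g years\n", target, years)
	}
}
```

On one ordinary machine the 40-bit figure comes out in days or weeks and the 56-bit figure in centuries, which is exactly why the well-known attack above needed thousands of cooperating computers; the 128-bit figure is many orders of magnitude beyond the age of the universe, which is what "strong" means in the paragraph above. Note that the search is trivially parallel, so the time divides by however many machines an attacker controls.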

Keith Pleas is an independent consultant and a frequent contributor to PC Magazine.

Next: Certificate Authorities

Published as PC Tech Feature in the 4/20/99 issue of PC Magazine.

Related Links
Making E-Mail Secure -- PC Tech
Internet Security Standards -- PC Tech
 
Copyright (c) 1999 Ziff-Davis Inc.