Cryptography, Public and Private Key

views updated

CRYPTOGRAPHY, PUBLIC AND PRIVATE KEY

Cryptography—called "crypto" by its practitioners—is the study of codes and ciphers and their use to protect information. Cryptography has existed, in one form or another, since the ancient Greeks began toying with methods for encoding with mathematics. In the modern period, cryptography was utilized mainly in wartime to protect sensitive military information, and in the high-stakes and secretive world of diplomacy and spying.

For years, computer-based cryptography was almost exclusively used by the United States National Security Agency (NSA) for coding and decoding sensitive information and messages during the Cold War. For many years after private-sector computer scientists began working on cryptography, the government fought such efforts out of concern for national security. Cryptographers, however, were wary of government monopolization of the technology, which raised fears of a "big brother" capable of snooping into the private lives and communications of its citizens.

This door was opened in 1975 by Massachusetts Institute of Technology graduate Whitfield Diffie and Stanford University professor Martin Hellman. The two were searching for a way to share encrypted messages between two people who didn't know each other, and thus couldn't have devised their own scrambling formula beforehand. The Diffie-Hellman algorithm that resulted was the birth of contemporary public-key cryptography, the dominant cryptographic infrastructure used on the Internet.

Cryptography assumed a whole new significance with the development of e-commerce in the mid-1990s. Perhaps the biggest roadblocks to e-commerce were consumer fears over privacy and the security of their financial and personal information. Because of this, cryptography was of central importance to the growth of the Internet economy.

Encryption is the scrambling of text-based messages into unrecognizable code via a complex mathematical algorithm. Only those with the correct "key" are able to encrypt or decrypt such a message in a given cryptographic system. The key is a set of specific parameters, based on the algorithmic encryption formula, that act to lock and unlock the coded information. The formula typically consists of a long string of bits, sometimes more than 200 digits long. The more digits involved and the more complicated the algorithmic equation used to generate the code, the more difficult the hacker's job in breaking it.

The two basic infrastructures used in cryptographic systems are public-key and private-key. While early computer systems used private-key cryptography almost exclusively, by the late 1990s and early 2000s the tide was shifting in favor of public-key cryptography. The dominant encryption standards were testament to the sea of change. The 25-year-old Data Encryption Standard (DES), a private-key algorithm developed by the NSA, was being phased out due to its lack of flexibility and a level of security that could no longer withstand sophisticated modern attacks, not to mention the limited use of private-key systems in e-commerce. In its place, the public-key Advanced Encryption Standard (AES) was preparing for international launch in the early 2000s.

PRIVATE-KEY CRYPTOGRAPHY

Private-key, or symmetric, encryption systems employ a single common key, possessed by those on both sides of the transaction, to both lock and unlock a message. Private keys are generally smaller, meaning they contain less bits of information, and as a result compute more quickly than do public keys. However, that also means they are more vulnerable to attack than are public keys.

Because private-key cryptography involves a series of one-to-one transactions, the concern over secrecy is paramount. For example, if a firm maintained a private-key infrastructure with several thousand clients, the company would need to ensure the secrecy of several thousand separate keys, and the opportunity for compromised security escalates. Thus private-key encryption can pose difficulties, especially over large networks of individuals, simply because key management can become a headache that costs a good deal of time and effort to manage.

PUBLIC-KEY CRYPTOGRAPHY

Public-key, or asymmetric, cryptography involves two separate keys: both a private key maintained by a single entity and a public key available to any user over a network. A central authority, such as an online bank, broadcasts its public key, enabling any client to send encrypted messages to that destination. Only that original authority, however, can decrypt the communications using its private key, thereby securing the information from hackers and other unauthorized onlookers. Because the usage of these keys is spread over such a wide network of people, they typically contain a greater number of information bits to make the code more difficult to crack.

Because of its simple availability to large numbers of people, public-key encryption was considered the favored infrastructure for e-commerce in the early 2000s. Digital signature technology, for instance, relies on the public-key infrastructure. The 1999 passage of the Electronic Signatures in Global & National Commerce Act opened the floodgates for public-key cryptography as never before by creating legal parity between handwritten signatures and digital signatures. In turn, this was a major boon to a whole range of new and established forms of e-commerce, particularly in the financial services industries. The leading public-key encryption scheme used in e-commerce was Secure Sockets Layer (SSL), developed by Netscape but long supported by both Netscape and Microsoft browsers.

The primary vehicle by which transactions and messages are encrypted using public-key cryptography is the digital certificate. Digital certificates are issued by a central authority and contain the user's name and e-mail address, an expiration date, and the authority's name. Digital certificates are stored on the user's computer or, increasingly, on a smart card or a central server accessible over the Internet.

The complexity of the public-key infrastructure stems from the management of a hierarchy of different certificate authorities and central servers, along with the level of individual customization involved in using a digital certificate on a personal computer or smart card. But once a public-key infrastructure is in place and a sound key management system has been implemented, the rewards can be astounding, particularly for those e-commerce firms engaged in the transfer of massive amounts of sensitive information, as in online banking. In business-to-business operations, public-key cryptography also can lead to efficiency gains. With the security afforded by digital certificates, companies can allow each other mutual access to internal company network infrastructures, greatly streamlining the transaction processes between business partners.

THE CRYPTOGRAPHIC OUTLOOK

The Gartner Group estimated that by 2003 up to 80 percent of large businesses would test at least one public-key infrastructure, according to Information-Week. Meanwhile, the search for ever-more impenetrable encryption systems was certain to intensify. The U.S. Department of Energy's Los Alamos National Laboratory was home to a program dedicated to the development of quantum cryptography, which incorporates the laws of quantum physics into traditional cryptographic methods to design the most powerful encryption systems yet, overcoming the flaws and cracks in public-key encryption systems. Quantum cryptographic codes are built on a series of photons, each with their own individual and varying properties that render them analogous to computer language's ones and zeroes. Essentially, the development of such technologies and the increasing sophistication of hackers and code-breaking systems has set off a virtual arms race between those using cryptography to enhance security and those using cryptography to compromise security.