posted on Wednesday, September 16, 2009 4:07 PM
According to various history sites, the earliest known lock to be key operated was from Egypt, some 4000 years ago. It was wooden and actually used moveable pegs that fell into holes to secure the ‘bolt.’ The wooden key would move the pins back into place to allow the lock to be opened. And, of course, Caesar is credited with inventing the first cipher. Ahh, love history and always fun to know where some of today’s technologies came from.
In security, specifically cryptography, a key is a specific number value that when used with an algorithm can encrypt and decrypt a block of data – usually text. The key length or size, typically in bits or bytes, determines how strong the encryption is and thus how difficult it might be to decrypt.
There is Symmetric and Asymmetric encryption. With symmetric encryption, only one ‘secret key’ is used on both ends to encrypt and decrypt messages. This is one of the oldest encryption techniques and can be as simple as shifting or replacing a letter. This works great if both parties have the secret shared key but it needs to stay SECRET. The bad side is that it’s just a single key and if someone gets a hold of it, then they can possibly intercept and decrypt your hidden messages. Key management, such as changing the secret key often and distributing it securely to authorized users can be a challenge.
In Asymmetric encryption, also called Public Key – Private Key cryptography, two keys are used – one for encryption and one for
decryption. The private key is always kept secret while the public key is out in the wild often in the form of a certificate. So you can have my public key, in fact I might just give it to you, since that will be what you use to either encrypt a message to me or decrypt a message from me. It is my private key that will do all the mashing so i can read your encrypted note and respond in secret. The unique keys are paired and by using the same algorithm we can communicate incognito and no other key (or pair) can decrypt the data. This infrastructure can also be useful to prove identity and ensure the message has not been tampered.
Then why PKI? When you send an encrypted message, it is digitally signed with your private key but I’m not standing next to you watching the ink hit the paper. PKI is what validates trust. With certificates (your public key) there is usually a Certificate Authority who is essentially a third-party vouch. Yes you can create self-signed certs but with a Cert Authority, they can verify your identity (or signature) and add their own signature as a stamp of approval. PKI can store your certificates, revoke certificates, backup/recover keys, time stamp and a bunch of other services. While public keys are meant to be public, their integrity is essential and PKI can accomplish that.
Like anything security related, nothing is foolproof. Secure distribution of keys is essential to prevent Man in the Middle attacks. You might ask for my public key and I sent it to you, but someone else intercepts it on the way. They send a forged note to you along with their public key, claiming to be me. You decrypt the message since you think it’s from me and subsequently send an encrypted note back, but you’ve encrypted it with the interceptor’s key. They grab it again, in transit, decrypt, keep a copy, re-encrypt with my original public key and forward on. When I get it, I still believe it came from you and no one’s the wiser. Simple additions like passwords for private keys or mutual authentication can help defend against MITM among other techniques (pdf).
I realize this was not my usual ‘link-fest’ entry with stats and fun stories, there are a slew of mathematical computations to make this all work and many other components to effective key management and deployment. But for number 11 of 26 Short Topics, I just wanted to convey that your digital Keys are an integral part of keeping your data secure from eavesdropping and tampering and can verify that you are transmitting it to/from from a trusted entity. Too bad the trusty TRIX Decoder rings are no longer available.
ps
Related links:
