Tuesday, 04 June 2013

Assignment 3 (Encryption and Decryption)


Definition

Encryption is a process of translating a message, called the Plaintext, into an encoded message, called the Ciphertext. This is usually accomplished using a secret Encryption Key and a cryptographic Cipher.

Two basic types of Encryption are commonly used:
Some interesting politics surround strong Encryption:
  • Strong (i.e., hard to break) Encryption algorithms are considered to be a munition by the United States government. Exporting such algorithms therefore amounts to arms smuggling -- a very serious offence!
  • Some countries (e.g., France) forbid their citizens from using strong Encryption.
  • Strong encryption algorithms are freely available everywhere in the world, on the Internet.
In the United States, it is possible to patent an algorithm, including an Encryption Cipher. This can limit who can make such algorithms.

Decryption is the reverse process to Encryption. Frequently, the same Cipher is used for both Encryption and Decryption. While Encryption creates a Ciphertext from a Plaintext, Decryption creates a Plaintext from a Ciphertext.


Public Key Encryption and Digital Signatures

Public key encryption, also known as asymmetric encryption, is based on a public/private key pair. The keys are mathematically linked, so that data encrypted with the public key can only be decrypted with the corresponding private key. X.509 certificates use public key encryption as an alternative to shared symmetric keys, which are discussed in the Data Confidentiality pattern in Chapter 2, "Message Protection Patterns."

With public key encryption, the sender converts the plaintext message into ciphertext by encrypting it with the public key in the message recipient's X.509 certificate. The message recipient converts the ciphertext back into the plaintext message by decrypting it with the corresponding private key.
Figure 1 illustrates how public key encryption and decryption take place.



Figure 1. Public key data encryption and decryption

By using public key encryption, a message sender has assurance that only the recipient will be able to read the message.

In addition to providing data confidentiality through encryption, you can use the public key in the X.509 certificate to verify digital signatures created by a message sender. A digital signature is a value produced by the message sender to bind message data to the sender's identity and to provide a means of verifying the integrity of the message to detect tampering. In this case, the private key of the message sender is used to create the digital signature. The corresponding public key, which is found in the sender's X.509 certificate, is used to verify the signature. Digital signatures are used to assure the message recipient that the message originated from the identified sender, and that the message contents have not been altered since they were signed by the sender.

Note   With digital signatures that use public key cryptography, the origin of the signed message can be traced to the sender's identity, thereby satisfying nonrepudiation requirements. This differs from symmetric key integrity, where a message may have been signed by either party with knowledge of the shared secret key.

The public key can be distributed openly to encrypt messages and to verify digital signatures, but the private key in a key pair should be carefully guarded by its owner. This is necessary because it is used to prove the identity of the certificate subject and to decrypt messages that are intended for that subject.

Figure 2 illustrates the process of using public keys to sign a message.



Figure 2. Creation and verification of a digital signature

For a more detailed description of data confidentiality, see the Data Confidentiality pattern. For more details about digital signatures, see the Data Origin Authentication pattern.
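The two key directions described above, as an added example that is not part of the original post: encryption uses the recipient's public key, signing uses the sender's private key, and a shared-key MAC is shown for contrast with the nonrepudiation note. It assumes a constructed demo key pair and textbook RSA without padding (all function names are hypothetical); real X.509 deployments use a vetted library with OAEP and PSS padding.

```python
import hashlib
import hmac

# Constructed demo key pair: textbook RSA built from two known Mersenne primes.
# Fixed, special-form primes and no padding: suitable for illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key: may be distributed openly
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: guarded by the owner

def encrypt(message: bytes, pub=(N, E)) -> int:
    """Sender: plaintext -> ciphertext with the recipient's public key."""
    m = int.from_bytes(message, "big")
    if m >= pub[0]:
        raise ValueError("message too long for this modulus")
    return pow(m, pub[1], pub[0])

def decrypt(ciphertext: int, priv=(N, D)) -> bytes:
    """Recipient: ciphertext -> plaintext with the matching private key."""
    m = pow(ciphertext, priv[1], priv[0])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, priv=(N, D)) -> int:
    """Sender: bind the message hash to the sender's private key."""
    return pow(_digest(message), priv[1], priv[0])

def verify(message: bytes, signature: int, pub=(N, E)) -> bool:
    """Anyone: check the signature with the sender's public key."""
    return pow(signature, pub[1], pub[0]) == _digest(message)

def mac(message: bytes, shared_key: bytes) -> bytes:
    """Symmetric integrity tag: either holder of shared_key can produce it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

if __name__ == "__main__":
    msg = b"transfer 100 to Bob"       # constructed sample message
    print(decrypt(encrypt(msg)) == msg)                   # confidentiality
    sig = sign(msg)
    print(verify(msg, sig), verify(b"transfer 900 to Bob", sig))
    key = b"constructed-shared-secret"
    # Both parties compute the same tag, so the tag cannot prove who sent it.
    print(hmac.compare_digest(mac(msg, key), mac(msg, key)))
```

The signature check fails for the altered message because only the private exponent `D` can produce a value that the public pair `(N, E)` maps back to the message hash.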

1 comment:

  1. The detail covered in this article is the main and most important one. I like your post very much because I can use it to prepare a quality assignment on this topic. Thanks for helping me out.
    esign
