Friday, November 02, 2007

Basics of Encryption

Introduction:

The incredible growth of the Internet has excited businesses and consumers alike with its promise of changing the way we live and work. But a major concern has been just how secure the Internet is, especially when you're sending sensitive information through it.

Let's face it, there's a whole lot of information that we don't want other people to see, such as:

Credit-card information

Social Security numbers

Private correspondence

Personal details

Sensitive company information

Bank-account information

Information security is provided on computers and over the Internet by a variety of methods. A simple but straightforward security method is to only keep sensitive information on removable storage media like floppy disks. But the most popular forms of security all rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it.

Computer encryption is based on the science of cryptography, which has been used throughout history. Before the digital age, the biggest users of cryptography were governments, particularly for military purposes. The existence of coded messages has been verified as far back as the Roman Empire. But most forms of cryptography in use these days rely on computers, simply because a human-based code is too easy for a computer to crack.

Most computer encryption systems belong in one of two categories:

Symmetric-key encryption

Public-key encryption

Symmetric Key

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. Think of it like this: You create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.
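The "Shift by 2" code described above, written out as an added example (not part of the original post), together with the reason such a human-based code is too easy for a computer to crack: there are only 26 possible keys, so a program can simply try them all. The message and the small word list are constructed samples.

```python
import string

ALPHABET = string.ascii_uppercase

def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the one `key` places further down the alphabet."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decoding is the same shift applied in the opposite direction."""
    return shift_encrypt(ciphertext, -key)

# Constructed word list used only to recognise English-looking output.
COMMON_WORDS = {"THE", "AT", "ME", "MEET", "AND", "TO", "OF", "IS", "IN"}

def crack(ciphertext: str):
    """Try every possible key and keep the one whose output looks most like English."""
    def score(text: str) -> int:
        return sum(word.strip(".,!?") in COMMON_WORDS for word in text.split())
    best_key = max(range(26), key=lambda k: score(shift_decrypt(ciphertext, k)))
    return best_key, shift_decrypt(ciphertext, best_key)

MESSAGE = "MEET ME AT THE BANK AT NOON"   # constructed sample message
SECRET = shift_encrypt(MESSAGE, 2)        # what the friend receives

if __name__ == "__main__":
    print("sent:     ", SECRET)
    print("friend:   ", shift_decrypt(SECRET, 2))   # the friend knows the key
    print("outsider: ", crack(SECRET))              # an outsider recovers key and text
```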


Public-key encryption

The main problem with symmetric-key encryption is the transmission of the private key. If user A wants to send an encrypted file to user B, user B must have user A's private key. For this, user A has to send his private key to user B, and the transmission of the private key is vulnerable. This led to a new concept called public-key encryption.

Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP).

Implementing public-key encryption on a large scale, such as a secure Web server might need, requires a different approach. This is where digital certificates come in. A digital certificate is basically a bit of information that says that the Web server is trusted by an independent source known as a certificate authority. The certificate authority acts as a middleman that both computers trust. It confirms that each computer is in fact who it says it is, and then provides the public keys of each computer to the other.

A popular implementation of public-key encryption is the Secure Sockets Layer (SSL). Originally developed by Netscape, SSL is an Internet security protocol used by Internet browsers and Web servers to transmit sensitive information. SSL has become part of an overall security protocol known as Transport Layer Security (TLS).

In your browser, you can tell when you are using a secure protocol, such as TLS, in a couple of different ways. You will notice that the "http" in the address line is replaced with "https," and you should see a small padlock in the status bar at the bottom of the browser window.

SSL operation:

Public-key encryption takes a lot of computing, so most systems use a combination of public-key and symmetric-key encryption. When an SSL session is established, the client computer generates a public key and a private key. The server already has a public key (in the SSL certificate issued by a CA) and a private key.

[Diagram: the server holds the server public key and the server private key; the client machine holds the client public key and the client private key.]


Once the SSL session is enabled, the next step is to exchange the keys. We need a public key to decrypt the data encrypted by the private key.

The first step is to exchange the public keys.

[Diagram: the server and the client machine, each with its own public and private key, exchange their public keys.]


So now the client has the server's public key, and the server has the client's public key. The server can therefore decrypt the client's data, and the client can decrypt the server's data.

[Diagram: after the exchange, the server also holds the client public key and the client machine also holds the server public key.]


Now encryption can take place.
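The combination of public-key and symmetric encryption mentioned at the start of this section, sketched as an added example that is not part of the original post and is not real SSL: one public-key operation carries a short random session key, and the bulk data is then encrypted symmetrically with that key. The toy key pair, the hash-based cipher and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy server key pair (assumption for this sketch). The primes are the
# well-known Mersenne primes 2^89-1 and 2^107-1: far too small and too
# structured for real use, but large enough to carry a 128-bit session key.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q                            # public modulus, shared with clients
E = 65537                            # public exponent, shared with clients
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never leaves the server

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with SHA-256(key || counter) blocks.
    The same call encrypts and decrypts. Stands in for a real cipher such as AES."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def client_send(message: bytes, n: int, e: int):
    """Client side: pick a fresh session key, wrap it with the server's public key
    (textbook RSA without padding, illustration only), encrypt the message with it."""
    session_key = secrets.token_bytes(16)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # the expensive step, done once
    return wrapped_key, keystream_xor(session_key, message)

def server_receive(wrapped_key: int, ciphertext: bytes, n: int, d: int) -> bytes:
    """Server side: unwrap the session key with the private key, then decrypt."""
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    msg = b"sensitive form data (constructed sample)"
    wrapped, ct = client_send(msg, N, E)
    print("wrapped session key:", hex(wrapped))
    print("ciphertext:         ", ct.hex())
    print("server recovers:    ", server_receive(wrapped, ct, N, D))
```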


HOW SSL TECHNOLOGY USES ROOT CERTIFICATES IN THE ENCRYPTION PROCESS

When connecting to a web server over SSL, a visitor's browser decides whether or not to trust the website's SSL certificate based on which CA issued the actual SSL certificate. To determine this, the browser looks at its list of trusted issuing authorities -- represented by a collection of Trusted Root CA certificates added into the browser by the browser vendor.

Like SSL certificates, root certificates also have a public and private key pair used to encrypt and decrypt information that is sent between two devices. The private key of the root certificate is heavily guarded and kept in the certificate provider's secure data center, while the public key of the root certificate is given to browser and application manufacturers to be added to their list of trusted roots. Embedding the public key into the browser or application allows the software to automatically recognize and trust any SSL or client certificate that has been signed by that root certificate.

The more browsers, web servers and applications that a certificate provider embeds its root certificates in, the higher its certificate "ubiquity" is. Certificate ubiquity is a term that essentially means "the percentage of the most popular browsers, web servers, and applications that inherently recognize and trust the provider's root certificate." For example, COMODO maintains 99.3% browser ubiquity in the marketplace, which means that all COMODO certificates will be recognized and trusted by all the most popular browsers, web servers and applications available today.