Symmetric and asymmetric key encryption

It should be noted that the asymmetric encryption algorithm loses much symmetrical in terms of encryption and data decryption time, therefore, many modern encryption systems use a combination of asymmetric and traditional symmetric encryption systems. Public key encryption is used to transmit a symmetric key, which serves directly to encrypt the transmitted information. In order to understand the logic of this circuit, we turn to Fig. 10.6.

 

 

 

Fig. 10.6. Symmetric and asymmetric key encryption

 

First, A encrypts the source file using a symmetric (secret) key (point 1). Then (point 2) A receives from public sources a public key belonging to B, and using this key encrypts its symmetric key. Further (point 3), both objects (encrypted file and encrypted symmetric key) are sent to address B via the Internet.

B receives both objects (paragraph 4). The symmetric key is decrypted with the private key belonging to B (clause 5) and, finally, the source file is decrypted using the decrypted symmetric key (clause 6).

When someone receives a message from you that is encrypted with your private key, they are sure of the authenticity of the message. That is, in this case, encryption is equivalent to the supplied signature.

Thus, a digital signature or electronic signature is a method of authentication of the sender or author of a signature, confirming that the content of the document has not been changed. Digital signatures can be made in both encrypted and open messages.

Digital certificates

When using a public key encryption scheme, you need to distribute the public key to your correspondents or put it on the Web on an open server. However, an attacker may use your name and distribute the public key on your behalf. In order to determine who is the true owner of the public key, you need a third party that all correspondents trust. With this task cope CAs CA (the Certification Authority). They issue certificates - digital data signed with a digital signature of the guarantor, confirming the correspondence of the public key and information identifying its owner. The certificate contains the public key, information about the key holder, name of the certification center, time during which the certificate is valid, etc. Each copy of the certificate is digitally signed by the organization issuing the certificate, so that anyone who receives the certificate can verify its authenticity.

The certificate is an analogue of an identity card. The identification problem also exists in person (passports, driver's licenses, etc.). On the Web, where we communicate with a partner we don’t see, identification is even more necessary.

Certificate Classes

Personal certificates can be of different classes. To obtain a lower level certificate, a minimum level of verification of the public key holder is required. When issuing a certificate of the highest level, not only the personal data of the owner is checked, but also the level of its creditworthiness. In this case, the certificate can act as an analogue of a "credit card", confirming the creditworthiness of transactions on the Web.

To obtain a personal certificate, the user must pay a fee, which is the higher, the higher the certificate class. 

The authenticity of the certificate is confirmed by the signature of the certification center that issued the certificate. The certification system may have a multi-level nature (Fig. 10.7.).

 

 

 

Fig. 10.7. The certification system is multi-level.

In order to understand how the issuance and use of certificates is organized, you can resort to an analogy with the conditional certification scheme of a regular signature.

Let there be an employee of the certification center Ivanov authorized to issue certificates certifying that the signature belongs to the owner. Let's consider how the work of such a service can be organized by mail (Fig. 10.8.). 

 

 

Fig. 10.8. The issuance and use of certificates can be illustrated by a conventional certification scheme for a conventional signature

 

Initially, everyone should have a root certificate in which there is a sample signature of Ivanov. If someone Petrov (Fig. 10.8, paragraph 1) wants to receive a personal certificate, he sends his passport to the certification center and in return receives a personal certificate certified by Ivanov’s signature (paragraph 2-3). Petrov has a sample signature of Ivanov, so he believes that the certificate came from Ivanov. Petrov retains this certificate and sends copies of it to his correspondents (paragraph 4), one of which is a certain Sidorov. Sidorov receives a certificate certified by Ivanov’s signature, and therefore has no doubt that the certificate is valid (paragraph 5). After Sidorov received Petrov’s certificate, he can write to Sidorov, in full confidence that he will not be mistaken for someone else (paragraph 6). Sidorov receives a letter with Petrov’s signature (paragraph 7), compares it with the signature in Petrov’s personal certificate and makes sure that the letter is from Petrov.

In the case of electronic signatures, the mechanism for verifying and comparing signatures occurs automatically, and the entire complex authentication process is transparent to the user. In this case, a complete analogy with the usual signatures is seen. In the browser (for example, in Internet Explorer), root certificates of well-known certification authorities are already pre-installed. For example, such as Verisign.

The root certificate contains the public key and information about its owner. When you receive your correspondent’s personal certificate certified by Verisign’s signature, you can verify its authenticity and save it on your computer. Moreover, by the term "correspondent" we can mean not necessarily a person, but, for example, the server from which you want to download software.

The newly received certificate contains the public key of your correspondent, which allows you to verify the authenticity of his signature.

To obtain a personal certificate, you need to contact the web server of the certificate publisher, provide personal information necessary to obtain a specific certificate, and select the length of the private key. Before submitting the form, the browser will generate a key pair (public and private) and enter them into the password-protected database. The private key should not be known to anyone, including the certification center. The public key is sent along with other data to the certification center for inclusion in the certificate. After receiving payment, the certification center issues a certificate and indicates the URL from where it can be downloaded. After receiving the certificate, the user's browser automatically starts the installation procedure.

Signed Application System

As already mentioned, distributing software over the Web requires authentication, which is achieved through the use of certificates. Consider this process in more detail.

When buying boxed software, there is usually no doubt that the software product inside is owned by the manufacturer. However, when you download a product from the Web, there is no guarantee that the provider of this software is exactly who it claims to be, and the downloaded software is virus-free. This problem is solved by introducing an authentication code (Authenticode) into the distributed product, which allows you to include information about the developer through the use of a digital signature. By downloading software signed with an authentication code and certified by a certification authority, users can be sure that the software has not been changed after signing. According to the component model, code elements can be downloaded to a user's computer while accessing a Web resource, for example, to play an animation. In order to prevent the loading of unsafe code, a system of signed applications is used. Based on this technology, users can safely receive signed applications. If an Internet Explorer user encounters a component that is distributed without a signature, the program (depending on the browser’s internal security settings) will either refuse to download such code or issue a warning about an unsafe component. If the user encounters a signed application, the client program will confirm its security (Fig. 10.9).

 

Fig. 10.9. Warning of the possibility: on an unsafe installation - from above; secure installation - bottom

 

As of Internet Explorer to import and ex certificates provided port manager their port and export certificates - of Internet Explorer Certificate Manager, which allows you to install and remove the client certificate and CA certificates.

Office2003 uses digital signature technology to sign files, documents, and macros. If the entire file is signed, a digital signature ensures that the file has not changed since signing. Signing a code is similar to digital signing, but usually the concept of " digital signature " refers to the process of signing a document, and " signing a code" refers to signing an executable code. Signing a code ensures that it has not changed since it was originally signed. An important value in Office 2003 has the ability to prohibit the execution of unsigned macros ² . Macros can improve work efficiency, but at the same time pose a threat as a means of spreading viruses.

Correspondence Safety

As shown in the previous sections, to ensure the privacy and authentication of the sender, data encryption and authentication of documents using an electronic signature are necessary.

Consider the mail security system using the example of Outlook 2003.

You can access the security system using the command Service -> Options -> Security (Fig. 10.10).

 

 

Fig. 10.10. Security Tab, Outlook 2003 Options Panel

 

In order to use the security system, in the same way as for working with secure Web resources, you need to get a personal digital identity - a digital certificate that is issued by an independent certification authority to a specific email address. If the user has several email addresses, he needs to have several certificates. Based on the digital certificate, the user receives an individual electronic signature and a pair of keys (public and private).

The button "Get a certificate" (Fig. 10.10) should send the user to the sites of organizations that provide certificates. As a source of certification can be called www.verisign.com or www.thawte.com.

Having received a digital ID, the user can sign their letters. To do this, check the box "Add a digital signature to outgoing messages." In this case, all messages that the user sends will contain his signature and public key, and anyone who receives such a letter will be able to send an encrypted message in response. Checking the box "Encrypt contents and attachments of outgoing messages" makes sense if the user has signatures (public keys) of everyone with whom they correspond.

Outlook 2003 lets you save digital certificates from any Corre- sponding - comrade who send you a signed e-mail, view, revise or delete.