Just as a key for a Ford truck won’t work with your front door lock, keys made for algorithms are made for that algorithm alone. A key made for the 3DES algorithm will only be able to encrypt and decrypt with the 3DES algorithm;
it can’t encrypt or decrypt with Twofish, for example. You usually don’t have to worry about that, though, because your encryption program knows which algorithms it has made and will look for the correct keys. If the correct keys are not present, it will tell you so. Then it’s time to call the IT department for help.
Most cryptographic programs are able to choose different algorithms to work with. Sometime you choose which algorithm to use and other times the programmers or vendors have set up the rules and parameters for you. In that case, the appropriate keys will be made and exchanged and you rarely have to worry about this.
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.
One Key; Two Keys . . .
There are encryption algorithms that only generate one key and others that generate two keys. The keys made by the single-key algorithms are called symmetric keys. That doesn’t mean that each key is shaped the same, or that one side looks the same as the other, it simply means that the same key is used to encrypt data and decrypt data. Both keys are made of the exact same data. Sometimes you’ll see this referred to as a secret key, but I’ll call it a symmetric key for now just to help keep things straight.
Some encryption algorithms generate two keys, and that’s called asymmetric algorithms with asymmetric keys. What this means is that two keys are generated; one key is kept by the user and the other key is shared with anyone the user wants to have it. The keys are different from one another and don’t seem to have any connection to one another.
However, hidden in the keys is some special stuff that indicates they have some mathematic properties in common.
This “special stuff” is not obvious, either. These keys are also known as public/private keys. The public key is one you give to other people. The private key is the one you keep to yourself and never share with anyone. I explain how that works in a minute.
One thing I want you to note is that sometimes people mistakenly call their private key a secret key. As you can see, this creates a lot of confusion because the single key created by a symmetric algorithm is also known as a secret key. I can’t stop people from making incorrect references, otherwise I’d wave my magic wand and make everyone do things right. (Chey for President?) What you can do is question a person’s use of the phrase “secret key” by asking them if they mean a single key, or one of a key pair. If they really mean one of the keys of a key pair, then they really mean
“private key.”
So, here’s how you start using public and private keys:
The algorithm is told to generate the keys. (If you are using PGP or similar, it will ask for your passphrase at this point.)
1.
Your computer stores the two files: a private key and a public key.
2.
You can copy or move your private key to a safe place like a floppy or USB drive.
3.
If you want others to have immediate, unlimited access to your public key, you send your public key to a public key server. (There are hundreds of public key servers — a very popular one is www.keyserver.net/en.)
4.
If you want to limit who has your public key, you send it to those people in an e-mail message (or similar).
5.
Now you’re ready to start encrypting and decrypting messages. You can’t do this with a wave of your hand, though; you need special programs capable of handling encryption and decryption.
E-mail programs generally all have this capability.
6.
I’m sorry that I can’t give you a step-by-step guide on all the different public/private keys and encryption programs with instructions on how to use your keys. That entails a book in itself! But, I do give step-by-step lessons in Chapter 8 on how to use public/private keys with Outlook Express and Eudora. In that chapter I use Digital Certificate public/private keys and PGP public/private keys because they are the most common.
I can’t give you all those individual steps, but I can give you a good idea on how the concept works. For that I’m going to revert to some graphics to tell my story.
Public/private keys
These keys are “linked” to each other by some special math operations done by the encryption algorithm. I’m being overly simplistic here, but imagine you have one key and you break it down the middle: One part is your public key and the other part is your private key (see Figure 7-2).
Figure 7-2: Two halves make the public and private keys.
Please note that I have said this is overly simplistic, because it is. In reality, you could never look at one key and be able to figure out what the other key is like. In my example, the two sides obviously fit together, but that’s only to help you understand the concept.
I’m going to have Boris and Natasha exchange some e-mails using their public and private keys. They have already exchanged their public keys with one another and, of course, they have their own private keys. Next I describe how the process works.
The magic encryption machine
As this is just an exercise in comprehension, I’m going to tell you that the encryption machine is actually a “magic shredding and de-shredding machine.” This machine has two key locks in the front of it; one is for the private key and the other is for the public key (see Figure 7-3).
Figure 7-3: Boris uses his private key and Natasha’s public key to encrypt a message.
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.
Boris puts his message in the magic encryption shredding machine, inserts his private key in one lock, inserts Natasha’s public key in the other lock, and turns both keys. This action makes a separate, encryption key. You don’t see this key or even realize it exists. It does the actual encryption and the result is a special confetti — the encrypted message. (The temporary key information is actually included in this confetti, but you don’t see it or notice it.) Boris then packs up this special confetti in an e-mail message and sends it to Natasha. He doesn’t need to tell her about the keys, because she’ll use a similar process to decrypt the message.
The magic decryption machine
Now that Boris has e-mailed Natasha his encrypted message, she’s now confronted with a pile of nonsense (that’s what an encrypted message looks like). To decrypt the message, she has to use her “magic” machine to get the plaintext version of what Boris wrote.
As shown in Figure 7-4, Natasha puts her private key in place and then puts Boris’s public key in its place. (Remember that Boris had already mailed her his public key and she owns her own private key.) When those two keys are in place, she’s asked for her passphrase and the temporary key information “pops” out of the confetti and quickly starts the decryption process. Then the plaintext message magically appears! This happens very, very quickly, too.
Figure 7-4: Natasha decrypts Boris’s message.
The actual process is almost as simple as shown here in my pictures! When you are using e-mail in particular, it knows about your private key and asks you where you’ve kept it (if you are not storing it on your hard drive). I will also ask you to locate the public key for the person who is receiving your message. Usually, public keys have the person’s name or e-mail address associated with them and you can search public key servers with that information.
Finding private and public keys works a bit differently with high-end corporate PKI systems but, for the most part, finding the keys is usually automated and you don’t have to worry about it.
Symmetric keys (again)
The process of encrypting and decrypting data with a symmetric (secret) key is almost exactly the same as the examples I’ve shown to you in the public/private key figures. The real difference is that there is only one key used to encrypt and decrypt.
Using one key presents a bit of a problem. If you are using the same key to encrypt a message as you are to decrypt
it, how does Boris get that key to Natasha without someone else finding it first? Sending it by e-mail is just plain dumb
— unencrypted e-mail can be read by anyone who wants to try. And, it’s not hard to do. So, that method is out. Boris could send the secret key by snail mail or express mail of some sort, but there’s still a slight chance that the package could be intercepted.
There is one solution that many people have proposed and that’s breaking up the key into pieces and giving them to a number of people. When the key needs to be used, all the people who have the pieces have to go to the computer and enter their parts. If one part or piece is missing, the key won’t work. But, that doesn’t work too well in the real world.
What if you have shared pieces of the key with three people and one of those people is on vacation when you need to use the entire key? Or, what if you go into work at 6 a.m. on Sunday morning to catch up on some work and an important encrypted message comes in? Do you think the three people you need would be willing to come in to the office on their day off, just so you can read a message? I’d be willing to bet the chances of them agreeing to come in fit somewhere with a snowball and Hades.
That, in a nutshell, sharing the secret key with others has always been the weakest part of symmetric key encryption.
Cryptographers have muddled over this problem for decades. If you are using a system that relies solely on symmetric keys, you have to make sure that they method in which symmetric keys are shared is safe and secure. You wouldn’t want someone to intercept the symmetric key during its “sharing” process!
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.