All encryption systems rely on the concept of a key. A key is the
basis for a transformation, usually mathematical, of an ordinary message into
an unreadable message. For centuries, most encryption systems have relied
on what is called private key encryption. Only within the last 30 years has
a challenge to private key encryption appeared - public key encryption.
Private key encryption
Private-key encryption systems
use a single key that is shared between the sender and the receiver. Both
must have the key; the sender encrypts the message by using the key, and the
receiver decrypts the message with the same key. Both must keep the key private
to keep their communication private. This kind of encryption has characteristics
that make it unsuitable for widespread, general use:
- Private key encryption requires a key for every pair of individuals who
need to communicate privately. The necessary number of keys rises dramatically
as the number of participants increases.
- The fact that keys must be shared between pairs of communicators means
the keys must somehow be distributed to the participants. The need to transmit
secret keys makes them vulnerable to theft.
- Participants can communicate only by prior arrangement. There is no way
to send a usable encrypted message to someone spontaneously. You and the other
participant must make arrangements to communicate by sharing keys.
Private-key encryption is also called
symmetric encryption, because
the same key is used to encrypt and decrypt the message.
Public key encryption
Public key encryption
uses a pair of mathematically related keys. A message encrypted with the first
key must be decrypted with the second key, and a message encrypted with the
second key must be decrypted with the first key.
Each participant in
a public-key system has a pair of keys. The private key is kept
secret. The other key is distributed to anyone who wants it; this key is the
public key.
To send an encrypted message to you, the sender encrypts
the message by using your public key. When you receive the message, you decrypt
it by using your private key. To send a message to someone, you encrypt
the message by using the recipient's public key. The message can be decrypted
with the recipient's private key only. This kind of encryption has characteristics
that make it very suitable for general use:
- Public-key encryption requires only two keys per participant. The increase
in the total number of keys is less dramatic as the number of participants
increases, compared to symmetric key encryption.
- The need for secrecy is more easily met. Only the private key needs
to be kept private, and because it does not need to be shared, the private
key is less vulnerable to theft in transmission than the shared key in a
symmetric key system.
- Public keys can be published, which eliminates the need for prior sharing
of a secret key before communication. Anyone who knows your public key can
use it to send you a message that only you can read.
Public-key encryption is also called asymmetric encryption,
because the same key cannot be used to encrypt and decrypt the message. Instead,
one key of a pair is used to undo the work of the other. WebSphere Application
Server uses the Rivest Shamir Adleman (RSA) public and private key encryption
algorithm.
With symmetric key encryption, you have to be careful of
stolen or intercepted keys. In public-key encryption, where anyone can create
a key pair and publish the public key, the challenge is in verifying that
the owner of the public key is really the person you think it is. Nothing
prevents a user from creating a key pair and publishing the public key under
a false name. The listed owner of the public key cannot read messages encrypted
with that key because the owner does not have the private key. If the creator
of the false public key can intercept these messages, that person can decrypt
and read messages intended for someone else. To counteract the potential for
forged keys, public-key systems provide mechanisms for validating public keys
and other information with digital signatures and digital certificates.
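
The key-pair behavior and the forged-key problem described above can be seen in a small added example, which is not WebSphere Application Server code. It uses textbook RSA with tiny constructed primes and no padding, so it is an illustration only; the participants "alice" and "mallory", the directory, and all function names are assumptions made for the example.

```python
# Added illustration: textbook RSA with tiny constructed primes. No padding and
# a toy key size, so it is not secure; it only shows how a key pair behaves.
from math import gcd

def make_keypair(p, q, e=17):
    """Return (public_key, private_key) as (exponent, modulus) tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    return (e, n), (pow(e, -1, phi), n)  # modular inverse needs Python 3.8+

def apply_key(key, value):
    """Transform one integer block with either key of a pair."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("block does not fit this key's modulus")
    return pow(value, exponent, n)

def encrypt_text(public_key, text):
    return [apply_key(public_key, b) for b in text.encode()]

def decrypt_text(private_key, blocks):
    return bytes(apply_key(private_key, c) for c in blocks).decode()

def try_read(private_key, blocks):
    """Return the plaintext, or None when this key yields no valid text."""
    try:
        return decrypt_text(private_key, blocks)
    except ValueError:  # out-of-range block, non-byte value or bad UTF-8
        return None

# Constructed key pairs; "alice" and "mallory" are hypothetical participants.
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(61, 53)
MALLORY_PUBLIC, MALLORY_PRIVATE = make_keypair(89, 97)
MESSAGE = "Hello Alice"

# An unverified directory: Mallory has published her own key under Alice's name.
FORGED_DIRECTORY = {"alice": MALLORY_PUBLIC}

if __name__ == "__main__":
    genuine = encrypt_text(ALICE_PUBLIC, MESSAGE)
    print("Alice reads genuine:", try_read(ALICE_PRIVATE, genuine))
    misdirected = encrypt_text(FORGED_DIRECTORY["alice"], MESSAGE)
    print("Alice reads misdirected:", try_read(ALICE_PRIVATE, misdirected))
    print("Mallory reads misdirected:", try_read(MALLORY_PRIVATE, misdirected))
```

A sender who takes the key from the unverified directory produces a message that the listed owner cannot read but the key's creator can, which is the gap that digital signatures and digital certificates close.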