
Crash course on cryptography: Public key cryptography

In this document
  The basic principle
  How public key cryptography works
  Applications of public key cryptography

See also
  Crash course: Introduction
  Crash course: Secret key cryptography
  Crash course: Digital signatures
  Crash course: Digital certificates
  Crash course: Security aspects of cryptographic systems
In order to decrypt a message, Bob (the recipient) has to know the key. However, it may be difficult for Alice (the sender) to tell Bob what the key is. If they simply agree on a key by e-mail for example, Eve could be listening in on their e-mail conversation and thus also learn what the key is. Public key cryptography was invented to solve this problem.

The basic principle

Public keys and private keys

When using public key cryptography, Alice and Bob both have their own key pairs. A key pair consists of a public key and a private key. If the public key is used to encrypt something, then it can be decrypted only using the private key. And similarly, if the private key is used to encrypt something, then it can be decrypted only using the public key. It is not possible to figure out what the private key is given only the public key, or vice versa.

This makes it possible for Alice and Bob to simply send their public keys to one another, even if the channel they are using to do so is insecure. It is no problem that Eve now gets a copy of the public keys. If Alice wants to send a secret message to Bob, she encrypts the message using Bob's public key. Bob then takes his private key to decrypt the message. Since Eve does not have a copy of Bob's private key, she cannot decrypt the message. Of course this means that Bob has to carefully guard his private key. With public key cryptography it is thus possible for two people who have never met to securely exchange messages.

Combining public key and secret key cryptography

A problem with public key cryptography is that it is very slow. Encrypting a message that is several megabytes long takes a very long time, much longer than when using secret key cryptography. For this reason few people use only public key cryptography. What Alice usually does is encrypt the message using a secret key encryption algorithm and a key she made up on the spot. She then encrypts this key (called the session key) using Bob's public key. Bob can then obtain the session key by decrypting it using his private key. And with the session key he can decrypt the message. This way a long message is encrypted very quickly and Alice can still send it to Bob without needing a secure way of agreeing on the key.

How public key cryptography works

See also
  The RSA public key cryptographic system
  The Diffie-Hellman system
  The ElGamal public key system
  Elliptic curve cryptography

Public key cryptography systems are usually based on the assumption that a particular mathematical operation is easy to do, but difficult to undo unless you know some particular secret. This particular secret serves as the private key. The two most famous public key cryptography systems are Diffie-Hellman and the RSA system, named after its inventors Rivest, Shamir and Adleman. More recently public key cryptography based on so-called elliptic curves has gotten a lot of attention.

Using public key cryptography it is possible to easily encrypt a message for multiple recipients. It is even possible to later authorize recipients to read the message. The message is simply encrypted with a session key. The session key is encrypted multiple times, once for every recipient using his public key. If later another recipient needs to be added, the session key is simply then also encrypted using his public key. Every recipient can now decrypt the session key independently from every other recipient.
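
The multi-recipient scheme just described, together with the earlier section on combining public key and secret key cryptography, as an added Python example that is not part of the original crash course. It assumes textbook RSA built from fixed, publicly known Mersenne primes (so the keys are constructed for illustration and give no security) and uses SHA-256 in counter mode as the "secret key" algorithm for the message itself.

```python
import hashlib
import secrets

# Fixed primes, constructed for the demo: the Mersenne primes 2**61-1, 2**89-1,
# 2**107-1, 2**127-1, 2**521-1 and 2**607-1. Real keys use large random primes.
PRIMES = {k: 2**k - 1 for k in (61, 89, 107, 127, 521, 607)}
E = 65537  # public exponent


def toy_rsa_keypair(p, q):
    """Textbook RSA without padding: return (public, private) as (n, exponent) pairs."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)


def rsa_apply(value, key):
    """Raise value to the key's exponent modulo n; used for both encryption and decryption."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def stream_cipher(key, data):
    """Toy 'secret key' cipher: XOR data with SHA-256(key || block counter) blocks.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def encrypt_for(recipients, message):
    """Encrypt the message once under a fresh 128-bit session key, then wrap that key
    separately for each recipient (name -> public key). Alice keeps the session key
    so that she can authorize further recipients later."""
    session_key = secrets.token_bytes(16)
    k = int.from_bytes(session_key, "big")
    package = {
        "ciphertext": stream_cipher(session_key, message),
        "wrapped": {name: rsa_apply(k, pub) for name, pub in recipients.items()},
    }
    return package, session_key


def add_recipient(package, session_key, name, pub):
    """Authorize a new recipient afterwards: only the session key is encrypted again,
    the (possibly very large) ciphertext stays as it is."""
    package["wrapped"][name] = rsa_apply(int.from_bytes(session_key, "big"), pub)


def decrypt_as(package, name, priv):
    """A recipient unwraps the session key with his private key, then decrypts the message."""
    k = rsa_apply(package["wrapped"][name], priv)
    return stream_cipher(k.to_bytes(16, "big"), package["ciphertext"])


def demo():
    bob_pub, bob_priv = toy_rsa_keypair(PRIMES[61], PRIMES[89])
    carol_pub, carol_priv = toy_rsa_keypair(PRIMES[107], PRIMES[127])
    dave_pub, dave_priv = toy_rsa_keypair(PRIMES[521], PRIMES[607])
    message = b"Meet me at the old mill at noon. -- Alice"  # constructed sample
    package, session_key = encrypt_for({"bob": bob_pub, "carol": carol_pub}, message)
    add_recipient(package, session_key, "dave", dave_pub)  # Dave is authorized later
    return {
        "bob": decrypt_as(package, "bob", bob_priv),
        "carol": decrypt_as(package, "carol", carol_priv),
        "dave": decrypt_as(package, "dave", dave_priv),
        "wrapped_keys": len(package["wrapped"]),
        "ciphertext_length": len(package["ciphertext"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```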

Applications of public key cryptography

Secure Web communication

See also
  Encrypted Internet transmissions
  Electronic payment techniques

One important application of public key cryptography is encrypted communication with a Web server. This enables Alice to securely place an order and to transmit her credit card details. Alice's Web browser generates a random number which will be used to encrypt all communication with the server using secret key cryptography. The browser obtains a copy of the public key of the server and uses this public key to encrypt this random number (called the session key). The result is sent to the server. After that, browser and server can encrypt all information so that Eve cannot read it.

Alternatively, it is the server that generates the session key. This requires that the browser sends its own public key to the server so that the session key can be transmitted securely. This makes it easier to upgrade the hardware or software that generates the session key.

Secure content distribution

See also
  Selling intangible goods

Content such as music or video can be distributed in encrypted form. To be able to play it back, the recipient needs the decryption key. To avoid having to encrypt the entire movie or song again for every recipient, the content is encrypted with a session key. Every recipient receives the encrypted content together with the session key. The session key is of course encrypted using the recipient's public key. This way only a very small amount of data needs to be encrypted again for every recipient.

It is even possible to distribute the encrypted content in advance. If the recipient wants to play back the content, he can at any time contact the distributor and obtain (purchase) a copy of the session key encrypted using his public key. This is sometimes called 'superdistribution'.

Crash course on cryptography: Security aspects of cryptographic systems

In this document
  Keeping the keys secure
  Implementation issues

See also
  Crash course: Introduction
  Crash course: Secret key cryptography
  Crash course: Public key cryptography
  Crash course: Digital signatures
  Crash course: Digital certificates

Cryptographic systems are quite complex. This makes them vulnerable to a variety of attacks. If an attack succeeds, then Eve may be able to read Alice's and Bob's messages, or even to forge a message in their names. The most common security problem is keeping the cryptographic keys secure. This is more difficult with secret key cryptography, since there Alice and Bob need to communicate this key to one another. However, even if Alice and Bob are very careful with their keys, the implementation of their cryptographic system may have a bug (or an intentional backdoor) that allows Eve to crack the system.

Keeping the keys secure

See also
  Je mag alles van me weten... behalve m'n wachtwoord! ("You may know everything about me... except my password!", in Dutch)

The best way to keep the secret key a secret is to never write it down. If Alice and Bob have agreed on a secret key to encrypt their messages, they should memorize the key so that Eve will not be able to find it if she breaks into their houses. Alice might think the risk of burglary is not very big, since she's just encrypting love letters to Bob. But Eve might be Alice's mother or roommate, allowing her to easily read all the yellow notes attached to Alice's computer monitor.

In many systems the secret key is made up on the spot and used only once. It can then safely be thrown away after use. This makes the risk that Eve can steal it much smaller. Throwing away the key after use is not an option for public key cryptography. To protect Alice's private key, it is often stored encrypted with secret key encryption using a password supplied by Alice. If Eve now steals Alice's hard disk, she cannot use Alice's private key.

However, to decrypt and sign messages Alice's private key needs to be present in the computer's working memory in unencrypted form. At that moment Eve might be able to steal it. For example, she could have installed a program on Alice's computer that makes a copy of her entire working memory whenever Alice's public key encryption program is started. On UNIX-like systems (like Linux) applications that crash generate a copy of the contents of their working memory on the hard disk for debugging purposes (the so-called core dump). If Eve can get a copy of such a core dump, she could analyze it to find the part where Alice's private key resides.

Many operating systems use a so-called swap file in which unused portions of working memory are stored. If such a portion contains a copy of Alice's private key, Eve can recover it by examining the swap file. Programs running on such operating systems therefore should wipe the relevant portions of the working memory as soon as possible. It is sometimes also possible to mark such portions as "do not write to swap file". Alternatively, Alice might erase her swap file when the operating system shuts down. However, if she does this while the operating system is running, her computer will crash.

Smart cards

See also
  Hoe betrouwbaar is de digitale handtekening? ("How reliable is the digital signature?", in Dutch)

The secret key is sometimes stored on a secure storage medium such as a smart card. A smart card contains a processor and a memory for storing the secret key. It is programmed to encrypt or decrypt messages using the key stored in the memory. The smart card has an input/output port to communicate with Alice's computer, for example using the USB interface. Because the memory is embedded in the smart card, it is very difficult for Eve to read out or copy the secret key. Breaking open the smart card is usually not possible without destroying it. Activation of the smart card usually requires Alice to enter a personal identification number (PIN) or a password, or maybe to supply her fingerprint or a voice command. This way Eve cannot use the smart card if she steals it.

Smart cards can also be used to protect Alice's private key. The processor is then programmed to decrypt and sign messages using her private key. If Alice wants to read a message from Bob that was encrypted using her public key, her e-mail program transmits the encrypted message to the smart card, which decrypts it and transmits the result back to the e-mail program.

Eve now cannot obtain a copy of Alice's private key. She could however write a program that covertly transmits data to the smart card with the request to decrypt or sign it. For this reason smart cards are usually programmed to only operate after Alice enters a PIN or password, or confirms the operation by e.g. pressing a button on the device holding the smart card.

An additional advantage of using a smart card is that the secret key, or the private key, can be programmed on it beforehand. This way Alice does not have to worry about how to securely generate this key. And in many cases, Trent will not issue a certificate for Alice's public key unless he generated Alice's public and private key himself. This way he can be sure that it's really Alice's key, and that her household does not have a copy.

Key exchange

In some cases, Alice and Bob have separate key pairs for encryption and for digital signatures. Alice then uses the one private key only to decrypt messages, and the other private key only to create digital signatures on messages she sends herself. This allows Alice to protect the two key pairs in different ways. Furthermore she could use different algorithms or key lengths for decryption and for signing.

Implementation issues

Keeping the algorithm or implementation a secret

Some people think that the cryptographic algorithm or its implementation should be kept a secret. This way Eve, who is trying to listen in on Bob and Alice, will not be able to figure out how to decrypt the message. This is not a very good idea. Keeping the key a secret is difficult enough, but also guarding all information regarding the cryptographic algorithm and its implementation is much harder. Furthermore, cryptography is a complex science. Only by thoroughly reviewing the system can you be sure that there are no errors in the algorithm and the implementation.

The most popular cryptographic algorithms are public knowledge (although they may be patented) and anyone can study them to discover weaknesses or to improve them. The same goes for implementations. The most famous encryption program, called Pretty Good Privacy (PGP), has been available on the Internet including source code for more than a decade. No one has been able to find any serious flaws in this program. Some small implementation errors were found by people studying the source code. This has enabled the authors of the program to fix these errors. It is unlikely that they would have found these errors if they kept the source code a secret.

Brute force attacks: trying out all possible keys

Eve can of course try out all possible secret keys until she finds one that gives her a readable message. This is called a brute force attack or an exhaustive key search. The only way to defend against this attack is to make sure that there are so many keys that Eve cannot try them all out in any reasonable amount of time. State of the art cryptographic algorithms use keys that are 16 characters (16 bytes, or 128 bits) long. While this may seem a bit short, 16 characters allow 340,282,366,920,938,463,463,374,607,431,768,211,456 different keys. That's a three with 38 zeros. Given a specially designed chip that can try out one thousand billion (a one with 12 zeros) keys per second, and given one thousand billion of those chips, Eve needs about 340,282,366,920,938 seconds to try all keys. Since there are about 31 million seconds in a year, this works out to slightly more than ten million years.

Right now making chips that can try out one thousand billion keys per second appears to be utterly out of the question. However, it is impossible to predict what technology might be available in 20 years. In 1977 the U.S. government developed together with IBM the Data Encryption Standard (DES). This secret key encryption algorithm uses a key that is 56 bits, or seven characters long. At the time it was believed that trying out all 72,057,594,037,927,936 possible keys (a seven with 16 zeros) would be impossible because computers could not possibly ever become fast enough. In 1998 the Electronic Frontier Foundation (EFF) built a special-purpose machine that could decrypt a message by trying out all possible keys in less than three days. The machine cost less than $250,000 and searched over 88 billion keys per second.

A difficulty in this type of attack is that computers cannot easily recognize when something is the "real" message. Ways to overcome this problem are to check the result using a dictionary, or to check whether the letter frequencies of the result correspond to the letter frequencies in English. It could also be that part of the message is known, for example because it begins with today's date and a salutation. In that case, Eve can simply compare all possible outcomes with the known part of the message. If that part occurs in the outcome, then the key was probably correct. This was one of the tricks that helped British cryptographers decrypt messages encrypted using the German Enigma machine.
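
The key-space arithmetic above and the problem of recognizing the "real" message, as an added Python example that is not part of the original crash course. The cipher it searches is a constructed toy with a 16-bit key, chosen so that the whole key space can be tried in a moment; the figures for a 128-bit key use the page's hypothetical attacker of 10^12 chips, each trying 10^12 keys per second, and the page's rounded 31 million seconds per year.

```python
import string
import time

SECONDS_PER_YEAR = 31_000_000  # the page's rounded figure


def exhaustive_search_seconds(key_bits, keys_per_second_per_chip, chips):
    """Seconds needed to try every one of the 2**key_bits keys."""
    return 2**key_bits / (keys_per_second_per_chip * chips)


def exhaustive_search_years(key_bits, keys_per_second_per_chip=10**12, chips=10**12):
    """Years for the page's hypothetical attacker: 10**12 chips at 10**12 keys/second each."""
    return exhaustive_search_seconds(key_bits, keys_per_second_per_chip, chips) / SECONDS_PER_YEAR


def toy_encrypt(key16, data):
    """Toy cipher with a 16-bit key: XOR with the repeated 2-byte key (encrypt == decrypt).
    Constructed for this demo only; it shows nothing but the size of the key space."""
    keystream = (key16.to_bytes(2, "big") * (len(data) // 2 + 1))[:len(data)]
    return (int.from_bytes(data, "big") ^ int.from_bytes(keystream, "big")).to_bytes(len(data), "big")


def looks_like_english(candidate, known_prefix=None):
    """Decide whether a candidate decryption is 'the real message'. Either a known part
    of the message is compared (the page's date-and-salutation trick), or the text must
    consist of letters and spaces with an English-like share of the most frequent ones."""
    if known_prefix is not None:
        return candidate.startswith(known_prefix)
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not text or any(ch not in string.ascii_lowercase + " " for ch in text):
        return False
    frequent = sum(text.count(ch) for ch in "etao ")  # the commonest English characters
    return frequent / len(text) > 0.3


def brute_force(ciphertext, known_prefix=None):
    """Try all 65536 keys of the toy cipher; return the keys that yield a plausible message."""
    hits = []
    for key in range(2**16):
        candidate = toy_encrypt(key, ciphertext)
        if looks_like_english(candidate, known_prefix):
            hits.append((key, candidate))
    return hits


# Constructed sample message (letters and spaces only) and the key Alice used.
MESSAGE = b"monday morning the boats leave at noon so meet me at the old mill"
KEY = 0xBEEF


def demo():
    ciphertext = toy_encrypt(KEY, MESSAGE)
    start = time.perf_counter()
    by_frequency = brute_force(ciphertext)                       # letter-frequency check
    by_known_part = brute_force(ciphertext, known_prefix=b"monday")  # known opening words
    elapsed = time.perf_counter() - start
    return {
        "found_by_frequency": [key for key, _ in by_frequency],
        "found_by_known_part": [key for key, _ in by_known_part],
        "toy_search_seconds": elapsed,
        "years_for_128_bit_key": exhaustive_search_years(128),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```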

The system for secure Web communication has two important points of failure. If the browser does not generate a good random number, Eve might be able to guess what it is and she can then read all messages. A popular way to make random (or rather: random-looking) numbers is to take the current time expressed in microseconds since January 1st 1970 combined with the process identifier of the Web server or browser. This can be guessed with some effort.

It is also possible to replace the public key of the trusted third party with another public key by overwriting the relevant portions of the browser's files as they are stored on the hard disk of the user.

And the most common way to steal information that has been transmitted using this system is to simply hack the Web server. Many Web applications receive data such as credit card numbers encrypted in this fashion and then store it on their hard disk in plain form. A hacker then merely has to read out the file containing the credit card numbers and does not have to bother with guessing the session key.

Crash course on cryptography: Digital certificates

Alice needs a copy of Bob's public key to encrypt messages to him using public key cryptography. And Bob needs Alice's public key to verify any digital signatures on Alice's messages. Both must be sure that they have the right public key. This is where digital certificates come in.

Digital certificates are messages that couple an identity to a public key. They are signed by the person or authority that created them. If Bob trusts that authority, he can be sure that certificates issued by that authority are genuine and so he can check that he really has Alice's public key.

The basic principle

An important aspect of public key cryptography is that Alice and Bob must be convinced that they have the right public key of each other. Eve could have substituted her own public key for Bob's, and then Alice would be encrypting messages intended for Bob in a way that Eve could read them. Eve could then encrypt them again with Bob's real public key so that he would not notice Alice has the wrong public key. If Eve does the same the other way around, all communication between Alice and Bob can be read by Eve and neither of them knows it!

Alice and Bob could of course meet in person or call each other over the phone to verify that they have the right public keys. This is often impractical, and Alice and Bob might not even know each other. For example, Alice could own a Web store and use public key encryption so that her customer Bob can securely send her his credit card details. Now if Bob tries to call Alice, how can he possibly know that he's talking to Alice and not to Eve?

The use of digital certificates solves this problem. Next to Alice, Bob and Eve, there is now also a trusted third party, usually called Trent because that name also starts with a T. If Alice wants to have Bob's public key, she will go to Trent to ask for a copy. Trent will then send her a message containing details of Bob's identity and Bob's public key. This message, called the certificate for Bob's public key, is signed by Trent. Alice now verifies that the digital signature is correct using Trent's public key. If this is the case, she knows that she has Bob's real public key and she now also knows that Bob is called Bob.

Eve is now no longer able to impersonate Bob by giving Alice a public key pretending it is Bob's. Since this public key is not signed by Trent, Alice will not accept it. And Alice is sure that Trent checked Bob's passport or driver's license before making the certificate.

Of course Eve might now try to pretend that she is Trent. If she can pull this off, she can listen in on everybody's communication! To prevent this, Alice should make sure that she really has Trent's public key. This should be quite easy. Trent could be a government agency or a notary public, and so she can simply visit Trent and take a copy of this public key home with her. She only has to do this once and then she can securely communicate with everyone else who visited Trent and had him make a certificate.

How digital certificates work

Certificate chains

Alice and Bob may trust Trent because he is their local notary. But if Alice and Bob are in different cities, Alice might not know whether this person claiming to be Bob's notary is for real. Fortunately for her, Trent is a member of the National Notary Association (NNA). This association has created a certificate with Trent's public key. Alice now visits her own notary and picks up a copy of the public key for the NNA. She then asks Trent for a copy of his own certificate and for a copy of Bob's certificate. Using the public key for the NNA Alice can verify that she really has Trent's public key and that Trent is Trent. She is then confident that she also has Bob's real public key, because the certificate with that public key was signed by Trent.

As you can see in the figure, this produces a whole chain of certificates that have to be verified before Alice can check whether she really has Bob's public key. The chain can in principle be of any length. For instance, the NNA could have representatives in different states or provinces. Each representative creates the certificates for the notaries in his state. The national NNA creates the certificates for all the representatives. And maybe there is a government agency that creates a certificate for the NNA itself.

It is important to understand that if you trust the first certificate in the chain, and then accept the public key that comes out as valid in the last certificate, you implicitly also trust all the other certificates in the chain. If one notary was bribed by Eve, he could have created a certificate for Eve stating she was Bob. If one of these NNA representatives was bribed by Eve, he could have created a certificate for Eve's Notary Service and then Eve would be able to make up certificates in anyone's name in that particular state.
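
The chain just described (the NNA signs Trent's certificate, Trent signs Bob's, and Alice trusts only the NNA key she picked up from her own notary), as an added Python example that is not part of the original crash course. It models certificates as plain dicts signed with textbook RSA over fixed Mersenne primes, which is constructed for illustration and resembles neither a real certificate format nor a secure key; it also walks through the two failure cases from the text: Eve signing a certificate in Trent's name, and a bribed Trent certifying Eve's key as Bob's.

```python
import hashlib

E = 65537
# Fixed primes, constructed for the demo (Mersenne primes); real keys use random primes.
M = {k: 2**k - 1 for k in (61, 89, 107, 127, 521, 607, 1279, 2203)}


def keypair(p, q):
    """Textbook RSA key pair as dicts: public {n, e}, private {n, d}."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


NNA_PUB, NNA_PRIV = keypair(M[61], M[89])        # the National Notary Association
TRENT_PUB, TRENT_PRIV = keypair(M[107], M[127])  # Bob's notary
BOB_PUB, _BOB_PRIV = keypair(M[521], M[607])
EVE_PUB, EVE_PRIV = keypair(M[1279], M[2203])    # Eve's own key pair


def _digest(body):
    """128-bit truncated SHA-256 over a canonical rendering of the certificate fields."""
    canonical = "|".join(f"{k}={body[k]}" for k in sorted(body)).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest()[:16], "big")


def issue(subject, subject_pub, issuer, issuer_priv):
    """Create a certificate: subject name plus subject public key, signed by the issuer."""
    body = {"subject": subject, "n": subject_pub["n"], "e": subject_pub["e"], "issuer": issuer}
    return {**body, "sig": pow(_digest(body), issuer_priv["d"], issuer_priv["n"])}


def signed_by(cert, issuer_pub):
    """Check the certificate's signature with the public key claimed to be the issuer's."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    return pow(cert["sig"], issuer_pub["e"], issuer_pub["n"]) == _digest(body)


def verify_chain(chain, trusted):
    """chain[0] is the certificate Alice wants to use; each later certificate carries the
    public key of the previous one's issuer; the last one must be signed by a key in
    `trusted` (name -> public key, e.g. the NNA key Alice fetched from her own notary).
    Returns the verified public key of chain[0], or None if any link fails."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return None
        if not signed_by(cert, {"n": parent["n"], "e": parent["e"]}):
            return None
    last = chain[-1]
    anchor = trusted.get(last["issuer"])
    if anchor is None or not signed_by(last, anchor):
        return None
    return {"n": chain[0]["n"], "e": chain[0]["e"]}


def demo():
    trusted = {"NNA": NNA_PUB}  # the only key Alice obtained in person
    trent_cert = issue("Trent", TRENT_PUB, "NNA", NNA_PRIV)
    bob_cert = issue("Bob", BOB_PUB, "Trent", TRENT_PRIV)
    # Eve without a bribe: a 'Bob' certificate signed with her own key in Trent's name.
    eve_forgery = issue("Bob", EVE_PUB, "Trent", EVE_PRIV)
    # A bribed Trent: a genuine-looking 'Bob' certificate that really holds Eve's key.
    bribed_cert = issue("Bob", EVE_PUB, "Trent", TRENT_PRIV)
    return {
        "honest_chain": verify_chain([bob_cert, trent_cert], trusted) == BOB_PUB,
        "forgery_rejected": verify_chain([eve_forgery, trent_cert], trusted) is None,
        "bribed_notary_accepted": verify_chain([bribed_cert, trent_cert], trusted) == EVE_PUB,
        "unknown_root_rejected": verify_chain([bob_cert], trusted) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The bribed-notary case validates exactly like the honest one; that is the point the text makes about trusting every link in the chain.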

When to trust a certificate

By trusting the government agency that issued the certificate for the NNA, Alice also trusts that the NNA itself is doing the right thing when issuing certificates for their representatives. She trusts that the NNA would not issue a certificate for a representative who could be bribed, and that these representatives would not certify notaries that could be bribed.

It is therefore recommended that trusted third parties make clear policies that indicate when and how they issue certificates and what those certificates mean. For example, a certificate that was issued based on a request by e-mail is probably less trustworthy than a certificate that was issued based on a personal visit during which two separate forms of ID were presented. However, this first certificate might be trustworthy enough if all you're doing is authenticating people posting to your Web based discussion board.
Trusting a certificate and trusting its owner

See also
  Safely secured - when is a security program to be trusted

Some systems distinguish between "trust" and "validity". If Alice thinks a certificate is valid, it means that she accepts that the information in the certificate is genuine. In other words, she is sure that the public key in that certificate really belongs to the person whose name is in the certificate. She then knows that any messages with correct digital signatures are really from the person mentioned in the certificate.

If Alice trusts the certificate, it means she thinks the person in that certificate is capable of creating valid certificates for others. If Bob were to create certificates without doing any checks, Alice would probably not consider those certificates valid.

In the above example, Alice first decides for herself that the certificate for the NNA she picked up at her local notary is valid. She then makes the decision that she will automatically trust all the certificates issued by the NNA for the representatives. Alice could then say that she puts no trust in the certificate for representative Eve. This means that she would not trust any certificates created by Eve. However, if Alice received a message that was signed by Eve, Alice would be sure that this message really came from Eve, because she can verify the signature using the trusted certificate for Eve issued by the NNA.

Crash course on cryptography: Digital signatures

In this document
  The basic principle
  How digital signatures work

Public key cryptography is not only used to protect messages. An important application is the creation and checking of so-called digital signatures. Digital signatures are coupled to the electronic document to which they apply. This coupling is established using public-key cryptography and so-called cryptographic hash functions.

The basic principle

In public key cryptography, anything Alice encrypts with Bob's public key can be decrypted by Bob with the corresponding private key. Alice can also encrypt a message with her private key, which means that Bob can decrypt it with Alice's public key. Since the public key is, as the name suggests, publicly available, this is not a very good idea if Alice wants to keep that message a secret. Eve can also simply obtain a copy of Alice's public key and thus also decrypt the message.

But because Alice keeps her private key to herself, Bob knows that only Alice could have encrypted this message. Bob can now be sure that this message was written by Alice. A signature on a paper message serves as proof that this message was written by the person who signed it. Encrypting with a private key thus can be regarded as an equivalent to placing one's signature on the message. This is why this is called creating a digital signature for the message.

If Alice wants to keep the message a secret that only Bob is allowed to learn, she of course then simply encrypts the digitally signed message with Bob's public key. Bob first decrypts the message with his own private key and then decrypts the result with Alice's public key. He now knows that no one else could have read the message (because it was encrypted using his public key) and that no one but Alice could have written this message (because it was encrypted using her private key).

How digital signatures work

Digitally signing large messages takes a long time, just like encrypting large messages with someone's public key. Just like with public key encryption, placing a digital signature therefore involves an extra step. First a summary of the message is computed, and then this summary is signed.

Cryptographic hash functions

The summary is generated using so-called cryptographic hash functions. A cryptographic hash function can transform input of an arbitrary length to an output of a certain number of bits, typically 128 or 160 bits. The output is called the hash value. Well-known hash functions are MD5 and SHA-1, although many more exist.

A very simple example of a hash function is to simply add up the position in the alphabet of all the characters in the message. For example, the message "ape" would give as output 22 (1 plus 16 plus 5).

Since the hash value is usually shorter than the message itself, this makes it easier and faster to compare two messages or to find a particular message in a table. For example, it is common in database management systems to compute the hash value of all the names in a database with information on people. To determine whether a particular person occurs in the database, the hash value of his name is computed and compared against the hash values of all the names. This is much faster than comparing the name itself against all the names in the database, because the hash value is a number of a fixed length. Names can be many characters long and each character has many more possibilities than just 0-9.

Hash functions should have two properties:

1. Given a particular output, it should be difficult to find a message that has that particular output (for cryptographers this means the hash function is "one-way").
2. Given two messages, the chance that they have the same hash value should be small (cryptographers refer to this as "collision-free").

If a particular hash function has these properties, it is called a cryptographic hash function. It is now possible to use the hash value of a message instead of the message itself.

The simple example given above does not have these properties. There are many messages that have the hash value 22. And furthermore, it is quite easy to find another message that also has this hash value.
Cyclic Redundancy Check functions

So-called CRC (Cyclic Redundancy Check) functions are often used to check the integrity of a message. The output of a CRC function is normally called the checksum of the message. CRC functions are designed to help detect errors in the message that occurred during transmission. If a disruption on the communication channel changed one of the bits of the message, the checksum of the resulting message will be different. A checksum thus can be seen as the hash of a message.

However, CRC functions are not as strong as cryptographic hash functions. They produce short checksums, typically 32 bits (4 characters), which means that the chance that two messages have the same checksum is quite real. Furthermore, with longer messages it is easily possible to modify the message without affecting the checksum. Sometimes it is sufficient to simply append a certain number of spaces to the end of the modified message to make sure that the result has the same checksum as the original message.

Cryptographic hash functions and digital signatures

Hash functions can be used to determine whether a message has been modified. Alice computes the hash value of the message she wants to send to Bob and sends the hash value of the message together with the message to Bob. Bob computes the hash value of the message he receives, and compares it against the hash value he received from Alice. If these two hash values are the same, Bob knows that the message was not modified. After all, the second property of the hash function says that the chance that the modified message has the same hash value as the original message is very small.

Eve can now no longer just modify the message without Bob noticing this. However, Eve can modify the message and compute the hash value of the modified message. She can then replace the hash value that Alice sent with the hash value she computed. Bob will then think that the message was not modified, because the message he received has the same hash value as the one he got from Alice. But Bob has no way to know that he did not get that hash value from Alice.

Of course this is where digital signatures come in. After computing the hash value of the message she wants to send, Alice digitally signs this hash value and sends the result (the digital signature of the message) to Bob. Bob then decrypts the digital signature using Alice's public key. He compares the result with the hash value he computed for the message he received and so determines whether the message was modified. If everything checks out, Bob knows that this message really came from Alice and it was not modified.

Because Eve does not have Alice's private key, she is no longer able to replace the hash value that Alice signed with the hash value of the modified message. And it is next to impossible for Eve to modify the message in such a way that the hash value remains the same. Because of the first property of the hash function, it is difficult for Eve to find another message that has the same hash value. And even if she manages to find one, the chance that this other message is even remotely the same as the original message from Alice is extremely small.

An important reason for using a cryptographic hash function is that the message remains in unencrypted form. Furthermore, the (digitally signed) hash value can now be transmitted and stored invisible to the user, for example as part of the headers of an e-mail message or encapsulated using the well-known MIME standard. The digital signature can also be transmitted over an entirely separate channel. Alice could publish the digital signature of a message in a newspaper. This way, she could later prove that she had a copy of this message on the date of publication of this newspaper without having to reveal the message. This can be useful for example if Alice had to prove that she wrote a particular message and did not infringe on somebody else's copyright.
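
The alphabet-sum hash from the section on cryptographic hash functions and the hash-then-sign scheme just described, as one added Python example that is not part of the original crash course. The RSA key is built from two fixed, publicly known Mersenne primes and the SHA-256 digest is truncated to fit that small modulus; both are constructed for illustration only and give no real security.

```python
import hashlib
import itertools
import string


def alphabet_sum_hash(message):
    """The page's toy hash: add up the alphabet positions of the letters ("ape" -> 22)."""
    return sum(string.ascii_lowercase.index(ch) + 1
               for ch in message.lower() if ch in string.ascii_lowercase)


def find_preimages(target, max_len=2, limit=5):
    """Show why the toy hash is neither one-way nor collision-free: list the first
    few words (over lower-case letters) that have a given hash value."""
    found = []
    for length in range(1, max_len + 1):
        for letters in itertools.product(string.ascii_lowercase, repeat=length):
            word = "".join(letters)
            if alphabet_sum_hash(word) == target:
                found.append(word)
                if len(found) == limit:
                    return found
    return found


# Alice's key: fixed primes 2**61-1 and 2**89-1, constructed for the demo; a real key
# uses large random primes.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Alice's private exponent


def digest(message):
    """SHA-256 of the message, truncated to 128 bits so it is smaller than the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def hash_only_check(received_message, received_hash):
    """Bob's check when Alice sends only the (unsigned) hash along with the message."""
    return digest(received_message) == received_hash


def sign(message, d=D, n=N):
    """Alice: hash the message, then 'encrypt' the hash with her private key."""
    return pow(digest(message), d, n)


def verify(message, signature, e=E, n=N):
    """Bob: 'decrypt' the signature with Alice's public key and compare the result with
    the hash he computes himself for the message he received."""
    return pow(signature, e, n) == digest(message)


def demo():
    message = b"Pay Bob 100 euro. -- Alice"   # constructed sample
    tampered = b"Pay Eve 100 euro. -- Alice"  # Eve's modified version
    signature = sign(message)
    # Without a signature Eve simply sends the hash of her own message; Bob cannot tell.
    eve_hash = digest(tampered)
    return {
        "ape_hash": alphabet_sum_hash("ape"),
        "other_messages_with_hash_22": find_preimages(22),
        "genuine_message_verifies": verify(message, signature),
        "hash_only_check_fooled": hash_only_check(tampered, eve_hash),
        "tampered_message_verifies": verify(tampered, signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```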

Applications of digital signatures

See also
  Digitale handtekening rechtsgeldig ("Digital signature legally valid", in Dutch)

Digital signatures offer many applications other than signing messages such as e-mail. A digital signature can be created for any kind of file. The digital signature then can be used as proof that the file was not modified after the digital signature was created. It can also be used to make the file unique, for example by appending a serial number to the file and signing the result.

Authenticating Web servers

Using public key cryptography a Web
browser and server can communicate
with each other securely. The browser
can encrypt a session key using the
public key of the server and send it to
the server.

In this application the Web browser
typically obtains a copy of the public
key of the server by requesting a
certificate containing this public key
from the server. This certificate has
been signed by some trusted third
party. The public key of this trusted
third party has been programmed into
the Web browser beforehand. Using
this public key the browser can
determine that the certificate is
authentic. The browser then knows it
has the right public key.

Electronic money (digital cash)

See also

Electronic payment techniques

Making files unique with digital
signatures is the basis of digital cash
(electronic money). Alice the banker
creates electronic banknotes of
various denominations and puts a
unique number on every banknote.
She signs the result. Bob the client
now makes a withdrawal from his
account with Alice and receives some
of the signed banknotes. The
banknotes can be anonymous or
include Bob's name. Bob then goes to
Charlie's electronic hardware store
and purchases a digital camera using
these banknotes as payment. Charlie
verifies that the banknotes bear
Alice's signature and so knows that
they are not counterfeit.
Bob could of course make as many
copies of the signed banknotes as he
wants, since the banknotes are in
electronic form. Charlie therefore now
has to go to Alice and report to her the
unique number on the banknote he
received. Alice will then record that
number as "spent" and indicate to
Charlie that the transaction is okay. If
the number was already recorded as
"spent", Alice will reject the
transaction. If the transaction is okay,
the amount indicated on the
banknotes is credited to Charlie's
account.
This system has many advantages
over traditional payment techniques.
Alice can create banknotes of any
denomination, including for example
millicents (0.001 cents). This way for
example an electronic archive could
charge one millicent for every
document Bob requests, and Bob
could pay that without having to take
a subscription or make a deposit in
advance.
One disadvantage of this system is
that it requires Charlie to immediately
check with Alice whether the
banknote he received is still valid. If Charlie waits
even a few minutes, Bob can spend
the banknote again at Dave's. Then
either Charlie or Dave is not going to
get his money.
This principle is currently used for
electronic coupons. As a coupon is
less valuable than a banknote, the risk
of double spending a coupon appears
to be acceptable. Furthermore,
coupons are usually only valid at one
particular store.

Timestamping services

The insight that the digital signature
of a message can be handled totally
separate from the message itself has
given rise to several interesting new
applications. It is now possible for
example to offer a digital
timestamping service. This basically
works just like the above example of
publishing a digital signature in a
newspaper. Alice now sends the
document she wants timestamped to a
timestamping server. The server
computes the hash value of Alice's
document, adds the current date and
time and digitally signs the result (the
"timestamp"). The timestamp is then
published for example on the Web site
of the timestamping service.
From that moment on anyone can
verify that that particular document
existed at the time indicated by the
timestamping server. Because the
hash value contained in the
timestamp is for all practical purposes
unique for that document, it is not
possible for Alice to re-date a later
document by appending the
timestamp of the original.
It is of course possible for the
timestamping server to generate
timestamps with any date and time.
Alice could bribe the operator of the
server to generate a timestamp that is
one year in the past, for example. A
simple trick to make this impossible is
to assign a sequence number to every
timestamp. The first timestamp gets
the number 1, the second gets the
number 2, and so on. This way it is
not possible to insert a later
timestamp between two earlier ones,
because there is no sequence number
available.
The operator of the timestamping
server could now simply remove one
of the other timestamps and replace it
by the one Alice gave him. As long as
nobody notices that a timestamp went
missing or changed, he can get away
with this. By inserting a sequence
number and the hash value of the
previous timestamp this also becomes
impossible. If the operator replaced
the fourth timestamp with something
else, the hash value for the fourth
timestamp contained in the fifth
timestamp is no longer correct. The
operator could then of course also
replace the fifth timestamp, but then
the sixth timestamp and all the other
timestamps also have to be replaced.
While it is of course possible for the
operator to replace all timestamps in
order to insert one forged one, the
chance that somebody will notice is of
course much bigger. To increase the
security of the system the server could
regularly publish some of the
timestamps in a location where it can
no longer be modified. For example,
every Sunday the most recent
timestamp could be published in the
New York Times. Or the server could
make a document listing the last 100
timestamps and timestamp that one.
This "super-timestamp" could then
be published in a newspaper, or
maybe sent to another timestamping
server operated by a different entity.
This way Alice would have to bribe
different persons.
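The linked timestamp log described in this section, as an added example that is not part of the original page. Each timestamp carries a sequence number, the document's hash, the time and the hash of the previous timestamp; the scenario of a bribed operator swapping the fourth entry is played out, and the "published in the newspaper" check is modelled by remembering the hash of the most recent timestamp. The document hashes, times and the server's digital signature are not modelled; the five documents are constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64   # stands in for "no previous timestamp"


def hash_entry(entry: dict) -> str:
    """Hash of one timestamp: sequence number, document hash, time and the
    hash of the previous timestamp, serialised in a fixed order."""
    fields = {k: entry[k] for k in ("seq", "document", "time", "prev")}
    data = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def make_chain(doc_hashes, start=datetime(2001, 1, 1, tzinfo=timezone.utc)):
    """The server's log: each entry links to its predecessor, so a later
    timestamp cannot be slipped in between two earlier ones."""
    chain, prev = [], GENESIS
    for seq, doc_hash in enumerate(doc_hashes, start=1):
        entry = {"seq": seq, "document": doc_hash,
                 "time": (start + timedelta(minutes=seq)).isoformat(),
                 "prev": prev}
        entry["hash"] = hash_entry(entry)
        chain.append(entry)
        prev = entry["hash"]
    return chain


def first_broken_link(chain):
    """Sequence number of the first timestamp whose sequence number, link
    to its predecessor or own hash does not check out; None if intact."""
    expected_prev = GENESIS
    for seq, entry in enumerate(chain, start=1):
        if (entry["seq"] != seq or entry["prev"] != expected_prev
                or entry["hash"] != hash_entry(entry)):
            return seq
        expected_prev = entry["hash"]
    return None


def forge_entry(chain, seq, new_doc_hash):
    """A bribed operator swaps the document in timestamp `seq`, keeps its
    original time and recomputes only that entry's own hash."""
    forged = [dict(e) for e in chain]
    forged[seq - 1]["document"] = new_doc_hash
    forged[seq - 1]["hash"] = hash_entry(forged[seq - 1])
    return forged


def relink(chain):
    """To hide the swap the operator must recompute every later link, which
    also changes the hash of the most recent timestamp."""
    relinked, prev = [dict(e) for e in chain], GENESIS
    for e in relinked:
        e["prev"] = prev
        e["hash"] = hash_entry(e)
        prev = e["hash"]
    return relinked


# Constructed sample: hashes of five documents submitted in this order.
DOCUMENT_HASHES = [hashlib.sha256(d).hexdigest() for d in (
    b"Alice's thesis, draft 1", b"Bob's patent application",
    b"Charlie's business plan", b"Dave's song lyrics", b"Eve's cookbook")]


def demo() -> tuple:
    chain = make_chain(DOCUMENT_HASHES)
    published = chain[-1]["hash"]          # "printed in Sunday's newspaper"
    backdated = hashlib.sha256(b"Alice's thesis, final version").hexdigest()
    forged = forge_entry(chain, 4, backdated)
    relinked = relink(forged)
    return (first_broken_link(chain),          # None: intact
            first_broken_link(forged),         # 5: fifth entry's link is wrong
            first_broken_link(relinked),       # None: internally consistent...
            relinked[-1]["hash"] == published)  # ...but disagrees with the paper
```

The last two values are the point of the passage: an operator who rewrites the whole chain produces a log that passes every internal check, and only the copy published where he cannot change it (here, the remembered hash) reveals the rewrite.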

Signed computer programs

See also

Java versus ActiveX (in Dutch)
Safely secured - when is a security program
to be trusted

Digital signatures can also be used to
authenticate software applications.
The manufacturer of a computer
program can generate a digital
signature for the executable. When a
user downloads the program, he can
verify that the digital signature is
correct. He then knows that this
program was really made by that
particular manufacturer. If he trusts
that manufacturer, he can safely
install the application. The
manufacturer of course promises that
the application will not do anything
malicious.
The source code of many open source
software programs is distributed
together with the digital signature of
the author(s). This way the recipients
can check that they have not been
modified by anyone else. For instance
everyone can verify the authenticity of
the Linux kernel by checking whether
it was properly signed by Linus
Torvalds.
ActiveX controls (more or less
comparable to Java applets, but based
on a Microsoft standard) are digitally
signed. Microsoft's Internet Explorer
checks the digital signature using a
Microsoft public key installed in the
browser. The control is only executed
if the digital signature is authentic. If
the signature does not check out, or
the browser security level is set to
high, the user will be asked to confirm
execution.
Unfortunately it appears to be difficult
to properly sign ActiveX controls so
that all users can verify that the
signature is authentic. This has led to
the practice of telling users in the
installation manual or on the web
page containing the control to simply
press "Yes" whenever Internet
Explorer says anything about the
digital signature. This makes it of
course very easy for a hacker to
replace the ActiveX control with
anything he desires. Although the
digital signature will not check out,
the user will simply follow the manual
and click "Yes" anyway.

More recently suggestions have been
made to extend this application to
hardware as well. The CPU in a PC
would check the digital signature on
the operating system or on
applications to be executed. If the
digital signature does not check out,
or it was not created by an authorized
manufacturer, the CPU refuses to
execute the operating system or
program. It is unclear at the time of
writing whether the owner of the PC
in question will be able to indicate
who are authorized manufacturers.

Crash course on
cryptography:
Secret key cryptography

In this document

The basic principle
How secret key cryptography works
Applications of secret key cryptography

See also

Crash course: Security aspects of cryptographic
systems
Crash course: Digital certificates
Crash course: Digital signatures
Crash course: Introduction
Crash course: Public key cryptography

Secret key cryptography uses a single key
which both parties (usually named Alice and
Bob) must know. They must keep this
key a secret (hence the name) from an
eavesdropper (named Eve), otherwise Eve
will be able to decrypt any messages
encrypted using that key.

Alice uses a secret key encryption scheme
(or cryptographic algorithm) to transform a
message into something resembling random
noise. The scheme may be publicly known.
The security of the system comes from the
secret key that Alice uses. The
transformation can only be undone by Bob
and Alice herself, since only they know the
secret key.

The basic principle

Encryption and decryption
using a secret key

To secretly communicate with Bob, Alice
encrypts her messages before sending them.
There are many techniques (cryptographic
algorithms) that she can use. All these
algorithms have in common that they can
transform a message using a key into
something that resembles random noise.
This is called encrypting the message.
Only the persons who know the key can
transform the random noise back into the
original message, or in other words, decrypt
the message. This means that those
persons must keep this key a secret, hence
the name secret key cryptography.

How to get the key to the
recipient

A fundamental problem with secret key
encryption is that somehow the secret key
has to be delivered to the recipient of the
message in a secure way. Once that key has
been securely delivered, other keys can be
delivered by simply encrypting them with
that first key. One way to solve this problem
is to have Alice and Bob meet in person so
they can agree on a key. They must make
sure that Eve is not listening in on them,
otherwise Eve also learns the key. This
applies especially if Alice and Bob agree on a
key via telephone or e-mail. Of course Bob
must also be able to distinguish Alice and
Eve if they meet for the first time (for Alice it
shouldn't be a problem to tell Bob from Eve).
If Alice and Bob can not meet in private to
agree on the key, it is very difficult for them
to use secret key cryptography. If they simply
agree on a key by e-mail for example, Eve
could be listening in on their e-mail
conversation and thus also learn what the
key is. If Alice and Bob had a secure channel
that Eve could not tap, they could use that
channel to agree on a secret key. However,
then they could also use the secure channel
to simply transmit their messages.
This problem is solved by using public key
cryptography, which is discussed in the next
chapter.

How secret key
cryptography works

Secret key cryptography transforms
(scrambles) a message into something
resembling random noise. The precise
transformation is determined by the key.
Mathematically seen, a cryptographic
algorithm is a function that maps a message
onto a ciphertext (an encrypted message). By
using keys, it is possible to encrypt many
different messages using one particular
cryptographic algorithm in different ways.
And keeping the key a secret is much easier
than keeping a complete algorithm a secret.
Some cryptographic algorithms operate on
single characters of the message. These are
called stream ciphers. Others operate on
entire blocks, and therefore are called block
ciphers. Stream ciphers are easier to
implement in hardware than block ciphers,
and they are also generally faster. Block
ciphers tend to be harder to crack.
See also

The DES encryption algorithm
Encrypting using XOR and a password

Popular cryptographic algorithms are DES,
3-DES, IDEA, Blowfish and recently also the
Advanced Encryption Standard (AES).

An example of a secret key
cryptographic system

A very simple technique to encrypt messages
is to replace every letter of the message with
one that is a certain number of positions
further in the alphabet. The key then is the
number of positions. For example, the
message "This is an example" can be
encrypted using the key "1 position" into the
encrypted message "Uijt jt bo fybnqmf".
Taking the letter that is 1 position previous in
the alphabet results in the original message
again.

This system is of course not very secure.
There are only twenty-six possible keys. Eve
can simply try out all the keys to see which
one results in a readable message.
Furthermore, it is a well-known fact that
certain letters occur more often in messages
than others. The letter "e" is the most
frequently used letter in the English
language, for example. Using this fact Eve
can simply count which letter occurs the
most often in the encrypted message and
replace that one with the letter "e". She then
knows how many positions she has to rotate
to get from "e" to the encrypted version of
"e" and thus she immediately knows the key.
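The alphabet-shifting cipher and both of Eve's attacks on it, as an added example that is not part of the original page. The `shift` helper implements the cipher for any key (the page's key "1 position" and the 13-position key of the ROT13 convention discussed later are both just values of `key`); `brute_force` tries all 26 keys and keeps the one whose output contains the most common English words, and `frequency_guess` applies the "most frequent letter is e" observation directly. The longer sample sentence, the key 7 and the small word list are constructed for this illustration.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase


def shift(text: str, key: int) -> str:
    """Move every ASCII letter `key` positions along the alphabet, wrapping
    around; case is kept and other characters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(text: str, key: int) -> str:
    return shift(text, key)


def decrypt(text: str, key: int) -> str:
    return shift(text, -key)


# Eve's first attack: only 26 keys exist, so decrypt under each one and keep
# the key whose output contains the most common English words.
COMMON_WORDS = {"the", "and", "is", "an", "to", "of", "in", "this", "that"}


def brute_force(ciphertext: str) -> int:
    def score(candidate: str) -> int:
        return sum(w.strip(".,!?") in COMMON_WORDS
                   for w in candidate.lower().split())
    return max(range(26), key=lambda k: score(decrypt(ciphertext, k)))


# Eve's second attack: count letters; in English text the most frequent one
# is almost always "e", and its distance from "e" is the key.
def frequency_guess(ciphertext: str) -> int:
    counts = Counter(c for c in ciphertext.lower() if c in ALPHABET)
    most_common = counts.most_common(1)[0][0]
    return (ord(most_common) - ord("e")) % 26


# Constructed sample message, long enough for letter statistics to work.
SAMPLE = ("This is an example of the kind of message that Eve can read "
          "without the key")
SAMPLE_KEY = 7
CIPHERTEXT = encrypt(SAMPLE, SAMPLE_KEY)

if __name__ == "__main__":
    print(encrypt("This is an example", 1))   # Uijt jt bo fybnqmf
    print(brute_force(CIPHERTEXT), frequency_guess(CIPHERTEXT))   # 7 7
```

The frequency attack needs no trial decryption at all, which is why it scales to ciphers with far more than 26 keys as long as each letter is always replaced by the same other letter.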

One-time pads

In principle, all cryptographic systems can be
broken. At the very least, Eve can try out all
different keys until she finds one that
successfully decrypts the message. Eve might
also be able to break one of the mathematical
principles behind the cryptographic
algorithm that Alice and Bob use. For
example, some cryptographic systems
assume that it is very difficult to divide a
number into its prime factors. Eve might
find a quick way to do this. This then enables
Eve to read Alice and Bob's messages or to
recover their keys.
There is one cryptographic algorithm that
cannot be broken. This algorithm is called
the one-time pad (OTP). According to this
algorithm, Alice generates a very large
sequence of random numbers. The numbers
in the sequence serve as the key. The
sequence is called the "pad". Alice
communicates the sequence to Bob in a
secure way, so that Eve cannot obtain a copy
of the key.
Every character in the message that Alice
wants to send to Bob is encrypted with a
different number in the sequence. In practice
this means that the first character of the
message will be encrypted with the first
number in the sequence, the second
character with the second number, and so
on. When Bob receives the encrypted
message, he takes out his copy of the
sequence and simply decrypts the first
character with the first number in the
sequence, the second character with the
second number, and so on.
Because every character of the message is
encrypted with a different key, there is
nothing Eve can do to guess the key. Even if
she knew that the first words of the message
were "Dear Bob", she could not use this
information to recover the key of other
words in the message. Every number is
chosen randomly, so Eve has no way to know
which number is the right one, even if Eve
knew how to decrypt all other characters.
It is absolutely essential that every number
in the sequence is chosen randomly and is
only used once. If Eve can recover some of
the numbers in the sequence and use those
to predict other numbers, she can eventually
reconstruct the entire sequence and thereby
decrypt the message. For this reason it is not
a good idea to use a random number
generator implemented in software. Those
generators are unable to generate really
random numbers. They use a mathematical
function that generates a set of numbers that
appears to be random. But if you know the
mathematical function and the number that
it last generated, you can immediately
compute the next "random" number.
To achieve this unbreakability, Alice and Bob
must have very large sequences that contain
only really random numbers. This makes an
OTP very difficult to manage. It is said to
have been used for the "hotline" between
Washington and Moscow during the Cold
War. In a case like that, it is practical to send
couriers carrying suitcases chained to their
arms to securely transmit the pad.
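The one-time pad in code, as an added example that is not part of the original page. The "random numbers" of the text are here random bytes, drawn from the operating system's randomness source rather than a software generator, and "encrypting a character with a number" is the XOR of a message byte with its pad byte. The example also plays out the two rules the text insists on: the pad is consumed in order and never past its end, and using the same pad bytes twice lets Eve combine the two ciphertexts and read one message from a known piece of the other. Messages and pad size are constructed for this illustration.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Alice's pad: bytes from the operating system's randomness source,
    not from a software pseudo-random generator whose next output can be
    computed from its last one."""
    return os.urandom(length)


def encrypt(message: bytes, pad: bytes, offset: int) -> bytes:
    """Each message byte is combined with its own pad byte, starting at
    `offset`; the caller advances the offset so no pad byte is used twice."""
    if offset + len(message) > len(pad):
        raise ValueError("pad exhausted; never reuse pad material")
    return xor_bytes(message, pad[offset:offset + len(message)])


decrypt = encrypt   # XOR undoes itself, so Bob runs the same operation


def reuse_exposes(c1: bytes, c2: bytes, known_m1_prefix: bytes) -> bytes:
    """Why 'only used once' matters: if two ciphertexts share pad bytes,
    c1 XOR c2 equals m1 XOR m2, and a known piece of m1 (such as the
    greeting 'Dear Bob') reveals the corresponding piece of m2."""
    n = len(known_m1_prefix)
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_m1_prefix)


def pad_exhaustion_detected() -> bool:
    """Running off the end of the pad must fail loudly, not wrap around."""
    try:
        encrypt(b"abc", b"\x00\x00", 0)
    except ValueError:
        return True
    return False


def demo() -> tuple:
    """Constructed scenario with two messages and one 128-byte pad."""
    m1 = b"Dear Bob, the meeting is at noon."
    m2 = b"Dear Bob, please pay the invoice."
    pad = generate_pad(128)
    known = b"Dear Bob, the meeting"        # what Eve guesses about m1

    # Correct use: disjoint pad segments, so each pad byte is used once.
    c1 = encrypt(m1, pad, 0)
    c2 = encrypt(m2, pad, len(m1))
    roundtrip = decrypt(c1, pad, 0) == m1 and decrypt(c2, pad, len(m1)) == m2
    # Knowing the start of m1 tells Eve nothing about m2 here.
    no_leak = reuse_exposes(c1, c2, known) == m2[:len(known)]

    # Misuse: the same pad segment for both messages ("two-time pad").
    c2_bad = encrypt(m2, pad, 0)
    leaked = reuse_exposes(c1, c2_bad, known)
    return roundtrip, no_leak, leaked


if __name__ == "__main__":
    print(demo())   # (True, False, b'Dear Bob, please pay ')
```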

Applications of secret key
cryptography

Secret key encryption is most often used to
encrypt data to be stored on a particular
location. If the encrypted data has to be
transmitted, there always is the problem of
how to get the secret key to the recipient in a
safe way. Usually the key is encrypted using
public key encryption so it can be
transmitted safely.

Hiding spoilers

Even though it is not secure, the simple
alphabet shifting system is still in use on the
Internet. It is used to hide "spoilers"
(revealing plot twists in movies or books)
and potentially offensive messages from
unsuspecting readers. Such messages are
encrypted using the key "13 positions".
Anyone can thus decrypt the message by
simply taking the letter that is 13 positions
previous in the alphabet. However, this
requires some active step by the reader, and
so he should then not be surprised or upset if
the decrypted message reveals something
about the plot of a movie he wanted to see.
This system is commonly known as "ROT13".

Encrypting the contents of
hard disks

Using secret key encryption Alice can
encrypt her entire hard disk so the data on it
is safe if the disk (or laptop containing it) is
ever stolen. Disk encryption programs exist
that can encrypt and decrypt data as it is
being written and read to and from the hard
disk. This way Alice does not notice that her
data is stored encrypted, except for the fact
that disk access might be a bit slower. Once
she turns off her computer, it is not possible
anymore for Eve to read the data.

Protecting pay TV
transmissions

Secret key encryption and smart cards are
used for example in pay TV applications.
Sometimes this is referred to as "conditional
access" television. Television programs
(usually premium movies, football or soccer
matches and adult content) are encrypted
using a secret key. To make it difficult for
Eve to obtain this key, the secret key is
changed every few minutes or sometimes
even every few seconds. This way, even if Eve
can successfully use a brute force attack to
guess the key, she only has a very small
portion of the television program. Alice has a
set-top box and a smart card that allows her
to decrypt the television programs. The set-top box passes the decrypted television
program on to the television. Originally these
boxes were designed to be placed on top of
the television set, hence the name.
Special messages, called Entitlement Control
Messages (ECMs), are sent along with the
program. These messages contain the secret
keys. Of course the ECMs themselves are
also encrypted, this time using a key stored
on the smart card. Alice's set-top box
receives the ECMs and passes them on to the
smart card. The smart card decrypts the
ECMs and extracts the secret keys contained
therein. This allows the set-top box to
decrypt the television program.
The keys needed to decrypt the ECMs can be
programmed on the smart card in advance.
By regularly changing these keys, Alice is
forced to purchase a new smart card every
month or so. If Eve manages to make a copy
of the smart card, or to extract the keys from
it, she will only be able to watch the
programs for the rest of that particular
month.
Another option is to regularly send out so-called Entitlement Management Messages
(EMMs) that contain the keys needed to
decrypt the ECMs. The EMMs themselves
are then encrypted with keys stored on the
smart card. The service provider then every
month simply sends out a new EMM. This
provides much greater flexibility, and Alice
does not have to go to the store every month.
Every smart card can now have a different
key. The service provider sends out different
EMMs for all the smart cards in the system.
Every EMM thus is readable only by one
smart card. If the service provider thinks a
particular smart card has been copied
illegally, he simply does not send out a new
EMM for that particular smart card.
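The three-level key hierarchy described in this section (card key, monthly key delivered by EMM, short-lived program key delivered by ECM), as an added example that is not part of the original page or of any real conditional-access system. The cipher is a toy stream cipher built from SHA-256, constructed here so the example runs with the standard library alone; it has no integrity check and a real system would use a vetted block cipher. Card identifiers, keys and the "frame" of program data are constructed. The scenario is the one the text ends on: the provider believes Bob's card has been copied and simply sends no EMM for it, so every copy of that card stops decrypting.

```python
import hashlib
import os

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key, nonce, counter) blocks XORed over the
    data. Constructed for this illustration only; it has no integrity check
    and a real system would use a vetted cipher such as AES."""
    out = bytearray()
    for pos in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + pos.to_bytes(4, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[pos:pos + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class SmartCard:
    """Holds the card key programmed in at manufacture and, after a valid
    EMM, this month's service key."""
    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.service_key = None

    def receive_emm(self, emm: bytes) -> None:
        self.service_key = unseal(self.card_key, emm)

    def decrypt_ecm(self, ecm: bytes):
        if self.service_key is None:       # no entitlement this month
            return None
        return unseal(self.service_key, ecm)


class Provider:
    def __init__(self, card_keys: dict):
        self.card_keys = card_keys          # card id -> card key
        self.service_key = None

    def new_month(self, revoked=()) -> dict:
        """Fresh service key, delivered in one EMM per entitled card. A card
        suspected of having been copied is simply left out."""
        self.service_key = os.urandom(32)
        return {cid: seal(key, self.service_key)
                for cid, key in self.card_keys.items() if cid not in revoked}

    def broadcast(self, frame: bytes) -> tuple:
        """Every few seconds: a new content key, sent in an ECM under the
        service key, while the program itself is encrypted under the
        content key."""
        content_key = os.urandom(32)
        return seal(self.service_key, content_key), seal(content_key, frame)


def set_top_box(card: SmartCard, ecm: bytes, encrypted_frame: bytes):
    """The box never sees the card key: it hands the ECM to the card and
    gets back only the short-lived content key."""
    content_key = card.decrypt_ecm(ecm)
    return None if content_key is None else unseal(content_key, encrypted_frame)


def demo() -> tuple:
    """Constructed scenario: Alice's card is entitled, Bob's card is believed
    to have been copied and receives no EMM; every copy of it goes dark."""
    card_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    provider = Provider(card_keys)
    cards = {"alice": SmartCard(card_keys["alice"]),
             "bob": SmartCard(card_keys["bob"])}

    emms = provider.new_month(revoked={"bob"})
    for cid, emm in emms.items():
        cards[cid].receive_emm(emm)

    frame = b"premium movie, first few seconds of picture"
    ecm, encrypted_frame = provider.broadcast(frame)
    return (set_top_box(cards["alice"], ecm, encrypted_frame) == frame,
            set_top_box(cards["bob"], ecm, encrypted_frame) == frame)
```

Because each `broadcast` call draws a fresh content key, an attacker who recovers one content key by brute force gets only the few seconds of program encrypted under it, which is the rotation argument made earlier in the section.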
