What is encryption?
Encryption is the transformation of data into a form
unreadable by anyone without a secret decryption key. Its purpose
is to ensure privacy by keeping the information hidden from anyone
for whom it is not intended, even those who can see the encrypted
data. For example, one may wish to encrypt files on a hard disk
to prevent an intruder from reading them.
In a multi-user setting, encryption allows secure
communication over an insecure channel. The general scenario is
as follows: Alice wishes to send a message to Bob so that no one
else besides Bob can read it. Alice encrypts the message, which
is called the plaintext, with an encryption key; the encrypted
message, called the ciphertext, is sent to Bob. Bob decrypts the
ciphertext with the decryption key and reads the message. An attacker,
Charlie, may either try to obtain the secret key or to recover
the plaintext without using the secret key. In a secure cryptosystem,
the plaintext cannot be recovered from the ciphertext except by
using the decryption key. In a symmetric cryptosystem, a single
key serves as both the encryption and decryption keys.
What is authentication? What is a digital signature?
Authentication in a digital setting is a process
whereby the receiver of a digital message can be confident of
the identity of the sender and/or the integrity of the message.
Authentication protocols can be based on either conventional secret-key
cryptosystems like DES or on public-key systems like RSA; authentication
in public-key systems uses digital signatures.
In this document, authentication will generally refer
to the use of digital signatures, which play a function for digital
documents similar to that played by handwritten signatures for
printed documents: the signature is an unforgeable piece of data
asserting that a named person wrote or otherwise agreed to the
document to which the signature is attached. The recipient, as
well as a third party, can verify both that the document did indeed
originate from the person whose signature is attached and that
the document has not been altered since it was signed. A secure
digital signature system thus consists of two parts: a method
of signing a document such that forgery is infeasible, and a method
of verifying that a signature was actually generated by whomever
it represents. Furthermore, secure digital signatures cannot be
repudiated; i.e., the signer of a document cannot later disown
it by claiming it was forged.
Unlike encryption, digital signatures are a recent
development, the need for which has arisen with the proliferation
of digital communications.
What is public-key cryptography?
Traditional cryptography is based on the sender and
receiver of a message knowing and using the same secret key: the
sender uses the secret key to encrypt the message, and the receiver
uses the same secret key to decrypt the message. This method is
known as secret-key cryptography. The main problem is getting
the sender and receiver to agree on the secret key without anyone
else finding out. If they are in separate physical locations,
they must trust a courier, or a phone system, or some other transmission
system to not disclose the secret key being communicated. Anyone
who overhears or intercepts the key in transit can later read
all messages encrypted using that key. The generation, transmission
and storage of keys is called key management; all cryptosystems
must deal with key management issues. Secret-key cryptography
often has difficulty providing secure key management.
Public-key cryptography was invented in 1976 by Whitfield
Diffie and Martin Hellman in order to solve the key management
problem. In the new system, each person gets a pair of keys, called
the public key and the private key. Each person's public key is
published while the private key is kept secret. The need for sender
and receiver to share secret information is eliminated: all communications
involve only public keys, and no private key is ever transmitted
or shared. No longer is it necessary to trust some communications
channel to be secure against eavesdropping or betrayal. Anyone
can send a confidential message just using public information,
but it can only be decrypted with a private key that is in the
sole possession of the intended recipient. Furthermore, public-key
cryptography can be used for authentication (digital signatures)
as well as for privacy (encryption).
Here's how it works for encryption: when Alice wishes
to send a message to Bob, she looks up Bob's public key in a directory,
uses it to encrypt the message and sends it off. Bob then uses
his private key to decrypt the message and read it. No one listening
in can decrypt the message. Anyone can send an encrypted message
to Bob but only Bob can read it. Clearly, one requirement is that
no one can figure out the private key from the corresponding public
Here's how it works for authentication: Alice, to
sign a message, does a computation involving both her private
key and the message itself; the output is called the digital signature
and is attached to the message, which is then sent. Bob, to verify
the signature, does some computation involving the message, the
purported signature, and Alice's public key. If the results properly
hold in a simple mathematical relation, the signature is verified
as genuine; otherwise, the signature may be fraudulent or the
message altered, and they are discarded.
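The sign-and-verify computation described above, as an added example that is not part of the original FAQ. It uses unpadded ("textbook") RSA over a SHA-256 digest, where the relation Bob checks is signature^e mod n = H(message). The key is constructed from two publicly known Mersenne primes and all function names are illustrative assumptions; deployed signature schemes use secret random primes and a padding scheme.

```python
import hashlib

# Constructed demo key: two publicly known Mersenne primes, so this key
# protects nothing. Real keys use secret, randomly generated primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # Alice's public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # Alice's private exponent

def digest_as_int(message: bytes) -> int:
    """Hash the message to an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Alice: a computation involving her private key and the message."""
    return pow(digest_as_int(message), d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Bob: check that signature^e mod n equals H(message)."""
    if not 0 < signature < n:
        return False                     # out-of-range values are rejected
    return pow(signature, e, n) == digest_as_int(message)

def demo() -> dict:
    msg = b"Pay Bob 100 dollars"         # constructed sample message
    sig = sign(msg)
    return {
        "genuine": verify(msg, sig),
        "altered_message": verify(b"Pay Bob 900 dollars", sig),
        "altered_signature": verify(msg, sig ^ 1),
    }

if __name__ == "__main__":
    print(demo())
```

Only the holder of D can produce a value that passes `verify`, while anyone holding (N, E) can run the check.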
What are the advantages and disadvantages of public-key cryptography
over secret-key cryptography?
The primary advantage of public-key cryptography
is increased security: the private keys never need to be transmitted
or revealed to anyone. In a secret-key system, by contrast, there
is always a chance that an enemy could discover the secret key
while it is being transmitted.
Another major advantage of public-key systems is
that they can provide a method for digital signatures. Authentication
via secret-key systems requires the sharing of some secret and
sometimes requires trust of a third party as well. A sender can
then repudiate a previously signed message by claiming that the
shared secret was somehow compromised by one of the parties sharing
the secret. For example, the Kerberos secret-key authentication
system involves a central database that keeps copies
of the secret keys of all users; a Kerberos-authenticated message
would most likely not be held legally binding, since an attack
on the database would allow widespread forgery. Public-key authentication,
on the other hand, prevents this type of repudiation; each user
has sole responsibility for protecting his or her private key.
This property of public-key authentication is often called
Furthermore, digitally signed messages can be proved
authentic to a third party, such as a judge, thus allowing such
messages to be legally binding. Secret-key authentication systems
such as Kerberos were designed to authenticate access to network
resources, rather than to authenticate documents, a task which
is better achieved via digital signatures.
A disadvantage of using public-key cryptography for
encryption is speed: there are popular secret-key encryption methods
which are significantly faster than any currently available public-key
encryption method. But public-key cryptography can share the burden
with secret-key cryptography to get the best of both worlds.
For encryption, the best solution is to combine public-
and secret-key systems in order to get both the security advantages
of public-key systems and the speed advantages of secret-key systems.
The public-key system can be used to encrypt a secret key which
is then used to encrypt the bulk of a file or message. This is
explained in more detail, in the case of RSA, in "How is RSA used
for encryption in practice?" Public-key cryptography is not meant
to replace secret-key cryptography, but rather to supplement it, to
make it more secure. The first use of public-key techniques
was for secure key exchange in an otherwise secret-key system; this is
still one of its primary functions.
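The combination described above, as an added example that is not part of the original FAQ: a fresh random session key encrypts the bulk data, and only that short key goes through the public-key operation. The unpadded RSA wrap, the SHA-256 counter keystream standing in for a real secret-key cipher, the constructed Mersenne-prime key and all function names are assumptions made so the example runs with the standard library alone.

```python
import hashlib
import secrets

# Constructed demo key for Bob (publicly known Mersenne primes; not secret).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # Bob's public key
D = pow(E, -1, (P - 1) * (Q - 1))        # Bob's private exponent

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in secret-key cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)

def hybrid_encrypt(plaintext: bytes, e: int = E, n: int = N):
    """Alice: fresh session key for the bulk data, RSA only for the key."""
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, keystream_xor(session_key, plaintext)

def hybrid_decrypt(wrapped_key: int, body: bytes,
                   d: int = D, n: int = N) -> bytes:
    """Bob: recover the session key with his private key, then the data."""
    session_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return keystream_xor(session_key, body)

if __name__ == "__main__":
    # Constructed sample message, long enough to span many keystream blocks.
    key, body = hybrid_encrypt(b"constructed sample message " * 40)
    print(len(body), hybrid_decrypt(key, body)[:27])
```

The public-key operation runs once per message regardless of its length; the per-byte work is all in the fast secret-key cipher.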
Secret-key cryptography remains extremely important
and is the subject of much ongoing study and research. Some secret-key
encryption systems are discussed in "What is DES?" and
"What are the alternatives to DES?"