Public-key infrastructure

While a comprehensive discussion of public-key cryptography is beyond the scope of this document, the basics are described here to give you an understanding of how SSL secures Internet communication channels.

Several mechanisms, known collectively as public-key cryptography, have been developed and implemented to protect sensitive data during transmission over the Internet. Public-key cryptography consists of encryption and decryption, digital signatures, and digital certificates.


Encryption and decryption

Encryption is a process wherein a cryptographic algorithm is used to encode information to safeguard it from anyone except the intended recipient. Decryption is the process of decoding the information. Encryption and decryption allow two communicating systems to disguise information they send to each other. The sender encrypts information before sending it, and the receiver decrypts the information after receiving it. While in transit, the encrypted information is unintelligible to an intruder, making it less prone to theft.

Public-key encryption involves a pair of keys—a public key and a private key—associated with an entity that needs to encrypt and decrypt data. The public key is published, and the corresponding private key is kept secret. Data encrypted with your public key can be decrypted only with your private key. The reverse is also true—data encrypted with your private key can be decrypted only with your public key.


Digital signatures

Digital signatures are used for tamper detection and nonrepudiation. Digital signatures are created using a mathematical algorithm that generates a unique, fixed-length string of numbers from a text message; the result is called a hash or message digest. To ensure message integrity, the message digest is encrypted by the signer’s private key, then sent to the recipient along with the message and information about the hashing algorithm. The recipient decrypts the encrypted digest with the signer’s public key, which recovers the original message digest, and computes a new digest from the received message using the same hashing algorithm. If the digests match, the message proves to be intact and tamper free. If they do not match, the data has either been modified in transit, or the data was signed by an imposter.

Further, the digital signature provides nonrepudiation: senders cannot deny, or repudiate, that they sent a message, because their private key encrypted the message digest. Obviously, if the private key has been compromised (stolen or deciphered), the digital signature is worthless for nonrepudiation.
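The sign-and-verify flow described above, as an added example that is not part of the original documentation. It uses textbook RSA with no padding over constructed toy primes so that it runs with the Python standard library alone; the function names, the sample messages and the recipient-side hash allowlist are assumptions made for illustration, and real systems use a vetted library with a padded signature scheme.

```python
import hashlib

# Constructed toy key material: Mersenne primes, chosen only so the example
# runs offline with the standard library. Never use such primes for real keys.
E = 65537
ALLOWED_HASHES = {"sha256", "sha512"}  # recipient-side allowlist (assumption)


def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys as (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


def digest_int(message, algorithm):
    """Message digest as an integer, using the named hashing algorithm."""
    return int.from_bytes(hashlib.new(algorithm, message).digest(), "big")


def sign(message, private_key, algorithm="sha256"):
    """Hash the message, then transform the digest with the private key."""
    d, n = private_key
    return {"message": message, "algorithm": algorithm,
            "signature": pow(digest_int(message, algorithm), d, n)}


def verify(signed, public_key):
    """Recover the digest with the public key; compare with a fresh digest."""
    if signed["algorithm"] not in ALLOWED_HASHES:
        return False  # do not let the sender pick a weak hashing algorithm
    e, n = public_key
    recovered = pow(signed["signature"], e, n)
    return recovered == digest_int(signed["message"], signed["algorithm"])


SIGNER_PUB, SIGNER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
_, IMPOSTER_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)


def demo():
    """Verify four constructed cases against the genuine signer's public key."""
    original = sign(b"Transfer 100 USD to account 42", SIGNER_PRIV)
    tampered = dict(original, message=b"Transfer 900 USD to account 42")
    forged = sign(b"Transfer 100 USD to account 42", IMPOSTER_PRIV)
    weak = dict(original, algorithm="md5")
    cases = {"original": original, "tampered": tampered,
             "forged": forged, "weak_hash": weak}
    return {name: verify(s, SIGNER_PUB) for name, s in cases.items()}


if __name__ == "__main__":
    print(demo())
```

Only the untouched message signed with the genuine private key verifies; the modified message, the imposter's signature and the downgraded hashing algorithm are all rejected.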