You are in: ECommerce-Guide > News > Trends

ECommerce-Guide Essentials eBiz FAQ Everything you need to know to start your own successful e-business. Selling on eBay How to make money in the online marketplace. PayPal Payments and More What's new in secure payments for your online store. Shopping Cart Software Solutions to close, process and track your online sales.

Electronic Keys For A Digital Tomorrow
By Mark Merkow, CCP, CISSP
May 21, 1998

What Are Public-Private Key Pairs?

Cryptography can be performed under two basic approaches -- shared keys and secret keys. Shared (symmetric) keys are used to both encrypt and decrypt messages. The problem is that the key must be delivered to the recipient prior to the beginning of communications under a process that prevents key theft along the way. This is no small feat.

Cryptography using secret (asymmetric) keys use a pair of cryptography keys to encrypt and decrypt communications. These keys are mathematically related, but cannot be derived from each other. They operate such that messages encrypted using one key can only be decrypted with the other key, and vice-versa. These keys are generated at the same time (when a certificate is requested), and the private key NEVER leaves the machine upon which it was generated. The other half of the key pair is sent to the Certificate Authority to ''wrap up'' within a certificate. Certificates are meant to be shared with anyone the private key holder desires to assure his privacy in communications. Before a session begins, the sharing of public key certificates must occur.

How Does Message Signing Work?

Using cryptography, a sender desiring private communications with another can ''sign'' or create a digital signature for their message by computing a special value, called a message digest. The algorithms that perform this computation are such that the chances of two messages having the same value are on the order of 1 in 1 X 10 ⁴⁸ , making drowning while water skiing in the Sahara Desert far likelier. Once computed, the message digest is encrypted with the senderUs private key, and attached to the message itself. These signatures are similar to fingerprints for the message -- no two are ever alike.

Once the message is received, the receiver decrypts the message digest using the public key from the sender''s digital certificate and computes their own message digest using the same algorithm the sender used. Next, they compare the digest value they computed to the one just decrypted. If they match, the recipient is assured that the message must have came from who they believe it came from (otherwise the decryption step would fail), and they can be assured that the message was not altered en route (otherwise the message digest would be different). The algorithms that are used in message digest computations are such that a change of a single byte in the message will change roughly half the bits in the message digest.

Furthermore, if the message and the digest together are encrypted using the receiver''s public key (from their digital certificate), the sender can also be assured that only the receiver can read it. This process is known as creating a Digital Envelope for the message. Using digital envelopes, the Internet becomes a Virtual Private Network (VPN) that tunnels communications between two parties, keeping them secure from prying eyes.

Tools:

Add ecommerce-guide.com to your favorites Add ecommerce-guide.com to your browser search box IE 7 | Firefox 2.0 | Firefox 1.5.x Receive news via our XML/RSS feed