iTP Secure WebServer System Administrators Guide (Version 7.5+)

Juliet's decryption key might be the same secret key Romeo uses to encrypt his messages to Juliet,
or it might be the private component of a public/private key pair: Romeo uses Juliet's public key
to encrypt his message, and then Juliet uses the associated private key to decrypt it.
For a discussion about public keys, see “Public Key Systems” (page 270).
Authentication
Authentication is encryption's complement. While encryption protects against eavesdroppers,
authentication protects against impostors. Often it is not enough to check that only the intended
receiver can read a message; there must also be a way to verify that the sender of a message is
in fact who he or she claims to be. In fact, used alone, encryption can make a message appear
to be what it is not: an authentic message from an authentic sender. Anyone who holds Juliet's
public key can encrypt a message to her, so encryption by itself says nothing about who wrote it.
Authentication often employs digital signatures, which are pieces of data that function for digital
documents much as handwritten signatures function for printed documents. A digital signature is
unique to the signer and to the signed data, and it cannot be forged by anyone who does not hold
the signer's private signing key. Many authentication systems, therefore, consist of two parts: (1) a
method of applying a unique, unforgeable digital signature to a message and (2) a method of
verifying the authenticity of a digital signature that has been applied to a message.
Capulet, posing as Romeo, might send a message to Juliet. Capulet's message might even be
encrypted using Juliet's public encryption key. However, when Juliet checks the digital signature on
the message against Romeo's public signing key, she finds that it does not verify: Capulet could only
have signed with his own private key, not Romeo's. She knows, therefore, that she has received
a bogus message.
Because a digital signature cannot be forged without the signer's private key, it cannot be
repudiated. That is, anyone who applies his or her digital signature to a message cannot later disown
it by claiming forgery, as long as the private key has remained secret. This is why protecting the
private key matters as much for authentication as it does for confidentiality.
Cryptographic Techniques
This section introduces the two primary cryptographic techniques:
“Secret Key Systems” (page 270)
“Public Key Systems” (page 270)
Secret Key Systems
In secret key systems, the sender and receiver of a message each use the same secret key. The
sender uses it to encrypt a message, and the receiver uses it to decrypt this message. This method
is simple and straightforward, but it has an inherent vulnerability.
Key Vulnerability
The secret key system is inherently vulnerable in that both parties must possess the same key. In
other words, the key must be communicated between the two parties without anyone else coming
into possession of it, whether inadvertently or through malicious intent. If the parties are in the
same place, the chance of compromise is small. However, if the parties are in separate physical
locations, which is most often the case, they must entrust a third party, such as a telecommunications
system, to distribute the secret key between them without anyone else obtaining it. Anyone who
does obtain the key, including that third party, can read every message encrypted under it.
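The following is an added example, not code from the iTP Secure WebServer guide, showing the secret key property just described: whoever holds the same key can open the message, and whoever holds a different key gets an error. The algorithm (AES-256-GCM), the "courier" who keeps a copy of the key during distribution, the message text and the function names sealWithSharedKey/openWithSharedKey/sharedKeyExchange are all assumptions made for the illustration; the page names no particular cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newSecretKey returns a fresh 256-bit AES key. This is the value that must
// somehow reach the other party without being copied along the way.
func newSecretKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealWithSharedKey encrypts and authenticates plaintext under key with
// AES-256-GCM. Output is nonce || ciphertext || tag; the nonce is fresh per
// message and must never repeat under the same key.
func sealWithSharedKey(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with the message.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openWithSharedKey reverses sealWithSharedKey. It succeeds for anyone who
// holds the same key and fails with an error (never garbage) for anyone else,
// including anyone who tampered with the ciphertext.
func openWithSharedKey(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// sharedKeyExchange plays out the scenario from the text (constructed example).
// It returns what Juliet reads with Romeo's key, what a courier who kept a copy
// of the key reads, and the error an outsider holding a different key receives.
func sharedKeyExchange(message string) (string, string, error, error) {
	romeoKey, err := newSecretKey()
	if err != nil {
		return "", "", nil, err
	}
	sealed, err := sealWithSharedKey(romeoKey, []byte(message))
	if err != nil {
		return "", "", nil, err
	}
	julietKey := append([]byte{}, romeoKey...) // delivered to Juliet by the courier
	julietReads, err := openWithSharedKey(julietKey, sealed)
	if err != nil {
		return "", "", nil, err
	}
	courierKey := append([]byte{}, romeoKey...) // the courier kept a copy: same result
	courierReads, err := openWithSharedKey(courierKey, sealed)
	if err != nil {
		return "", "", nil, err
	}
	otherKey, err := newSecretKey() // an outsider guessing or using any other key
	if err != nil {
		return "", "", nil, err
	}
	_, outsiderErr := openWithSharedKey(otherKey, sealed)
	return string(julietReads), string(courierReads), outsiderErr, nil
}

func main() {
	j, c, outsiderErr, err := sharedKeyExchange("Meet me at the balcony at midnight.")
	if err != nil {
		panic(err)
	}
	fmt.Printf("Juliet reads:  %q\nCourier reads: %q\nOutsider gets: %v\n", j, c, outsiderErr)
}
```

The point of the courier branch is the one the text makes: the cipher does not distinguish Juliet from anyone else who obtained the key during distribution, so the security of the whole scheme reduces to the security of that distribution step.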
Key Management
The effort to protect and control keys is called key management (see “Secure Sockets Layer (SSL)”
(page 274)). Key management is of paramount importance in secret key cryptography because of
the inherent vulnerability of keys.
Public Key Systems
In public key systems, each party is assigned a pair of keys: a public key and an associated private
key. The owner of a key pair distributes her public key to any sender wanting to communicate
privately with her, while retaining, and keeping absolutely secret, her private key (see “Public-Key
Systems” (page 271)). The sender uses the owner's public key to encrypt his message; the owner
then uses her private key to decrypt it. Because the public key is public, anyone can encrypt a
message to the owner, but only the holder of the private key can decrypt it.
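The following is an added example, not code from the iTP Secure WebServer guide, that carries the Romeo, Juliet and Capulet scenario from the “Authentication” and “Public Key Systems” passages through in working code: each party holds a public/private pair for signing and another for receiving encrypted mail, Romeo signs and then encrypts to Juliet's public key, and Capulet's forgery, although correctly encrypted to Juliet, fails the signature check against Romeo's public key. The algorithms (Ed25519 for signatures, RSA-OAEP for encryption), the sign-then-encrypt layout msg || signature, the message texts and the names Party, Send, Receive and BalconyScene are all assumptions made for the illustration; the page names no particular algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one person's two key pairs. Only the public halves are ever shared.
type Party struct {
	Name    string
	signKey ed25519.PrivateKey // kept absolutely secret: proves authorship
	SignPub ed25519.PublicKey  // given to anyone who must verify this party's signature
	encKey  *rsa.PrivateKey    // kept absolutely secret: opens mail addressed to this party
	EncPub  *rsa.PublicKey     // given to anyone wanting to write privately to this party
}

func NewParty(name string) (*Party, error) {
	signPub, signKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	encKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, signKey: signKey, SignPub: signPub, encKey: encKey, EncPub: &encKey.PublicKey}, nil
}

// Send signs msg with the sender's private signing key, then encrypts
// msg || signature to the receiver's public encryption key with RSA-OAEP.
// OAEP with SHA-256 under a 2048-bit key carries at most 190 bytes, enough for a short note.
func (p *Party) Send(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	sig := ed25519.Sign(p.signKey, msg)
	payload := append(append([]byte{}, msg...), sig...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, payload, nil)
}

// Receive decrypts with the receiver's own private key, then checks the
// signature against the public key of whoever the message claims to be from.
func (p *Party) Receive(claimedSender ed25519.PublicKey, sealed []byte) ([]byte, error) {
	payload, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.encKey, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt: %w", p.Name, err)
	}
	if len(payload) < ed25519.SignatureSize {
		return nil, errors.New("payload too short to carry a signature")
	}
	cut := len(payload) - ed25519.SignatureSize
	msg, sig := payload[:cut], payload[cut:]
	if !ed25519.Verify(claimedSender, msg, sig) {
		return nil, errors.New("signature does not verify under the claimed sender's public key")
	}
	return msg, nil
}

// SceneResult records the three outcomes the text describes.
type SceneResult struct {
	Accepted     string // what Juliet reads from Romeo's genuine letter
	ForgeryErr   error  // why Juliet rejects Capulet's letter signed "Romeo"
	EavesdropErr error  // why Capulet cannot read Romeo's letter to Juliet
}

// BalconyScene plays out the constructed scenario with the given message texts.
func BalconyScene(genuine, forged string) (*SceneResult, error) {
	romeo, err := NewParty("Romeo")
	if err != nil {
		return nil, err
	}
	juliet, err := NewParty("Juliet")
	if err != nil {
		return nil, err
	}
	capulet, err := NewParty("Capulet")
	if err != nil {
		return nil, err
	}
	letter, err := romeo.Send(juliet.EncPub, []byte(genuine))
	if err != nil {
		return nil, err
	}
	accepted, err := juliet.Receive(romeo.SignPub, letter)
	if err != nil {
		return nil, err
	}
	// Capulet can encrypt to Juliet's public key like anyone else, but can only
	// sign with his own private key; Juliet verifies against Romeo's public key.
	fake, err := capulet.Send(juliet.EncPub, []byte(forged))
	if err != nil {
		return nil, err
	}
	_, forgeryErr := juliet.Receive(romeo.SignPub, fake)
	// Capulet also cannot open Romeo's letter: it was encrypted to Juliet's key, not his.
	_, eavesdropErr := capulet.Receive(romeo.SignPub, letter)
	return &SceneResult{Accepted: string(accepted), ForgeryErr: forgeryErr, EavesdropErr: eavesdropErr}, nil
}

func main() {
	r, err := BalconyScene("Meet me at the balcony at midnight.", "Never come to the balcony again.")
	if err != nil {
		panic(err)
	}
	fmt.Printf("Juliet accepts: %q\nForgery: %v\nEavesdropper: %v\n", r.Accepted, r.ForgeryErr, r.EavesdropErr)
}
```

Receive fails closed in both directions: a wrong private key makes decryption fail, and a signature under any key other than the claimed sender's makes verification fail, which is exactly the separation between confidentiality and authentication the text draws. One caveat a practitioner should note: the signature covers only the message, not the intended recipient, so a real protocol also binds recipient and context into what is signed.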
270 Security Concepts