iTP Secure WebServer System Administrators Guide (Version 7.5+)

ManualsBrandsHP ManualsServerHP Integrity NonStop H-Series

271

272

273

274

275

276

277

278

279

280

In other words, in public key systems, only half of the encryption mechanism (the public key) is

shared among the parties to a communication; the other half (the private key) never leaves the

possession of its owner. Neither key is of any value without the other.

Public key cryptography can be used for both privacy (encryption) and authentication (digital

signatures).

Figure 14 Public-Key Systems

Web Client

Internet

iTP Secure WebServer

Subsequent requests are

sent with the same ticket

...so the resource is returned

immediately

URL Request with Ticket

Requested Resource

Encryption

For encryption,public key systems work as follows: To send a private message to Juliet, Romeo

looks up Juliet's public key in a public directory. Using this public key, he encrypts his message

and then sends it to Juliet across a normal (nonsecure) communications channel. Upon receiving

Romeo's message, Juliet uses her private key, which is uniquely associated with her public key, to

decrypt it.

Because only Juliet has access to her private key, no one else can decrypt Romeo's message.

Therefore, even if Capulet, Juliet's father, intercepts Romeo's message, he cannot read it – unless

he gains access to Juliet's private key.

Session Keys

In practice, encrypting data with a public key system is computationally slow and therefore

expensive. Secret key systems, based on a technology such as the Data Encryption Standard (DES),

are much faster.

To save time, instead of encrypting his message with Juliet's public key, Romeo could generate a

random key on the basis of a secret key technology, and then use this key (called a session key)

to encrypt his message. After using Juliet's public key to encrypt his session key, Romeo would

send Juliet both his encrypted message and the encrypted session key. Upon receiving the encrypted

message and key, Juliet would use her private key to decrypt Romeo's session key, and then use

the session key to decrypt Romeo's message. The net result is more steps, but less time.

Digest Functions

Generating a digital signature by encrypting an entire message is also computationally expensive.

To speed things up, many signature systems first compute a digest of a message. A digest is a

string of bits (128 bits, for example) constructed such that it would be highly unlikely for any two

digests to be identical. It would also be essentially impossible to re-create a message on the basis

of its digest or to find another message with the same digest.

After generating a digest from his message, Romeo could sign this digest instead of the entire

message. Upon receiving Romeo's message and its accompanying digest, Juliet could verify

Romeo's signature by independently computing the digest and verifying the signature.

Cryptographic Techniques 271