Specifications
The most common public key algorithm is RSA, developed by Rivest, Shamir, and Adelman at
MIT and published in 1978. RSA was a proprietary system, but the patent expired in
September 2000.
The capability to transmit a public key in the clear and not need to worry about it being seen
by a third party is a huge advantage, but secret key systems are still in common use. Often, a
hybrid system is used. A public key system is used to transmit the key for a secret key system
that will be used for the remainder of a session’s communication. This added complexity is tol-
erated because secret key systems are around 1000 times faster than public key systems.
Digital Signatures
Digital signatures are related to public key cryptography, but reverse the role of public and pri-
vate keys. A sender can encrypt and digitally sign a message with her secret key. When the
message is received, the recipient can decrypt it with the sender’s public key. As the sender is
the only person with access to the secret key, the recipient can be fairly certain from whom the
message came and that it has not been altered.
Digital signatures can be really useful. They let the recipient be sure that the message has not
been tampered with, and they make it difficult for the sender to repudiate, or deny sending, the
message.
It is important to note though that although the message has been encrypted, it can be read by
anybody who has the public key. Although the same techniques and keys are used, the purpose
of encryption here is to prevent tampering and repudiation, not to prevent reading.
As public key encryption is fairly slow for large messages, another type of algorithm, called a
hash function, is usually used to improve efficiency.
The hash function calculates a message digest or hash value for any message it is given. It is
not important what value the algorithm produces. It is important that the output is determinis-
tic, that is, that the output is the same each time a particular input is used, that the output is
small, and that the algorithm is fast.
The most common hash functions are MD5 and SHA.
A hash function generates a message digest that matches a particular message. If you have a
message and a message digest, you can verify that the message has not been tampered with, as
long as you are sure that the digest has not been tampered with.
To this end, the usual way of creating a digital signature is to create a message digest for the
whole message using a fast hash function, and then encrypt only the brief digest using a slow
public key encryption algorithm. The signature can now be sent with the message via any nor-
mal unsecure method.
E-commerce and Security
P
ART III
296
17 7842 CH13 3/6/01 3:36 PM Page 296