Understanding Encryption, Digital Signatures, and Certificates

Here's a high-level overview of how sensitive data is secured on the web...
The internet uses a system called 'public-key cryptography' to secure information that is sent, and to verify the identity of the sender. This form of cryptography requires that you have two keys. One key can scramble up data so that no one can read it, and the other key can unscramble it, so that it can be read.

I don't want to go into the details of scrambling, or encrypting, messages. But in essence it's a matter of applying an equation that mixes up the message, and then using another equation that returns it to its original form. Here's an ancient example: Julius Caesar used encryption before sending messages by replacing each letter with the one that appears three places to the right in the Latin alphabet.

Back to public-key cryptography, which requires a public key and a private key. The public key is made available to anyone, while the private key should be kept completely safe and secure from anyone other than its owner. In some cases the public key does the scrambling while the private key does the unscrambling. In other cases, the reverse is true: the private key scrambles while the public key unscrambles. In either scenario, the two keys work together, and it is very, very difficult to scramble AND unscramble data unless you have both keys.

When you communicate with a web server via HTTPS, the server sends your browser a public key, which in this case scrambles the data. Anyone who has access to the server can get a public key. So when you type information into your browser, it applies the public key to mix up the data before sending it. This protects your data while it's in transit, and the only thing that can unscramble the data is the private key, which the web server does not share. So when your encrypted message reaches the server, it uses the private key in order to read its contents.

Digital signatures are used to verify the identity of the person sending you data (actually, it's the server that does the sending, but we'll assume that a person is controlling the server). Once again, anyone can get the public key, while only the server has the private key. But in this case, unlike the previous example, the private key does the scrambling while the public key does the unscrambling. The theory is that anyone can unscramble the data, but only the server, which has the private key, can scramble it. So if the server sends a scrambled message to your browser, and your browser is able to use the public key to unscramble the message, it is safe to assume that the two keys match and the sender of the data is the true holder of the private key. At this point you might be wondering how this makes sense. Just because a person sends you a public key, and you can use that key to unscramble the message, it doesn't mean you should trust that he is the person he claims to be. After all, when communicating over the web, you never get to see what's on the sending end; everything comes through the 'cloud' of the internet. This is where certificates come into play.

Certificates verify the owner of a public key and they are issued by 'certificate authorities', which are organizations that do background checking to confirm that the owner of a public key is telling the truth about his/her identity.  So when your browser encounters a server that wants to communicate via encryption, it not only receives the public key, it also asks for the certificate so that you can be sure of the identity of the owner of the public key.

At this point you might be wondering how you can trust the certificate (good question). The certificate actually comes with a public key of its own, and your browser is able to confirm the identity of the certificate because almost all browsers are packaged with information about the major certificate authorities. So unless your browser was somehow corrupted when you installed it, it should be able to safely verify that you can indeed trust the certificate.
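
The signature and certificate checks described above, as an added example that is not part of the original post: textbook RSA in Python with toy keys built from known primes and no padding, so it illustrates the chain of trust only. All function names, the keys and the name shop.example are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent used by every toy key here

def make_keypair(p, q):  # textbook RSA; keys are (exponent, modulus) pairs
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest(data, n):
    # Hash, then reduce into the key's range (toy shortcut; real schemes pad instead).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):               # the private key "scrambles"
    d, n = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):   # the public key "unscrambles"
    e, n = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_certificate(name, public, ca_private):
    # The authority binds a name to a public key by signing both together.
    return {"name": name, "public": public, "ca_sig": sign(cert_body(name, public), ca_private)}

def browser_check(cert, expected_name, message, msg_sig, trusted_ca_public):
    if not verify(cert_body(cert["name"], cert["public"]), cert["ca_sig"], trusted_ca_public):
        return "reject: certificate not signed by a trusted authority"
    if cert["name"] != expected_name:
        return "reject: certificate names a different server"
    if not verify(message, msg_sig, cert["public"]):
        return "reject: message was not signed by the certified key"
    return "accept"

# Constructed keys from known Mersenne primes (far too structured for real use).
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
SERVER_PUB, SERVER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
FAKE_PUB, FAKE_PRIV = make_keypair(2**19 - 1, 2**31 - 1)
MSG = b"hello from shop.example"
GOOD_CERT = issue_certificate("shop.example", SERVER_PUB, CA_PRIV)
# An impostor can generate keys and sign its own certificate, but not as the CA.
FAKE_CERT = issue_certificate("shop.example", FAKE_PUB, FAKE_PRIV)

if __name__ == "__main__":
    print(browser_check(GOOD_CERT, "shop.example", MSG, sign(MSG, SERVER_PRIV), CA_PUB))
    print(browser_check(GOOD_CERT, "shop.example", b"tampered", sign(MSG, SERVER_PRIV), CA_PUB))
    print(browser_check(FAKE_CERT, "shop.example", MSG, sign(MSG, FAKE_PRIV), CA_PUB))
```

The impostor's signature on its own message is perfectly valid under its own key; it is rejected only because the browser starts from the authority key it already holds.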

2 Comments - Average Rating: 4

If the idea is to explain the concept without getting the reader bogged down in details, it's ... great! :-)
Rating: 5
Date Posted: June 22nd, 2010

Rating: 3
Date Posted: March 23rd, 2010