The solution to problems of identification, authentication, and privacy in computer-based systems lies in the field of cryptography. Because of the non-physical nature of the medium, traditional methods of physically marking the media with a seal or signature (for various business and legal purposes) are useless. Rather, some mark must be coded into the information itself in order to identify the source, authenticate the contents, and provide privacy against eavesdroppers.
Privacy protection using a symmetric algorithm, such as that within DES (the government-sponsored Data Encryption Standard) is relatively easy in small networks, requiring the exchange of secret encryption keys among each party. As a network proliferates, the secure exchange of secret keys becomes increasingly expensive and unwieldy. Consequently, this solution alone is impractical for even moderately large networks.
DES has an additional drawback—it requires sharing of a secret key. Each person must trust the other to guard the pair's secret key, and reveal it to no one. Since the user must have a different key for every person they communicate with, they must trust each and every person with one of their secret keys. This means that in practical implementations, secure communication can only take place between people with some kind of prior relationship, be it personal or professional.
Fundamental issues that are not addressed by DES are authentication and nonrepudiation. Shared secret keys prevent either party from proving what the other may have done. Either can surreptitiously modify data and be assured that a third party would be unable to identify the culprit. The same key that makes it possible to communicate securely could be used to create forgeries in the other user's name.
The problems of authentication and large network privacy protection were addressed theoretically in 1976 by Whitfield Diffie and Martin Hellman when they published their concepts for a method of exchanging secret messages without exchanging secret keys. The idea came to fruition in 1977 with the invention of the RSA Public Key Cryptosystem by Ronald Rivest, Adi Shamir, and Len Adleman, then professors at the Massachusetts Institute of Technology.
Rather than using the same key to both encrypt and decrypt the data, the RSA system uses a matched pair of encryption and decryption keys. Each key performs a one-way transformation upon the data. Each key is the inverse function of the other; what one does, only the other can undo.
The RSA public key is made publicly available by its owner, while the RSA private key is kept secret. To send a private message, an author scrambles the message with the intended recipient's public key. Once so encrypted, the message can only be decoded with the recipient's private key.
Inversely, the user can also scramble data using their private key; in other words, RSA keys work in either direction. This provides the basis for the "digital signature," for if the user can unscramble a message with someone's public key, the other user must have used their private key to scramble it in the first place. Since only the owner can utilize their own private key, the scrambled message becomes a kind of electronic signature—a document that nobody else can produce.
A digital signature is created by running message text through a hashing algorithm. This yields a message digest. The message digest is then encrypted using the private key of the individual who is sending the message, turning it into a digital signature. The digital signature can only be decrypted by the public key of the same individual. The recipient of the message decrypts the digital signature and then recalculates the message digest. The value of this newly calculated message digest is compared to the value of the message digest found from the signature. If the two match, the message has not been tampered with. Since the public key of the sender was used to verify the signature, the text must have been signed with the private key known only by the sender. This entire authentication process will be incorporated into any security-aware application.
Users of RSA technology typically attach their unique public key to an outgoing document, so the recipient need not look up that public key in a public key repository. But how can the recipient be assured that this public key, or even one in a public directory, really belongs to the person which it indicates? Could not an intruder masquerade in the computer network as a legitimate user, literally sitting back and watching as others unwittingly send sensitive and secret documents to a false account created by the intruder?
The solution is the digital certificate, a kind of digital "passport" or "credential." The digital certificate is the user's public key that has itself been "digitally signed" by someone trusted to do so, such as a network security director, MIS help desk, or VeriSign, Inc. The following figure presents a pictorial description of a digital certificate.
Every time someone sends a message, they attach their digital certificate. The recipient of the message first uses the digital certificate to verify that the author's public key is authentic, then uses that public key to verify the message itself. This way, only one public key, that of the certifying authority, has to be centrally stored or widely publicized, since then everyone else can simply transmit their public key and valid digital certificate with their messages.
Using digital certificates, an authentication chain can be established that corresponds to an organizational hierarchy, allowing for convenient public key registration and certification in a distributed environment.
Once a user has a digital certificate, what do they do with it? Digital certificates have a wide variety of uses ranging from interoffice electronic mail to global electronic funds transfer (EFT). In order to use digital certificates there must be a high degree of trust associated with the binding of a digital certificate to the user or organization linked with the digital certificate. This trust is achieved by building hierarchies of digital certificates, with all members of this hierarchy adhering to the same set of policies. Digital certificates will only be issued to people or entities, as potential members of a hierarchy, once proof of identity has been established. Different hierarchies may have different policies as to how identity is established and digital certificates are issued.
Verisign operates numerous digital certificate hierarchies. The Commercial CA has a high degree of assurance as to the binding between the end user's digital certificate and the actual end user. Members of RSA's Commercial CA will have a high level of assurance, via adherence to the policies, as to who they are communicating with. This will not generally be the case when two end users, who are members of lower-assurance hierarchies, are communicating with digital certificates. Without the assurance associated with a properly managed digital certificate hierarchy, the use of digital certificates has limited value.