Chapter 3. ssl1000 overview, Overview of public key infrastructure (pki), Encryption – Visara SSL1000 User Manual

707092-001

3-1

Chapter 3. SSL1000 Overview

Overview of Public Key Infrastructure (PKI)

There are two aspects of PKI:

•

Encryption

- the scrambling of data to make it unreadable (and unchangeable

without detection).

•

Authentication

- the process of assuring that you’re talking to whom you think

you’re talking to, by using certificates.

Encryption is the easier to talk about, because no one knows how it works, just that it
works, and to what level it is “unbreakable”. You have no doubt seen the little lock at
the bottom of your web browser while conducting a secure transaction over the Internet.
This means that the data back and forth is being encrypted, so that any evil forces (or
college hackers) who happen to be somehow monitoring the traffic, will not be able see
your passwords, account numbers, etc. You have also heard of the export ban of
encryption technology stronger than 40 bits (now lifted).

The 40-bit and 128-bit (and now 168-bit) encryption strengths that you hear bandied
around refer to the symmetric encryption process. (Yes, there is also an asymmetric
process…just read on). The symmetric process means that the same 128-bit key is used
to encrypt the data being sent, and to decrypt the data received. This process is fairly
efficient, so it is used for the bulk of the Secure Socket Layer (SSL) traffic.

When two computers need to encrypt data, they first must exchange the 128-bit key.
When they connect, the “server” side will randomly generate this key, and send it to the
“client” computer. Then they both use the same key to secure the data for as long as
they stay connected. But how can they prevent this key from being intercepted by the
evil eavesdropper? It must be encrypted as well. Enter asymmetric encryption and digital
certificates.

Asymmetric encryption is an algorithm that uses two keys. Data that is encrypted with
one can only be decrypted with the other. So the plan goes like this: Give anybody and
everybody one of the keys (the public key), and keep the other safe on your PC or
server, locked away under password protection. If you want to exchange encrypted data
with someone, you send them the public key. They use it to decode what they receive
from you and it is also used to encrypt the data sent to you. It can only be decrypted
with the private key, so even if the evil snoopers see the data, and have the public key,
they can’t decrypt the data.

“Why not just encrypt all the traffic with this public/private technique?” you ask. This
algorithm requires much more processing, and requires 1024 or even 2048-bit keys in
order to make it as unbreakable as the 128 bit keys in symmetric encryption. So to keep
things flowing faster, an asymmetric process protects exchanging the symmetric key,
which then protects exchanging the real data.