Briefing 16 Annex 1: What is Cryptography?


Principles of Cryptography

Cryptography, to most people, is concerned with keeping communications private. Indeed the protection of sensitive communications has been the purpose of cryptography for most of its history. Today, however, the use of cryptography has extended into other areas, and is becoming available in commodity software products.

The OECD Guidelines on Cryptography Policy define cryptography as: "The discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, establish its authenticity, prevent its undetected modification, prevent its repudiation and/or prevent its unauthorised use."

The underlying principle of cryptography in any form is the transformation of data (plaintext) into some indecipherable form (ciphertext) - encryption - and the corresponding transformation back into understandable form - decryption. Encryption and decryption require the use of some secret information, usually referred to as a key. In general, the longer a key, the more secure the associated cryptographic mechanism becomes. Two forms of cryptographic mechanism are in common use, known as symmetric or secret key, and asymmetric or public key. In either case, for cryptographic mechanisms to work, associated keys must be kept secret - the concern of key management. The extent to which this is necessary depends on the form of cryptography used.

Secret key mechanisms work as shown in Figure 1. The original information is encrypted using a key, and the ciphertext is decrypted using the same key. For this to work, it is essential that both parties share this secret. If this key is compromised, then all information encrypted with that key is compromised. Hence management and secure storage of the secret key is a major concern. Secret key mechanisms are usually fast to process and are, therefore, suitable for encryption of large volumes of information.

Figure 1 Symmetric (Secret Key) Cryptography

Public key mechanisms work as shown in Figure 2. Here key pairs are generated such that information encrypted using the private key can only be decrypted using the public key (and vice versa). While the private key assigned to an individual must be kept secret by that individual (or else they could be impersonated), the public key is made public, and associated with the same individual. If I want to send a confidential message to that individual, I encrypt it using their public key - and only their private key can decrypt it. Public key mechanisms are, usually, slow to process and are, therefore, better suited to encrypting small amounts of information.

Figure 2 Asymmetric (Public Key) Cryptography

For public key systems to work, there need to be trusted mechanisms that associate a public key with the individual to whom it has been assigned. This requires the creation of Certification Authorities that certify public keys as belonging to certain individuals. Certification Authorities sign public key certificates with their own private key, so that key has to be trusted. This leads to the concept of certificate hierarchies. These functions are one of the services that can be offered by Trusted Third Parties, the subject of a separate Paper.


Uses of Cryptography

A familiar use of cryptography is to conceal the information, whether stored or being communicated. This is most efficiently achieved by use of secret key methods. Common mechanisms are the Data Encryption Standard (DES), and RC2/RC4 from RSA Inc.

Public key mechanisms are more commonly used where there is a need to prove an association between an individual and some information. An example is a digital signature or seal. The originator performs a computation involving both their private key and a digest, or unique "fingerprint", of the original information. The resultant signature is attached to the information. The recipient does a similar computation involving a digest of the information, the originator's public key and the attached signature. If the result is consistent, then the information came from the owner of the associated private key and the content of the information has also not been changed. The signing process is shown in Figure 3. A common public key mechanism is RSA.

Figure 3 Creating a Digital Signature
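
The signing and checking computations described above, as an added example that is not part of the original briefing: textbook RSA over a SHA-256 digest in Python. The key pairs are constructed toy values, no padding scheme is applied, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key pair (two Mersenne primes), for illustration only.
# Real keys use randomly generated primes and a padding scheme such as RSA-PSS.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept secret


def digest(message: bytes) -> int:
    """Fingerprint of the information, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Originator: computation involving the private key and the digest."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient: recompute the digest and compare it with the value
    recovered from the signature using the originator's public key."""
    return pow(signature, e, n) == digest(message)


def demo() -> dict:
    original = b"Pay 100 pounds to Alice"   # constructed sample message
    tampered = b"Pay 900 pounds to Alice"   # same message, altered in transit
    sig = sign(original)

    # A second constructed key pair stands in for someone else's private key.
    p2, q2 = 2**127 - 1, 2**607 - 1
    other_n = p2 * q2
    other_d = pow(E, -1, (p2 - 1) * (q2 - 1))
    forged = sign(original, other_d, other_n)

    return {
        "original": verify(original, sig),    # consistent: origin and content hold
        "tampered": verify(tampered, sig),    # digest no longer matches
        "other_key": verify(original, forged) # not the holder of the private key
    }


if __name__ == "__main__":
    print(demo())
```

The check fails both when the content changes and when the signature was produced with a private key other than the one matching the public key used for verification.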

Cryptography is also used to achieve a number of other processes useful in the electronic world. Authentication provides the means of ensuring the identity of a user; a digital timestamp bound to information can establish when it was created; the digital signature itself can be used to prove who sent a document, and prevent the originator repudiating ownership.

These basic cryptographic mechanisms can be used to build more complex processes such as electronic cash, anonymous transactions, and control of distribution of information to closed groups (such as subscribers to an electronic magazine).

