Asymmetric Cryptography

Asymmetric encryption, on the other hand, uses two seperate keys, respectively for encryption & decryption:

• The public key, used for encrypting messages and

• The private key, used for decrypting messages. In contrast to symmetric encryption, the keypair cannot be chosen freely, as they need to be mathematically connected to each other.

For instance, let there be Person A (Alice) and Person B (Bob). Each of them has a public & private key. The public key needs to be available for everyone who wants to encrypt messages. The private key must be kept private, as it can be used to decrypt any messages encrypted with the respective public key.

Alice wants to send an encrypted message to Bob. Firstly, Alice encrypts the message using Bob's public key for, which is then transmitted to Bob. Then, Bob uses his private key for decrypting the message.

The provided steps serve as a generic illustration about how to create an RSA keypair:

1. Generate two large random prime numbers (p, q). It is important to ensure that those prime numbers are generated using a cryptographic random number generator with sufficient entropy, as numbers generated by pseudo-random number generators are predictable, making the resulting keypair unsafe.

2. Calculate N = p * q.

3. Calculate Φ(N) = (p-1) * (q-1).

4. Choose e such that 1 < e < Φ(n), gcd(e, Φ(N)) = 1.

5. Calculate d such that e * d ≡ 1 (mod Φ(N)).

6. Public key: (e, N).

7. Private key: (d, N).

Encryption & Decryption

The plain data is defined as m, whereas the encrypted data is defined as c. Both m and c are treated as unsigned integer.

• Encryption:

  • c = m^e mod N.

• Decryption:

  • m = c^d mod N.

Digital Signatures

Digital signatures are cryptographic techniques used to ensure the authenticity & integrity of digital messages. Here, you'll find an overview about the most common ways to sign & verify messages.

• RSA

In asymmetric encryption, we used the public key to encrypt the data, whereas the private key was used for decrypting the data. For digital signatures, the keys are used the other way around: The private key is used for encrypting the data, and the public key is used for decryption. For instance, we initially generate a hash of a piece of data. Then, we encrypt the hash using the private key. Now everyone with the public key can compare the decrypted hash against the actual hash of the data. A mismatch indicates that the original data was tampered with.

• HMAC (Hash-Based Message Code)

HMAC is another way of verifying digital messages. In contrast to RSA, a shared secret is used instead of the private key. Here, the message is combined with a secret code, creating a so-called tag. In context of symmetric encryption, the tag is created based on both the plaintext & the secret code. After transmission, the tag can be re-created by the receiver, which can be compared against the initial tag in order to detect transmission errors. While HMAC can be used to verify the integrity and authenticity of data, it is important to note that it's not a signing method, and not to be used as such.

Public Key Infrastructure (PKI)

PKI, also know as Public Key Infrastructure, is a hierarchical system for issuing, distributing and verifying digital certificates. Digital certificates allow a trustworthy and secure association between various entities and their public keys. Public Key Infrastructure consists out of multiple components

• Registration Authority:

  • The registration authority is responsible for verifying certificate signing requests & forwarding them to the certificate authority.

  • When you want to get a digital ceriticate, you need to request a certificate signing here. As the registration authority needs to verify the user's identity, you need to provide personal information such as

    • Personal information

    • Proof of identity

    • Information about the company to issue the certificate to

• Certificate Authority:

  • The certificate authority is responsible for issuing the digital certificates.

  • After the registration authority validated the user's identity, the certificate authority will create the certificate to be issued to the user.

• Validation Authority:

  • The validation authority is responsible for validating digital certificates, as well as providing information about it's validity.

  • In the case of a code signing certificate, windows sends a validation request to the validation authority to see whether the signed certificate is still valid.

Let's make an example: You are a software developer, and want to create a computer game. After you are finished with coding, you want to publish your program, allowing everyone to download it. Once the program downloads & executes the program, the operating system attempts to verify the publisher by looking for a digitally signed certificate within the executable. That's where PKI comes in: In order to verify yourself as publisher of the program, you need to request a code-signing certificate. In case it's not present, windows states that the program was released by an unknown publisher, and therefore cannot be trusted.

Obtaining a code-signing certificate can be quite expensive, especially when it comes to signing kernel-mode drivers. With that being said, as of now, there is no way to obtain a code-signing certificate for free.

HTTPS-certificates are also managed via PKI, which are used for providing traffic encryption & verifying the ownership of websites. Fortunately, HTTPS-certificates are easy & free to obtain. One example of a free certificate authority offering free certificates would be https://letsencrypt.org.