
Basics of Cryptography

The document discusses cryptography and digital certificates. It explains that public key cryptography solves issues with single key cryptography by using key pairs - a private key that is kept secret and a public key that can be freely shared. A digital certificate issued by a certificate authority like Verisign contains a person's public key and identity information, allowing someone to verify that a public key does indeed belong to that individual.

Uploaded by

Manal Ali Ghanem
Copyright
© Attribution Non-Commercial (BY-NC)

Basics of Cryptography & Digital Certificates

Trusted Internet Services from VeriSign and SafeScrypt.


Introduction:
The solution to problems of identification, authentication, and privacy in computer-based systems lies in the field of cryptography. Because of the non-physical nature of the medium, traditional methods of physically marking the media with a seal or signature (for various business and legal purposes) are useless. Rather, some mark must be coded into the information itself in order to identify the source, authenticate the contents, and provide privacy against eavesdroppers. This white paper discusses the various security challenges for electronic communication and how PKI provides a solution to them all.

Challenges for Security:

The various challenges for security in e-commerce are listed below. They are popularly known as the five pillars of e-commerce.

i. Confidentiality
ii. Authentication
iii. Integrity
iv. Non-repudiation
v. Interoperability / Universality

i. Confidentiality

You want to be sure the information you are sending, such as credit card information when purchasing goods online, or sensitive business information in e-mail, can’t be read by anyone other than the intended recipient.

ii. Integrity

You want to make sure no one has intercepted information and changed it in any way. So tampering of the information by anybody should be difficult and evident.

iii. Authentication

You want to be able to check on the identity of users. For example, you wouldn’t want a competitor to download your company information from an Extranet, or in the case of a very large financial transaction, you want to feel certain of who placed the order. As a user, you also want to be certain if you are buying goods from an online store, that the store is legitimate, that you’ll actually get the goods you are paying for -- you’re not just providing a credit card number with which someone can go on a shopping spree.

2SafeScrypt Ltd Minimum System Requirements 2

iv. Non-repudiation

In the real world, a contract with a written signature is generally binding. There is no real equivalent on the Internet. Someone might buy some stock over the Internet, the price falls, and then they say they never placed the order. There isn’t a way to sign a contract electronically except with a certificate.

v. Interoperability

Finally, whatever solution you have needs to be interoperable and universal, because the benefit of this model is that everyone can work together and share information across the network transparently. The adoption of standards by Internet vendors has provided this interoperability.

Only digital certificates can provide all of the above.

                              PKI    Passwords
Authentication                Yes    Yes
Confidentiality               Yes    No
Integrity                     Yes    No
Non-repudiation               Yes    No
Enabled in standard apps      Yes    Yes
Proven technology             Yes    Yes
Standards-based               Yes    Yes
Shared identity across apps   Yes    No



Comparison with Password based system

Authentication: While passwords provide authentication, there are security problems. About 20% of people use “bad” passwords, that is, passwords that would easily be guessed: your maiden name, your child’s name, birthdate etc. How many of you are guilty? And if you use different passwords, how many of you write them down somewhere on a yellow sticky and place it under your keyboard or mousepad? How many of you use the same password across multiple applications? Once one application is compromised, all the other applications using the same password are compromised.

Integrity, confidentiality and non-repudiation: Passwords do nothing to prevent the tampering of information, nor do they provide confidentiality; they can’t encrypt data. And as we talked about before, passwords are not sufficient to replace written signatures and don’t provide non-repudiation.

Shared identity: Passwords don’t provide any unique identity information across applications.

History of Cryptography and PKI:

Single Key Cryptography

• Bob has one secret key
• If Alice wants to send Bob a secret message
• Bob sends Alice a copy of his secret key
• Alice encrypts message with Bob’s secret key
• Bob decrypts message with his secret key

Single key cryptography is where you use the SAME “key” (think of this as a mathematical formula) to both encrypt and decrypt data. This is the kind of cryptography used in WW-II, where code was “cracked” by the enemy so confidential information about troop movements could be gathered.



Problems:
• How does Bob get secret key to Alice?
• What if Alice is a double agent?
• What if Alice, Bob, Charlie, & Dan need to exchange messages? Need n! keys

With single-key cryptography you have the problems of how to share the secret key -- how does Bob get the secret key to Alice safely -- and of managing a large number of secret keys.

If too many people share the same secret key, then if even one of them is bad, a mole, all messages are compromised. Or, if Alice, Bob and Charlie all share the same secret key, Bob could claim that Charlie really sent the message. So to avoid this, say all of us want to communicate confidentially and there are about 20 of us in this room, we would have to manage 20 factorial keys -- this is a very very large number.

A Better method: Public Key Cryptography

• Bob has two complementary keys
• What one key encrypts, only the other key can decrypt
• Bob keeps one key private (Private Key)
• Bob shares the other key (Public Key)
• If Alice needs to send Bob a message
• Bob sends Alice a copy of his Public Key
• Alice encrypts message with Bob’s public key
• Bob decrypts message with his private key



Public key cryptography solves these problems. Everyone gets just one unique “key pair”, consisting of a PRIVATE key that is kept safe and a PUBLIC key that can be shared freely. What one key does, the other can undo. The analogy might be that you use one key to unlock the safe and put things in the safe, but you need the other key to unlock it to remove its contents. Because anyone can get a copy of the public key, the distribution problem becomes a non-issue.

Some examples of how this works. Bob creates a digital signature attached to his e-mail message using his private key. The recipients know it really came from Bob because only he could have signed it with his private key (since it is never shared or distributed to anyone else).

Or, for sending encrypted e-mail, Bob can give Alice his public key which she uses to encrypt a personal e-mail message she sends to Bob. Bob uses his private key to decrypt and read it. Anyone can use Bob’s public key to encrypt a message to Bob, and feel confident that only Bob can read it because only he has the private key.

Advantages:
• Bob can distribute public key freely
• If Alice is a double agent, she can’t do any harm with Bob’s public key
• Bob only needs one key pair, no matter how many people he speaks to
• Bob can digitally “sign” messages, by encrypting with his private key

Bob can share his public key with as many people as he likes. It doesn’t matter what Alice does with it even if she is a mole. It’s only good for encrypting e-mail sent to Bob and only Bob can read it.

So in a room of 20 people, you only need 20 key pairs (not 20 factorial keys), one for each person, and everyone can communicate with everyone else. This solves the key management problem.

Problem:
• How does Alice really know that she is using Bob’s public key?



But this leaves us with one remaining problem. How does Alice know she really is using Bob’s public key and it isn’t someone pretending to be Bob?

This is where a Certificate Authority or CA comes into the picture. VeriSign and SafeScrypt, as its Principal affiliate for India, are CAs. Just as we trust a passport office to issue your passport, or VISA to issue credit cards after doing the appropriate level of identity checking, a certificate authority is a trusted third party that issues digital certificates and guarantees that the public key really belongs to a specific person or entity. That’s what VeriSign / SafeScrypt does.

Certificate Authority is a trusted third party similar to Passport Office, CPA
Certificate Authorities issue digital certificates.

A certificate contains the following:

• Bob’s public key
• Bob’s name, address, other info
• Expiration date & serial number
• The certificate authority’s name, etc.

A digital certificate is “signed” with the Certificate Authority’s private key, to ensure authenticity, and everyone has the CA’s public key.

Digital Certificates:

Digital Certificates or Digital ID is a kind of digital "passport" or "credential." The Digital ID is the user's Public Key that has itself been "digitally signed" by someone trusted to do so, such as a CA or VeriSign, Inc. The following figure presents a pictorial description of a Digital ID.



Every time someone sends a message, they attach their Digital ID. The recipient of the message first uses the Digital ID to verify that the author's Public Key is authentic, then uses that Public Key to verify the message itself. This way, only one Public Key, that of the certifying authority, has to be centrally stored or widely publicized, since then everyone else can simply transmit their Public Key and valid Digital ID with their messages.

Using Digital IDs, an authentication chain can be established that corresponds to an organizational hierarchy, allowing for convenient Public Key registration and certification in a distributed environment.

Procedure for Secure Electronic Transaction:

• Before sending a secret message -- ask to see the other party’s certificate -- extract their public key
• When signing a document -- encrypt using your private key, and send encrypted document plus your certificate
• Before trusting a document, verify signature using the sender’s certificate
• Before doing anything with a certificate, be sure you trust the Certificate Authority who issued it
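
The checks in this procedure, in the order a recipient applies them, as an added example that is not part of the original white paper. It assumes toy textbook RSA (no padding, keys built from Mersenne primes) in place of real certificate formats and key sizes; the names "Toy CA", check_message and the sample keys are hypothetical and constructed for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook RSA key pair (no padding): returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)   # "encrypt" the hash with the private key

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(subject, public, issuer):
    return f"{subject}|{public[0]}|{public[1]}|{issuer}".encode()

def issue_cert(issuer, issuer_private, subject, public):
    sig = sign(issuer_private, cert_body(subject, public, issuer))
    return {"subject": subject, "public": public, "issuer": issuer, "sig": sig}

def check_message(trusted_cas, cert, message, signature, expected_sender):
    """Apply the checks in order; return 'ok' or the reason for rejection."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None:
        return "untrusted CA"
    body = cert_body(cert["subject"], cert["public"], cert["issuer"])
    if not verify(ca_public, body, cert["sig"]):
        return "bad certificate signature"
    if cert["subject"] != expected_sender:
        return "certificate names someone else"
    if not verify(cert["public"], message, signature):
        return "bad message signature"
    return "ok"

# Constructed sample keys (Mersenne primes, far too structured for real use).
CA_PUB, CA_PRIV = make_key(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_key(2**107 - 1, 2**127 - 1)
MAL_PUB, MAL_PRIV = make_key(2**521 - 1, 2**607 - 1)
TRUSTED = {"Toy CA": CA_PUB}           # the one public key everyone stores

BOB_CERT = issue_cert("Toy CA", CA_PRIV, "Bob", BOB_PUB)
FORGED_CERT = issue_cert("Toy CA", MAL_PRIV, "Bob", MAL_PUB)  # not signed by the CA
MESSAGE = b"Buy 100 shares"
print(check_message(TRUSTED, BOB_CERT, MESSAGE, sign(BOB_PRIV, MESSAGE), "Bob"))
print(check_message(TRUSTED, FORGED_CERT, MESSAGE, sign(MAL_PRIV, MESSAGE), "Bob"))
```

The forged certificate carries Bob's name but fails at the CA-signature check, which is the step that answers how Alice knows a public key is really Bob's.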



In summary, for electronic transactions or communications, you can check the recipient’s public key so you know who you are really sending a message to. Then you can digitally sign your document or message with your private key and send your certificate with it. The recipient can then check your certificate to be sure the message really came from you.

And it is important of course that you trust the CA who issued the certificate, just as we trust VISA or the passport office. The advantage of having a certificate that chains up to VeriSign is that all the latest browsers will automatically recognize and trust VeriSign or VeriSign Trust Network certificates.

In this way, using Digital Certificates, all the challenges of Security for e-commerce can be met.

For Further Information...
SafeScrypt Ltd.
667-668 Keshava Towers,
11th Main,
Jayanagar 4th Block,
Bangalore – 560011, India

Phone No: +91-80-6555104
Fax: +91-80-6555300
E-mail: safeexim@safescrypt.com
