Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
10 Hot Hadoop Startups to Watch
Server makers rushing out Heartbleed patches
Fortinet, McAfee, Trend Micro, Symantec, Bitdefender battle in socially-engineered malware prevention test
Net neutrality ruling complicates US transition to IP networks
6 Social Media Mistakes That Will Kill Your Career
Canonical's new Ubuntu focuses on the long haul
4 Qualities to Look for in a Data Scientist
Big bucks going to universities to solve pressing cybersecurity issues
Mozilla appoints former marketing head to interim CEO
Box patches Heartbleed flaw in its cloud storage systems

Public-key encryption for dummies

Send to colleague


As the world increasingly turns to electronic business, electronic credentials that prove identity are becoming a critical necessity. Much like a passport proves identity in the offline world, public-key infrastructure (PKI) delivers a way to prove identity in the online world.

PKI is fast becoming the cornerstone of information security technology for a large number of companies.

PKI ensures that people are who they say they are and also proves that documents haven't been tampered with, which is critical when conducting online transactions, such as placing orders or transferring money. Here's a simplified look at these state-of-the-art passports to the online world.

The magic of PKI occurs through the use of extremely long prime numbers, called keys. Two keys are involved - a private key, which only you have access to, and a public key, which can be accessed by anyone. The two keys work together, so a message scrambled with the private key can only be unscrambled with the public key and vice versa. The more digits in these keys, the more secure the process.

Just as you prove your identity through a handwritten signature offline, you use a digital signature to prove your identity online. But without seeing a person sign the document, how can you prove it's the right person?

This is where public-key cryptography comes in. A large piece of data set to be encoded - for instance, a document - is run through a complicated mathematical computation to generate a single large number, called a hash. The original data and the hash are inextricably linked. If either changes, the hash won't match and the message cannot be decoded.

To digitally sign a document, a hash is taken of the document and then signed with a user's (let's call him Bob) private key. Data scrambled with Bob's private key can only be unscrambled with Bob's public key. Any entity can verify the validity of the document by unscrambling the hash with Bob's public key and checking that against another hash computed from the received data.

If the hashes match, the data was not tampered with and Bob's digital signature is on it. But because I didn't watch Bob sign the document, I don't know that it wasn't signed by an imposter. This issue is solved because only Bob has his private key, and so he is the only one who could have signed the document.

How do I know I have the correct key to verify the signature? This is where the concept of trust enters the system, creating the need for a certificate authority to verify online identity.

The certificate authority is like an online passport bureau - a trusted entity that makes the PKI system work. The private key is securely generated by Bob, and after verifying Bob's identity, the certificate authority signs Bob's public key with its own private root key. The combination of Bob's public key and the signature of the certificate authority completes Bob's digital certificate.Bob's digital certificate is his online passport, validated by the certificate authority's watermark.

Let's look at how all this works together in a simple transaction. Bob wants to send Alice a confidential e-mail. Bob would use Alice's public key, stored in her certificate, to scramble the message. When Alice receives the message, she uses her private key to unscramble it. Because no one else possess Alice's private key, only she can unscramble the message.

The process is similar in complex transactions. Let's say Bob wants to let Alice order products from his Web site. When Alice is ready to buy, Bob requests that she prove her identity. Alice signs the order with her private key, which was issued by a certificate authority we'll call TrustCo. She then sends the package consisting of the order and the digital signature to Bob.

Bob needs to get Alice's and TrustCo's digital certificate to verify the signature. He validates Alice's certificate by verifying TrustCo's signature (remember TrustCo signs Alice's public key, thus forming the certificate), and then uses Alice's certificate to validate the signature on the order. If all those tests pass, Alice is actually Alice.

Like any security technology, digital signatures used in the PKI model aren't perfect. If the certificate authority's root key is stolen, then anyone can create digital certificates, which compromises the trust level of the certificate authority and makes all the certificates from that certificate authority null and void. Certificate authorities go to great lengths to keep their keys secure, including armored bunkers. Additionally, if Bob loses his private key, or if it's stolen, then anyone possessing the private key can pose as Bob.

More importantly, thousands of applications used throughout businesses need to be PKI-ready. Applications need to know how to ask Bob to sign data and how to validate the data using certificates. For PKI to become a widely used technology, it must become a transparent part of everyday software, so end users don't need to understand all the complexity behind keys, hashes and digital certificates.

Rothman is executive vice president of SHYM Technology, a software company that makes PKI wares. He can be reached at or

how it works


Tell us your thoughts on this article or the issues raised in it. We'll cc: the author and editors on all comments.


E-mail address:

Can we post your comments in an online forum on the topic?
Yes No

What did you think of this article?
Very useful Somewhat useful Not at all useful

Would you want to see:
More articles on this topic
Fewer articles on this topic

Thank you! When you click Submit, you'll be taken back to this article.


Tell us your thoughts on this article or the issues it raises.

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.