
Public Cryptography and Private Key - Public-key Cryptography

PUBLIC-KEY CRYPTOGRAPHY

Public-key, or asymmetric, cryptography involves two separate keys: a private key maintained by a single entity and a public key available to any user over a network. A central authority, such as an online bank, broadcasts its public key, enabling any client to send encrypted messages to that destination. Only that original authority, however, can decrypt the communications using its private key, thereby securing the information from hackers and other unauthorized onlookers. Because these keys are used across such a wide network of people, they typically contain a greater number of bits, which makes the code more difficult to crack.

Because of its simple availability to large numbers of people, public-key encryption was considered the favored infrastructure for e-commerce in the early 2000s. Digital signature technology, for instance, relies on the public-key infrastructure. The 1999 passage of the Electronic Signatures in Global & National Commerce Act opened the floodgates for public-key cryptography as never before by creating legal parity between handwritten signatures and digital signatures. In turn, this was a major boon to a whole range of new and established forms of e-commerce, particularly in the financial services industries. The leading public-key encryption scheme used in e-commerce was Secure Sockets Layer (SSL), developed by Netscape but long supported by both Netscape and Microsoft browsers.

The primary vehicle by which transactions and messages are encrypted using public-key cryptography is the digital certificate. Digital certificates are issued by a central authority and contain the user's name and e-mail address, an expiration date, and the authority's name. Digital certificates are stored on the user's computer or, increasingly, on a smart card or a central server accessible over the Internet.
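
The certificate described above, as an added example that is not part of the original entry: a toy authority signs the user's name, e-mail address, expiration date and its own name with its private key, and anyone holding the public key can check them. The key (two Mersenne primes), the unpadded textbook RSA, the field names and `Example CA` are assumptions made for illustration; real certificates use the X.509 format and padded signatures.

```python
import hashlib
import json
from datetime import date

# Constructed toy key pair for the authority (assumption, illustration only):
# two Mersenne primes and textbook RSA without padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, published to everyone
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, kept by the authority

FIELDS = ("name", "email", "expires", "issuer")

def digest(cert):
    """Hash the certificate fields, in a fixed order, to an integer below N."""
    body = json.dumps([cert[k] for k in FIELDS]).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def issue(name, email, expires, issuer="Example CA"):
    """Authority side: sign the fields with the private key."""
    cert = {"name": name, "email": email,
            "expires": expires.isoformat(), "issuer": issuer}
    cert["signature"] = pow(digest(cert), D, N)
    return cert

def verify(cert, today):
    """Relying party: uses only the public key (N, E)."""
    if pow(cert["signature"], E, N) != digest(cert):
        return "bad signature"         # a field changed after issuance
    if date.fromisoformat(cert["expires"]) < today:
        return "expired"
    return "ok"

if __name__ == "__main__":
    cert = issue("Alice Example", "alice@example.com", date(2030, 1, 1))
    print(verify(cert, date(2029, 6, 1)))
    altered = dict(cert, expires="2040-01-01")   # holder tries to extend validity
    print(verify(altered, date(2029, 6, 1)))
```

Changing any signed field, including the expiration date, invalidates the signature, which is why a relying party checks the signature before trusting the date.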

The complexity of the public-key infrastructure stems from the management of a hierarchy of different certificate authorities and central servers, along with the level of individual customization involved in using a digital certificate on a personal computer or smart card. But once a public-key infrastructure is in place and a sound key management system has been implemented, the rewards can be astounding, particularly for those e-commerce firms engaged in the transfer of massive amounts of sensitive information, as in online banking. In business-to-business operations, public-key cryptography also can lead to efficiency gains. With the security afforded by digital certificates, companies can allow each other mutual access to internal company network infrastructures, greatly streamlining the transaction processes between business partners.
