Asymmetric Cryptography for Data Secrecy and Protection

When we talk about cryptography, it’s very common to think only of techniques for maintaining the secrecy of information. However, encryption can be used in many other situations. In this post we’ll look at applying asymmetric cryptography techniques to verify the origin of a message.

Asymmetric encryption

One of the most striking features of asymmetric cryptography is the key pair: one part is public and the other is private.

While the public part can be disclosed to all interested parties, the private part cannot. After all, it must be protected and kept secret by the entity that owns the pair, be it a person or a system.

This key pair is something very special, because when one of the keys is used to encrypt data, only the partner key of the pair can be used in the reverse process.

And it is this characteristic that makes it possible for various cryptographic schemes to exist in communication between two entities.

Alice and Bob’s messages

To make it easier to understand, let’s use the classic analogy. It presupposes the existence of two users, Alice (A) and Bob (B), each with its own key pair.

Alice and Bob exchange letters (messages) with each other and each letter is placed in an envelope that has a special padlock, which, when closed with one of the keys, can only be opened with the pair’s partner key.

Note that since we have two pairs of keys, one for each user, we have a total of 4 keys that can be used to lock the envelope!

So which key should be used? Well, it depends on which security service you want to implement when sending this letter.

Asymmetric encryption for secrecy

If the goal is to guarantee the secrecy of the letter, Alice must lock the padlock with Bob’s public key. In this way, the only key capable of opening it is the partner key, i.e. Bob’s private key.

Remember that Bob’s private key, by definition, must be known only to Bob. This way, only Bob can open the padlock on the envelope and take the letter out.

Asymmetric encryption for the origin

If she wants the origin of a message or letter to be verifiable, Alice can lock the envelope using her private key. Thus, the only key that opens the envelope is the partner key, i.e. Alice’s public key.

Remember that Alice’s public key, by definition, is public knowledge. This way, everyone could open the envelope using Alice’s public key.

Note that in this situation, although the letter is in a sealed envelope with a padlock, the contents are not secret. After all, anyone can open the lock on the envelope using Alice’s public key.

What is required is verification of the origin of the letter (or the sender’s authorship). In other words, for Bob to check if the letter came from Alice, all he has to do is open the padlock with her public key.
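The two padlock choices above as runnable Node.js, an added example that is not part of the original post. In practice "locking with the private key" is done as a digital signature, which is what this code uses; the helper names (sealFor, openWith, signAs, cameFrom), the RSA-2048 keys and the OAEP/PSS padding are assumptions of this example.

```javascript
const { generateKeyPairSync, publicEncrypt, privateDecrypt, sign, verify, constants } =
  require('node:crypto');

// Two key pairs, four keys in total, as in the analogy. Generated fresh on each run.
const alice = generateKeyPairSync('rsa', { modulusLength: 2048 });
const bob = generateKeyPairSync('rsa', { modulusLength: 2048 });

// Padding settings (assumed choices for this example): OAEP to encrypt, PSS to sign.
const oaep = (key) => ({ key, padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });
const pss = (key) => ({
  key,
  padding: constants.RSA_PKCS1_PSS_PADDING,
  saltLength: constants.RSA_PSS_SALTLEN_DIGEST,
});

// Secrecy: the envelope is locked with the RECIPIENT's public key.
function sealFor(recipientPublicKey, letter) {
  return publicEncrypt(oaep(recipientPublicKey), Buffer.from(letter, 'utf8'));
}

// Only the partner private key opens it; any other key fails and yields null.
function openWith(privateKey, envelope) {
  try {
    return privateDecrypt(oaep(privateKey), envelope).toString('utf8');
  } catch {
    return null;
  }
}

// Origin: the seal is made with the SENDER's private key. The letter stays readable.
function signAs(senderPrivateKey, letter) {
  return sign('sha256', Buffer.from(letter, 'utf8'), pss(senderPrivateKey));
}

// Anyone holding the sender's public key can check the seal.
function cameFrom(senderPublicKey, letter, signature) {
  return verify('sha256', Buffer.from(letter, 'utf8'), pss(senderPublicKey), signature);
}

const letter = 'Dear Bob, lunch at noon? Alice'; // constructed sample letter
const envelope = sealFor(bob.publicKey, letter);
const signature = signAs(alice.privateKey, letter);

console.log('Bob opens envelope:    ', openWith(bob.privateKey, envelope));
console.log('Alice opens envelope:  ', openWith(alice.privateKey, envelope));
console.log('Signed by Alice:       ', cameFrom(alice.publicKey, letter, signature));
console.log('Signed by Bob:         ', cameFrom(bob.publicKey, letter, signature));
console.log('Altered letter passes: ', cameFrom(alice.publicKey, letter + '!', signature));
```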

Symmetric encryption

It is interesting to note that the secrecy service could also be implemented with symmetric cryptography (which uses a single key). After all, it’s much faster.

It is therefore common to see security protocols that use hybrid schemes with symmetric and asymmetric cryptography to implement confidentiality, origin verification, authentication and non-repudiation services, taking advantage of the benefits of each: the speed of symmetric cryptography and the flexibility of asymmetric cryptography.
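A hybrid envelope for the secrecy service, as an added Node.js example that is not part of the original post: a one-time symmetric key encrypts the letter and only that small key is locked with the recipient's public key. The function names, AES-256-GCM and RSA-2048 with OAEP are assumptions of this example.

```javascript
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
  createCipheriv, createDecipheriv, constants } = require('node:crypto');

const bob = generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = (key) => ({ key, padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Sender side: fast symmetric encryption for the letter, asymmetric only for the key.
function hybridSeal(recipientPublicKey, letter) {
  const sessionKey = randomBytes(32); // fresh AES-256 key, used for this letter only
  const iv = randomBytes(12);         // GCM nonce, must never repeat under the same key
  const cipher = createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(letter, 'utf8'), cipher.final()]);
  return {
    wrappedKey: publicEncrypt(oaep(recipientPublicKey), sessionKey),
    iv,
    body,
    tag: cipher.getAuthTag(), // detects any change to the encrypted body
  };
}

// Recipient side: unwrap the session key with the private key, then decrypt the body.
// Returns null if the private key is not the partner key or the envelope was altered.
function hybridOpen(recipientPrivateKey, env) {
  try {
    const sessionKey = privateDecrypt(oaep(recipientPrivateKey), env.wrappedKey);
    const decipher = createDecipheriv('aes-256-gcm', sessionKey, env.iv);
    decipher.setAuthTag(env.tag);
    return Buffer.concat([decipher.update(env.body), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample: far longer than the 190 bytes RSA-2048 with OAEP-SHA256 can encrypt directly.
const longLetter = 'Dear Bob, the quarterly figures follow. '.repeat(200);
const sealed = hybridSeal(bob.publicKey, longLetter);

console.log('letter bytes:', Buffer.byteLength(longLetter));
console.log('wrapped key bytes:', sealed.wrappedKey.length);
console.log('round trip ok:', hybridOpen(bob.privateKey, sealed) === longLetter);
```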

Finally, after all this explanation, at least one question remains open: how does Bob know for sure that the copy he has really is Alice’s public key, and how does Alice know for sure that she has Bob’s public key?

The way to trust someone’s public key is to get a copy of it from someone you trust. You need a mark on the key that says: “this is so-and-so’s public key”.

The combination of the entity’s public key and the entity’s identifying information is called a digital certificate, a topic for another post.
