Public-Key Encryption - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Encryption and Decryption

Public-Key Encryption

The most commonly used implementations of public-key encryption are based on
algorithms patented by RSA Data Security. Therefore, this section describes the RSA
approach to public-key encryption.
Public-key encryption (also called asymmetric encryption) involves a pair of keys—a
public key and a private key—associated with an entity that needs to authenticate its
identity electronically or to sign or encrypt data. Each public key is published, and the
corresponding private key is kept secret. (For more information about the way public keys
are published, see "Certificates and Authentication," which begins on page 774.") Data
encrypted with your public key can be decrypted only with your private key. Figure J-2
shows a simplified view of the way public-key encryption works.
Figure J-2 Public-Key Encryption
The scheme shown in Figure J-2 lets you freely distribute a public key, and only you will be
able to read data encrypted using this key. In general, to send encrypted data to someone,
you encrypt the data with that person's public key, and the person receiving the encrypted
data decrypts it with the corresponding private key.
Compared with symmetric-key encryption, public-key encryption requires more
computation and is therefore not always appropriate for large amounts of data. However,
it's possible to use public-key encryption to send a symmetric key, which can then be used
to encrypt additional data. This is the approach used by the SSL protocol.
As it happens, the reverse of the scheme shown in Figure J-2 also works: data encrypted
with your private key can be decrypted only with your public key. This would not be a
desirable way to encrypt sensitive data, however, because it means that anyone with your
public key, which is by definition published, could decrypt the data. Nevertheless,
private-key encryption is useful, because it means you can use your private key to sign data
with your digital signature—an important requirement for electronic commerce and other
commercial applications of cryptography. Client software such as Communicator can then
use your public key to confirm that the message was signed with your private key and that it
hasn't been tampered with since being signed. "Digital Signatures" (beginning on page 772)
and subsequent sections describe how this confirmation process works.
Appendix J Introduction to Public-Key Cryptography 771