Tech Talk

By

William Dan Terry

Director of Technology, NetPubs International

IP News (Internet Edition) Spring 1997

On a Cryptographic Diet:
Out of the Puzzle Palace and Into Your Office

It used to be that cryptography was a relatively unheard of and arcane field limited to some mathematicians and secretive government entities. Now it's covered in the news with some frequency, particularly as it applies to electronic material and the Internet.

Two things are responsible for this occurrence: the readily available, ever-increasing computing power, and the need to protect communications and electronic material in a globally connected, predominantly collaborative communications medium called the Internet.

With the increased use of the Internet for presenting intellectual property and commerce, industry and individuals are turning to cryptography for protection.

Cryptographic protection of communications is becoming more prevalent, though invisibly, to most users. This is happening most notably on the Web with Web servers and Web browsers managing the cryptographic aspects of the message traffic. While the technology developers build these features into communications, users and originators of intellectual property will be actively participating in protecting their words and materials by means other than straight communications security like this. Such security can ensure the privacy of the message between sender and recipient but it doesn't ensure the authenticity of the sender or recipient nor the integrity of the original material.

To back up a step, cryptography is the means of rendering cleartext (directly usable material) into cyphertext (material in an unusable form) and back. This is accomplished by processing the cleartext or cyphertext using a cryptographic algorithm and a key. By using cryptography it is possible to provide for privacy, integrity, and authenticity. Cryptographic algorithms fall into two categories: secret key and public key. (There are other names for these, but I won't cloud the discussion with nomenclature.) The underpinnings of these may stay hidden, but names like PGP, RSA, DES, IDEA, MD5, and BLOWFISH will start becoming tools for publishers that are separate from communications level security.

Secret key algorithms use a key that can be used for both encryption and decryption. For this reason the key must remain secret only to those who have authority to access the material. Therefore, the key must be distributed to all parties involved before use. Secret key algorithms tend to be faster than public key ones.

Public key algorithms actually use a pair of keys, one of which is private to the owner and one of which is published publicly, making secret key distribution unnecessary. Each key can be used to encrypt cleartext and the other key of the pair can be used to decrypt the cyphertext. For example, if an originator encrypts cleartext using her private key, then anyone decrypting the cyphertext with the originator's public key (the only key that will successfully decrypt the material) will be assured of the originator's identity. Now, if the originator re-encrypts the cyphertext using the public key belonging to the intended recipient before sending it, only the intended recipient will be able to decrypt the material. Both privacy and authenticity have been ensured with no secret key distribution headaches.

Still seem esoteric to the publishing world? While a variety of different uses are still being worked out, the following is one simplified possibility. A customer wishes to purchase an article from a publisher. I'll pass over the financial transaction and go on straight to document delivery. The publisher encrypts the article with its private key. This guarantees that the source of the article is the publisher, thereby ensuring the integrity of the material. The cyphertext is re-encrypted with the buyer's public key and sent via email. This ensures that only the purchaser can make use of the material. If this type of transaction becomes the norm, software tools would surface that automate the process, making it a very simple process for the publisher.

Another way to achieve the same goal would be to encrypt the article using key "A" with secret key encryption because this tends to be faster, and then to use public key encryption just to encrypt the key "A". The encrypted key and article would then be sent via email to the purchaser.

Another area in which cryptography will play a large role is in guaranteeing the integrity of material. This is done with something known as a digital signature. The digital signature is used when privacy is not an issue. So the route a digital signature takes is to create a unique "finger print" of the document and then encrypt that using public key encryption. This guarantees the integrity of the document and the authenticity of the source.

The finger print is created using something known as a hash function. A hash function is an algorithm that takes an input, like a document, digests it, and produces a hash number, which has a high probability of being unique and is always reproducible. A cryptographic quality hash function has an extremely high probability of being unique and makes it impossible to recover the original input from the hash number. This hash number is then used to verify the integrity of the document.

The public key encryption of the hash number ensures the authenticity of the source and the integrity of the hash number itself. The user would decrypt the digital signature, which recovers the hash number. The document would be processed with the same hash function and the hash number produced would be compared to the hash number recovered from the digital signature. These will be the same if the document is truly the same. Et voila, document integrity verification.

How the standard uses will eventually be used is yet to be seen, but cryptography will become an office tool for publishers. An understanding of the basics will be useful in making the most of this tool.

IP News Spring 1997 Table of Contents IP News Title Page
http://www.lodestonesystems.com/doc/IPNews.html ©1997, NetPubs International