Public Key Infrastructure (PKI)

Public-key cryptography, also known as asymmetric cryptography, is a form of cryptographyin which the key used to encrypt a message differs from the key used to decrypt it.

In public key cryptography, a user has a pair of cryptographic keys—a public key and a private key. The private key is kept secret, while the public key may be widely distributed. Incoming messages would have been encrypted with the recipient's public key and can only be decrypted with his corresponding private key. The keys are related mathematically, but the private key cannot be practically derived from the public key.

Conversely, secret key cryptography, also known as symmetric cryptography uses a single secret keyfor both encryption and decryption. To use symmetric cryptography for communication, both the sender & receiver would have to know the key beforehand, or it would have to be sent along with the message.

The two main branches of public key cryptography are:

Public key encryption— a message encrypted with a recipient's public key cannot be decrypted by anyone except the recipient possessing the corresponding private key. This is used to ensure confidentiality.

Digital signatures— a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender signed it and that the message has not been tampered with. This is used to ensure authenticity.

Example 1:(Using PGP( ex: gnupgp)) - You send an encrypted message to Alice and Alice decrypts it

1. You say to PGP that it has to encrypt a message with the Alice's public key 'APK' PGP creates a new temporary secret key 'TSK' randomly

2. PGP encrypts the message by means of the temporary key 'TSK' (it uses IDEA, CAST or Triple-DES algorithms, which are symmetric systems)

3. PGP encrypts the temporary key 'TSK' by means of the Alice's public key 'APK' (it uses RSA or DSS/Diffie-Hellman algorithms, which are asymmetric systems). So this key become an encrypted key 'EK'

4. PGP sends both of them (the encrypted message and the key used to encrypt it) to the recipient Alice receives your message

5. She decrypts the encrypted key 'EK' by means of her private key 'APRIVK' (here PGP uses RSA or DSS/Diffie-Hellman algorithm). So the key become 'TSK' again

6. Now her copy of PGP 'knows' the temporary secret key 'TSK', so it can use it to decrypt the message.

Example2:Giving a .NET Assembly a Strong Name

When the compiler digitally signs an .NET assembly, it calculates a cryptographic digest of the contents of the assembly. A cryptographic digest is a fancy hash of your assembly's file contents. Let's call this cryptographic digest the compile-time digest of the assembly. The compiler encrypts the compile-time digest using the 1,024-bit private key from your public-private key pair file. The compiler then stores this encrypted compile-time digest into the assembly. Note that this all happens during development.

Sometime later, whenever the .NET loader loads an assembly with a strong name, the loader itself calculates a cryptographic digest of the contents of the assembly. Let's call this digest the runtime digest of the assembly. The loader then extracts the encrypted compile-time digest from the assembly, extracts the public key for the assembly from the assembly itself, and uses the public key to decrypt the previously encrypted compile time digest. The loader then compares the calculated runtime digest to the decrypted compile-time digest. When they are not equal, something or someone has modified the assembly since you compiled it; therefore, the runtime fails the assembly load operation.

Links:

http://www.codeguru.com/columns/experts/article.php/c4643