Monday, September 27, 2021

CST 311 - Week 4

Secure Communication



This week I studied secure communication. The internet provides many useful communication services, but hackers can easily intercept important messages. Apps must provide confidentiality by ensuring intercepted messages cannot be read. Hackers can also modify intercepted messages or even forge messages or headers. There must be ways to verify identities (authentication) and to verify that messages have not been altered (integrity).

Confidentiality


Encryption enforces confidentiality. Plaintext messages are converted to encrypted versions known as ciphertext. A key and a message are passed into an encryption algorithm (RSA, for example) to produce the ciphertext. For encryption to work, the receiver must have a key to decrypt the message. Since it is not feasible for two random people on the internet to have the same (symmetric) key, a public key system was introduced to solve the problem. Every computer has a pair of keys: a public key and a private key, which are two halves of the same key pair (K+ and K-, respectively). If I want to send you a message, I will run your public key and my message through an encryption algorithm before I send it to you. You will then use your private key with the relevant decryption algorithm to read the message. While this does provide confidentiality, it does not include authentication: anyone can encrypt with your public key, so impersonation can occur.

Authentication and Integrity


To verify that a message has been received from a trusted sender, digital signatures can be used. Senders apply their private key to a message and receivers use the sender's public key to verify the signature. This also preserves message integrity: if the message has been altered, verification fails because applying the sender's public key to the signature no longer yields the original message. Note that it can be computationally expensive to apply digital signatures to entire messages, so the digital signature can instead be applied to a message that has been passed through a hash function (like SHA-1 or MD5). The hashed version of the message would be used for authentication and integrity checks. To verify that a signature is real, certificate authorities, which bind public keys to specific, unique identities, may be referenced.
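The hash-then-sign flow described above, as an added example that is not part of the original post: textbook RSA with constructed toy keys, showing that verification fails for an altered message and for a signature made with someone else's private key. The names Alice and Mallory, the message and the key sizes are assumptions; SHA-256 is used in place of SHA-1 and MD5, both of which have known collision attacks.

```python
import hashlib

E = 65537  # commonly used RSA public exponent


def make_keypair(p, q):
    """Build (K+, K-) = ((n, e), (n, d)) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of e modulo phi (Python 3.8+)
    return (n, E), (n, d)


def digest_int(message, n):
    """Hash the message and map the digest into the range [0, n)."""
    h = hashlib.sha256(message).digest()
    # Toy reduction only: real schemes pad the digest (e.g. RSA-PSS) instead.
    return int.from_bytes(h, "big") % n


def sign(message, private_key):
    """Sender side: apply K- to the hash of the message."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message, signature, public_key):
    """Receiver side: apply K+ to the signature and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


# Constructed toy keys built from small Mersenne primes; far too short for real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

MESSAGE = b"Pay Bob 10 dollars"          # constructed sample message
SIGNATURE = sign(MESSAGE, ALICE_PRIV)

if __name__ == "__main__":
    print("genuine message:  ", verify(MESSAGE, SIGNATURE, ALICE_PUB))
    print("altered message:  ", verify(b"Pay Bob 1000 dollars", SIGNATURE, ALICE_PUB))
    forged = sign(MESSAGE, MALLORY_PRIV)  # signed with the wrong private key
    print("impersonated sender:", verify(MESSAGE, forged, ALICE_PUB))
```

The last check only holds if the receiver already knows which public key really belongs to Alice, which is the binding a certificate authority supplies.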
