PKI – Public Key Infrastructure is based on a pair of complementary keys performing the operations of encryption or decryption, and is therefore also known as an asymmetrical cryptography. One key of the pair is called a “public” and the other one a “secret” key. The public key can openly be distributed while the secret key is kept hidden.
Encryption and decryption are performed by asymmetrical algorithms which are generally defined in such a way that they use a pair of keys of which either one can be used for cryptography. Should one key of the pair be used for encrypting the massage, then only the other key of the pair can be used for decrypting. However, it is common that the encrypting be done by the public key while decrypting with the secret key. In that way, anybody can encrypt a message by using a public key but the message can only be decrypted and read by the owner of a secret key.
Picture 1 Encryption and Decryption
Public keys, therefore, need to be available to the public. Additionally, users of the public keys need to be certain that the key truly belongs to the person claiming such a thing. For such purposes there are specialized institutions, confidential agencies (so called, certificate authorities) that are issuing certificates. Confidential agency warranties with a certificate that a public key is truly the property of a certain person.
Asymmetrical algorithm feature of being possible to do the encryption with one key and the successful decryption exclusively with the other key of the same pair has been used in the definition of the digital signature. The role of the digital signature is manifold:
authenticates the sender
keeps the integrity of the message
secures irrefutability
To digitally sign the message means to create a textual representation of the message (summary) and do the cryptography with a secret key. The summary of the message is created by applying some of the hash functions on the original message. There are several hash functions (MD5, SHA-1, SHA-256) but they all have three important characteristics in common:
For every input array of any length they produce an output array of the same, fixed length
There are no two different input arrays for which hash functions produce identical output arrays
It is extremely difficult (impossible in practice) to produce the input array from the output array.
Picture 2 Digital Signature
Once created digital signature is attached to the original message. Solely the signatory, the owner of the secret key, can then create such a digital signature. On the other hand, anybody who holds in their possession the public key of the signatory can verify the legitimacy of the digital signature. It is sufficient to compare the two summaries: the first which is attained by decrypting of the digital signature and the other which is obtained by applying of the hash functions to the original message. If these two summaries match, the digital signature is valid.
Picture 3: Verification of the Message Received Summary
