Passport please. Identity control!
Today’s cryptography goes far beyond the protection of confidentiality and, to a lesser extent, integrity. In the virtual world you don’t really know who you are talking to.
If someone has intercepted your encrypted message and knows the key, he knows your plans. If he lets it pass on to the addressee, he can take you by surprise.
These two problems are at the origin of asymmetric cryptography, also called public key cryptography. What does that mean?
This cryptographic system uses a specific technology and an organization called ‘Public Key Infrastructure (PKI)’, a term you have probably already heard.
Forget the complex mathematical explanations. The idea is simple: you create, at the same time, a pair of keys that are intimately and exclusively linked: what you encrypt with one, you decrypt with the other.
Hence, if a message can be decrypted with your public key, only you can have encrypted it. Knowing the public key, it is technically impossible, even with considerable resources, to find the other.
It also works the other way around: if we send you a message encrypted with your public key, only you are able to decrypt it.
You keep one key for yourself (the private key) and you communicate the other (the public key), either to those you want to communicate with secretly, or through a database everybody can access.
What’s the use?
You are always totally sure of the identity of the sender or addressee of the message. They are authenticated … provided that the private key has been certified and correctly protected.
- What you encrypt with your private key is certified, and those who decrypt it with your public key are certain it comes from you
- What you encrypt with someone’s public key can only be decrypted with the addressee’s private key. You are then certain that nobody else can read your message.
You link the message together with its date and time and compress it (hash it) into a fixed-length digest. You encrypt this digest with your private key and send it with the certificate that authenticates you. Your signature thus authenticates both your identity and the content of the document.
The keys are created on your computer or on a specific terminal in an administration.
It is used, for example, for your bank transactions. Your bankcard authenticates you. The authentication has a very short lifetime, generally limited to the Internet session. Depending on the system used by the bank, you must authenticate yourself to access your account and also for the transactions themselves.
The electronic signature has the same value as your hand-written signature if it has been certified. You can use it for all public actions.
Your keys are created during a visit to a public administration on a dedicated terminal, as soon as your identity has been verified and proven.
One speaks of “certificates” that have been certified by a trusted authority (and covered, in cascade, up to a national or international authority).
For the signature, we use registers published in a public database. The certificate has a defined validity period. In case of a problem, compromise or any incident, your key is placed on a list of ‘revoked keys’. You then just need to create a new pair.
Full stop. It’s no more complicated than that. Bear in mind that this mode of authentication and signature gains new markets every day. You’ll use it very soon (if it is not already the case) on your tablet or smartphone for online shopping or your tax return. New applications are launched regularly.
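To make the three ideas above concrete, the key pair (what one key encrypts, only the other decrypts), the signature over the hashed document and its date/time, and the checks a verifier makes on a certificate (authority signature, validity period, revocation list), here is an added Python example that is not part of the original post. It uses a deliberately small textbook RSA, written here only so that the example runs with the standard library; it has no padding and a 512-bit modulus, which is not a construction to use in a real system, where a vetted library and much larger keys are used. The certificate fields, serial numbers, timestamps and messages are constructed for the example.

```python
import hashlib
import random
from dataclasses import dataclass

# --- toy RSA primitives (textbook RSA, no padding: for illustration only) ---

def _is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # fixed size, odd
        if _is_probable_prime(cand, rng=rng):
            return cand

def _modinv(a, m):
    """Extended Euclid: x such that a*x == 1 (mod m)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r, old_s, s = r, old_r - q * r, s, old_s - q * s
    return old_s % m

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): the public and the private half of one pair."""
    rng = random.SystemRandom()  # keys must come from a system randomness source
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible modulo phi
            return (p * q, e), (p * q, _modinv(e, phi))

def apply_key(value, key):
    """Exponentiate with either half of the pair: what one half computes,
    only the other half reverses."""
    n, exp = key
    return pow(value, exp, n)

def encrypt_bytes(message, key):
    m = int.from_bytes(message, "big")
    assert m < key[0], "message too long for this toy (no padding)"
    return apply_key(m, key)

def decrypt_bytes(ciphertext, key):
    m = apply_key(ciphertext, key)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")  # drops leading zero bytes

# --- signature: hash the document together with its date/time, then sign ---

def _hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_bytes(data, private_key):
    return apply_key(_hash_int(data), private_key)

def verify_bytes(data, signature, public_key):
    return apply_key(signature, public_key) == _hash_int(data)

def _stamped(document, timestamp):
    return document + b"|" + timestamp.to_bytes(8, "big")

def sign_document(document, timestamp, private_key):
    return sign_bytes(_stamped(document, timestamp), private_key)

def verify_document(document, timestamp, signature, public_key):
    return verify_bytes(_stamped(document, timestamp), signature, public_key)

# --- certificate: the authority vouches for a public key, for a period ---

@dataclass(frozen=True)
class Certificate:  # constructed, minimal stand-in for a real X.509 certificate
    serial: int
    subject: str
    public_key: tuple   # (n, e) of the holder
    not_before: int     # unix timestamps bounding the validity period
    not_after: int
    ca_signature: int   # authority's signature over the fields above

def _cert_tbs(serial, subject, public_key, not_before, not_after):
    """Canonical 'to-be-signed' encoding of the certificate fields."""
    return f"{serial}|{subject}|{public_key[0]}|{public_key[1]}|{not_before}|{not_after}".encode()

def issue_certificate(serial, subject, public_key, not_before, not_after, ca_private):
    tbs = _cert_tbs(serial, subject, public_key, not_before, not_after)
    return Certificate(serial, subject, public_key, not_before, not_after, sign_bytes(tbs, ca_private))

def check_certificate(cert, ca_public, now, revoked_serials):
    """Return (ok, reason): authority signature, validity period, revocation list."""
    tbs = _cert_tbs(cert.serial, cert.subject, cert.public_key, cert.not_before, cert.not_after)
    if not verify_bytes(tbs, cert.ca_signature, ca_public):
        return False, "certificate not signed by the trusted authority"
    if not cert.not_before <= now <= cert.not_after:
        return False, "certificate outside its validity period"
    if cert.serial in revoked_serials:
        return False, "certificate revoked"
    return True, "ok"

if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()
    alice_pub, alice_priv = generate_keypair()
    cert = issue_certificate(1, "Alice", alice_pub, 1_700_000_000, 1_731_536_000, ca_priv)
    doc, ts = b"Pay invoice 42", 1_710_000_000
    sig = sign_document(doc, ts, alice_priv)
    print(check_certificate(cert, ca_pub, ts, set()), verify_document(doc, ts, sig, alice_pub))
    print(verify_document(doc + b"0", ts, sig, alice_pub))  # tampered document
    print(check_certificate(cert, ca_pub, ts, {1}))         # serial on the revocation list
```

The verifier never needs Alice's private key: the authority's public key validates the certificate, the certificate carries Alice's public key, and that key validates the signature over the hash. Changing one byte of the document, or its timestamp, changes the hash and the verification fails; a key on the revocation list fails even inside its validity period.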
As your mobile phone number is probably the most stable element in your life, it will be used to authenticate you. You should therefore
1° avoid giving it to everybody (unless you have two numbers, a public one and a private one)
2° protect your smartphone against theft or loss (unless you always control access to it with a code and encrypt its content).
An informed user is worth two…
See you later, safer with your information.