Understanding digital identities

This page provides information about cryptographic methods for signatures and encryption.

Asymmetric cryptography

Symmetric means: You encrypt something with a password and decrypt it with the same password. This is impractical when more than two parties want to exchange information. Additionally, you have to meet physically once to agree on a shared secret password.

Asymmetric cryptography works differently:
  • A mathematically linked key pair--a private key and a public key--is generated for person A.
  • The private key is kept secret by person A. Whoever has this key can sign mail in the name of person A or decrypt messages sent to A.
  • The public key will be made as public as possible. Everyone who has this key and is certain this key belongs to A can check signatures for their validity and is able to send A encrypted messages.
  • A person B can send encrypted emails to A as soon as they know for sure what A's public key is.
  • Problem: How do you know for sure if a certain key really belongs to A?

Solution:
  • There is a public key of a notary C--a central trustworthy authority.
  • C's public key is hard-coded into each program that needs a trust infrastructure, for instance an email program or a browser.
  • Whoever needs a digital identity lets C sign a data record containing
    • full name and email address (C checks the information with the help of a government-issued ID),
    • current time and expiration date,
    • contact details of C,
    • and other information.
  • This signed data record is a certificate, whose validity can be checked by anyone's program knowing notary C's public key.
  • A certificate combined with the private key is a digital identity. Saved together in a file, it is called PKCS12.
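
The check a mail program or browser performs with notary C's hard-coded public key, as an added example that is not part of the original page. It assumes textbook RSA without padding over small fixed primes and a JSON data record in place of a real X.509 certificate; all names, addresses and keys are constructed, and none of this is suitable for real use.

```python
import hashlib, json
from datetime import date

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Return (public modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(record, n):
    """Hash the canonical JSON form of the data record, reduced below n."""
    data = json.dumps(record, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(record, n, d):
    """Notary C signs the record with its private key: the result is the certificate."""
    return {"record": record, "signature": pow(digest(record, n), d, n)}

def check(cert, trusted_n, today):
    """Verify a certificate using only the trusted notary's public key."""
    rec = cert["record"]
    if pow(cert["signature"], E, trusted_n) != digest(rec, trusted_n):
        return "bad signature"
    if not rec["not_before"] <= today.isoformat() <= rec["not_after"]:
        return "expired or not yet valid"
    return "valid"

# Constructed toy keys built from Mersenne primes: far too small for real use.
C_N, C_D = make_key(2**127 - 1, 2**89 - 1)   # notary C
X_N, X_D = make_key(2**107 - 1, 2**61 - 1)   # a signer the program does not trust

A_RECORD = {  # constructed sample record with the fields listed above
    "name": "Person A", "email": "a@example.org",
    "not_before": "2024-01-01", "not_after": "2024-12-31",
    "issuer": "Notary C, ca@example.org",
}
CERT = issue(A_RECORD, C_N, C_D)
ALTERED = {"record": dict(A_RECORD, email="someone-else@example.org"),
           "signature": CERT["signature"]}   # record changed after signing
UNTRUSTED = issue(A_RECORD, X_N, X_D)        # same record, signed by someone else

if __name__ == "__main__":
    for label, cert, day in [("genuine", CERT, date(2024, 8, 5)),
                             ("altered record", ALTERED, date(2024, 8, 5)),
                             ("unknown signer", UNTRUSTED, date(2024, 8, 5)),
                             ("after expiry", CERT, date(2025, 1, 1))]:
        print(f"{label}: {check(cert, C_N, day)}")
```

Only C's public modulus is needed to run the check; C's private exponent is used solely when issuing.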

Topic revision: 05 Aug 2024, wherbst