 How to use Signer: Cryptography basics

As easy as 1, 2, 3...

This tutorial will help developers who need a basic understanding of cryptography.
Without going too deeply into the details, we will describe terms, acronyms and concepts.

 

Public/private keys, hash

Asymmetric cryptography is today the heart of the Internet public key infrastructure.

By now you have certainly heard of such terms as SSL, VPN and PKI. However enigmatic, these acronyms are all based on a very simple theory - also called "public key cryptography."

In asymmetric cryptography there are two types of keys:

  • A public key known to all.
  • A private key known only to the key owner.

This approach eliminates all the problems related to key distribution. Since public keys do not need to be hidden, you do not have to share a permanent secret with your partners (who you may not even know!).

The most commonly known and used public key algorithms are RSA and ElGamal (Diffie-Hellman). They both work on the assumption that any information ciphered by one key of a pair can only be deciphered by the other key of that pair.

The system can only be broken by using brute force decoding, but the success of such an attack depends on the key length. The longer the key, the more combinations there are, and thus the longer it takes to break it.
Actually, it has been calculated that even if one were to use all the computers on the planet, it would take up to a century to break a 1,024-bit RSA key.

 

Signatures & certificates

Hash algorithms are at the heart of signatures. We will see in this chapter how they are used to generate a digital signature and certificates.

A hash is a small, fixed-length value generated by a one-way function.
It has an interesting characteristic in that different sets of data will create different hash values. The hash (also known as the "message digest") is not reversible: it is not possible to determine the original message from it.

Hashes are ciphered using a private key to create a digital signature. This process (also known as "signing") gives the resulting data an "ownership" - as only the corresponding public key can decipher it.
This is the main concept behind digital signatures: the ability to give a unique hash for any given piece of data and to assign it an owner.
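
The hash-then-sign flow described above, as an added example that is not part of the original tutorial or of Signer: the data is hashed, the hash is ciphered with the private key, and anyone holding the public key deciphers it and compares it with a fresh hash. It assumes textbook RSA without the padding that real signature schemes add, and a constructed key pair built from two well-known Mersenne primes; all function names are hypothetical.

```python
import hashlib

# Constructed demo key pair: two known Mersenne primes, so the block runs
# offline. These primes are public knowledge; this key protects nothing.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # public modulus (1,128 bits)
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def digest_int(data: bytes) -> int:
    """SHA-256 message digest of the data, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Cipher the hash with the private key (D, N): the digital signature."""
    return pow(digest_int(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Decipher the signature with the public key (E, N) and compare the
    result with a freshly computed hash of the data."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest_int(data)


def demo() -> dict:
    message = b"Pay 100 EUR to Alice"    # constructed sample input
    tampered = b"Pay 900 EUR to Alice"   # same signature, altered data
    sig = sign(message)
    return {
        "original_ok": verify(message, sig),
        "tampered_ok": verify(tampered, sig),
        "forged_ok": verify(message, (sig + 1) % N),
    }


if __name__ == "__main__":
    print(demo())
```

Only `sign` touches the private exponent `D`; `verify` needs nothing but the public values `E` and `N`, which is why the signature can be checked by anyone.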

But in modern cryptography it is also important to have information about who signed the data, and that's where certificates come to the rescue.

Certificates add information about the validity of a given public key. They usually have an expiration date and a certification chain, which is used to build trust relationships. We won't go too far into this topic as it can get really boring...

Alongside the certification chain lies the revocation list. Certificates normally expire when their expiration date passes, but sometimes it is necessary to have them cancelled earlier. This is what the revocation list is used for, and it requires a dynamic connection to the third-party entity. This is usually achieved using an HTTP GET.

X.509, a standard certificate representation, is used throughout the industry.

We've seen in this chapter two important parts of modern cryptography:

  1. Signatures: the process of building a unique hash for any chunk of data and giving it an ownership using a private key.
  2. Certificates: which give information about a public key owner by adding information such as expiration date, parent trustee, serial numbers, etc.

 

Exchanging and protecting keys

By now you have understood that the private key is very important and must be kept secret. Even a key stored on your hard drive might be at risk since anyone could steal it and sign using your digital identity.
For this reason, the industry developed a set of standards aimed at protecting your keys as well as helping key exchange.

PFX and PKCS12 are specifications of keystores protected by a password. They are used to store keys on the file system.

PKCS7 keystores only have public information (public key + certification chain) and are typically used to send a set of public keys to another party. Since all the information is public, they do not require a password.

Adobe came up with its own set of keystores called ADF and FDF, which bring little benefit over PKCS7 if taken out of the PDF context.


© 2000-2007 Crionics Inc.