Symmetric / asymmetric cryptography

What is a public key (used in asymmetric cryptography)?

Public-key cryptography is a method used to send and exchange messages securely (authentication of the sender, and a guarantee of integrity and confidentiality). The technique is based on the principle of an “asymmetric key pair” of encryption keys (encryption being the general term used here for the mathematical techniques of encoding and decoding data). Each individual involved in a transaction has a “private key” and a “public key.” You must never divulge your private key to anyone, but you can give your public key to all of your contacts without restriction. The general principles of public-key cryptography are as follows:

– A message encoded with a private key can only be decoded using the associated public key
– Similarly, a message encoded with a public key can only be decoded using the associated private key
– A given public key can only be associated with a single private key (several different private keys cannot have the same public key as their complement)
– Likewise, a given private key can only be associated with a single public key (several different public keys cannot have the same private key as their complement)

What is a secret key (used in symmetric cryptography)?

Symmetric-key cryptography was widely used to encrypt confidential messages. Its use gradually declined following the arrival of public-key cryptography, even though the two techniques are very often used together. In symmetric, or secret, key encryption, the same key is used to encrypt and decrypt a message. It is exactly the same principle as the key to a door, which requires the same key to lock and unlock it.

The difficulty is getting your secret key to the person with whom you want to communicate confidentially. This method has several drawbacks: whenever you need to exchange messages with several people, you must hold as many secret keys as there are people you wish to communicate with, and store all of these secret keys in a highly secure manner. Managing all of these secret keys therefore rapidly becomes very complex and turns into a source of security risk.

What is the relationship between public keys and certificates?

The main issue with public-key cryptography (for message signing and encryption) is the trustworthiness, or authenticity, of the public key received from a contact or retrieved from a shared directory. To send a confidential message to someone, you must use their public key, which requires you to be absolutely sure that the key is indeed theirs. Similarly, to verify that a message they receive was indeed sent and signed by you, your contacts need your public key.

An electronic certificate is an electronic document that binds the name of a person (private individual, legal entity, website, router…) to a public key. Like a traditional identity card, which establishes the link between a face, a name and a handwritten signature, the certificate establishes the link between a public key and its owner (private individual or legal entity).

To use a person’s public key with complete confidence, the key must be certified by a Certificate Authority (CA). Before issuing a certificate, the CA therefore uses various authentication procedures to ensure that the certificate requester is the person they claim to be, and is truly the owner of the public key to be certified. Thus, if end users trust the CA that issued the certificate and have a copy of its public key (to verify the signature, the “official stamp” on the certificate received), they are assured of the legitimacy of the certificate and therefore of its public key.


What is a trusted third party?

A Trusted Third Party is an organization authorized to implement electronic signatures based on Public Key Infrastructure (PKI) architectures. It may also be a third party to whom a copy of the private key of a public-key encryption system is entrusted (key escrow).

What is the role of IDnomic regarding a CA?

IDnomic is a Trust Services Provider. We handle the technical production of certificates on behalf of, and on the instructions of, the Certificate Authority, under a technical outsourcing relationship. We are not responsible for defining the identity verification procedures that lead to the issuance of digital certificates, or for defining the conditions that, for instance, result in the revocation of the certificates issued by a company undergoing liquidation. IDnomic operates Public Key Infrastructures (PKI) for Certificate Authorities that request this service, and lets these Certificate Authorities choose the methods by which they issue, distribute and manage their digital certificates.

Is it possible to secure a fleet of mobile devices using a PKI?

A Public Key Infrastructure is a well-established and reliable security technology that organizations have been using for decades to authenticate users, machines and servers. Using a PKI for mobile devices means implementing an affordable and easy-to-deploy identity management solution for company devices and employees.

Digital certificates can be used on mobile devices to:

– Sign and encrypt email
– Authenticate email
– Authenticate users on VPNs and Wi-Fi networks

What is the difference between authentication, identification and permission?

Identification means associating a physical person with their digital identity. Authentication means verifying that identity. Once the person has been identified and authenticated, their identity is associated with their permissions in order to determine whether they are authorized to access certain resources (applications, data) and, in certain cases, to allow them to perform online transactions.