Your Web server's Secure Sockets Layer (SSL) security feature utilizes a technique known as public key encryption to shield the session key from interception during transmission.

Public key algorithms use two different keys: a public key and a private key. The private key is held privately by the owner of the key pair, and the public key is distributed to anyone who requests it. If one key is used to encrypt a message, then the other key is required to decrypt it.

Digital signatures and digital envelopes are produced using two different, but related processes. The process for creating a digital signature involves using the sender's private key, whereas the process of creating a digital envelope uses the intended recipient's public key.

Digital Signatures Authenticate Authorship

Digital signatures are used to confirm authorship, not to encrypt a message. The sender uses his or her private key to generate a digital signature string that is bundled with the message. Upon receipt of the message, the recipient uses the sender's public key to verify the signature. Because the signature can be verified only with the signer's public key, and could have been produced only with the matching private key, a valid digital signature is proof that the message sender's identity is authentic.

Digital Envelopes Encrypt Messages

Digital envelopes are used to send private messages that can only be understood by a particular recipient. To create a digital envelope, the sender encrypts the message using the recipient's public key. The message can only be decrypted using the recipient's private key, so only the recipient will be able to understand the message.

You can configure your Web server's SSL security features to guarantee the integrity of your content, verify the identity of users, and encrypt network transmissions.

Your Web server requires a valid server certificate to establish SSL secure communications. Use the Key Manager utility to generate a certificate request file. If you aren't using Microsoft Certificate Server 1.0 to issue your server certificates, then a third-party certificate authority (CA) must approve your application and issue your server certificate. You can either forward your request file to the authority or use Key Manager to deliver the request to an online authority. After you receive a server certificate file, use Key Manager to install it on your computer.

Data Encryption Techniques

Cryptography

Cryptography provides a set of techniques for encrypting data and messages so that they can be stored and transmitted securely. Cryptography can achieve secure communications even when the transmission medium—such as the Internet—is not trustworthy. Cryptography can also encrypt sensitive files so an intruder cannot understand them.

Encryption

  • When a message is encrypted, an encryption key is used.
  • To decrypt the message, the corresponding decryption key must be used.
  • It is imperative to properly restrict access to the decryption key because anyone who possesses it will be able to decrypt all messages encrypted with the matching encryption key.

Public-Key Algorithms

Public-key algorithms use two different keys: a public key and a private key. The private key is kept private to the owner of the key pair. The public key is distributed to anyone who requests it, often through a digital certificate. If one key is used to encrypt a message, then the other key is required to decrypt it.

Digital Signatures and Digital Envelopes

Digital signatures and digital envelopes are produced using two different, but related processes. The process for creating a digital signature involves using the sender's private key, whereas the process for creating a digital envelope uses the intended recipient's public key.

Digital Signatures

Digital signatures are used to confirm authorship, not to encrypt a message. The sender uses his or her private key to generate a digital signature string that is bundled with the message. Upon receipt of the message, the recipient uses the sender's public key to validate the signature. Because the signature can be validated only with the signer's public key, and could have been produced only with the matching private key, a valid digital signature is proof that the message sender's identity is authentic.
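As an added example that is not part of the original documentation, the following Go code implements the two halves of that process with the standard library: `sign` uses the sender's private key, `verify` uses the sender's public key, and the message body travels in the clear because a signature authenticates rather than hides it. RSA-PSS over a SHA-256 digest and the function names are assumptions, not what the Web server itself uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SignedMessage is what the sender transmits: the message itself, still readable by
// anyone, plus a signature that only the sender's private key could have produced.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// newKeyPair generates a 2048-bit RSA key pair; the private half stays with its owner.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sign hashes the body and signs the digest with the sender's private key (RSA-PSS).
func sign(senderKey *rsa.PrivateKey, body []byte) (SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, senderKey, crypto.SHA256, digest[:], nil)
	return SignedMessage{Body: body, Signature: sig}, err
}

// verify checks the bundle with the claimed sender's public key. It succeeds only if the
// signature was made by the matching private key over exactly this body, so a changed
// body, or a signature from some other key pair, is rejected.
func verify(senderPub *rsa.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], m.Signature, nil) == nil
}
```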

Digital Envelopes

Digital envelopes are used to send private messages that can only be understood by a specific recipient. To create a digital envelope, the sender encrypts the message using the recipient's public key. The message can only be decrypted using the recipient's private key, so only the recipient will be able to understand the message.

Digital Certificates

Authenticity of Public Keys

  1. The use of digital signatures and envelopes assumes that the identity of the owner of the public key used to encrypt or decrypt a message is established beyond doubt.
  2. To guarantee the authenticity of public keys, Microsoft Certificate Server provides digital certificates as a secure method of exchanging public keys over a nonsecure network.

Certificate Authorities

A digital certificate is a set of data that completely identifies an entity, and is issued by a Certificate Authority (CA) only after that authority has verified the entity's identity. The data set includes the public cryptographic key issued to the entity.

When the sender of a message signs the message with its private key, the recipient of the message can use the sender's public key (retrieved from the certificate, which is either sent with the message or available elsewhere in the directory service) to verify that the sender is legitimate.

Certificate Revocation Lists

Certificates, like most real-world forms of identification, can expire and no longer be valid. The CA can also revoke them for other reasons. To handle the existence of invalid certificates, the CA maintains a Certificate Revocation List (CRL). The CRL is available to network users to determine the validity of any given certificate.
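The following Go program, added here as an example and not part of the original documentation or of Microsoft Certificate Server, shows the model the two sections above describe using only Go's standard library: a self-signed root CA issues a certificate, a relying party checks that the certificate chains to the trusted CA and is within its validity period, and then consults the CA-signed CRL before accepting it. The names `issue`, `revoke` and `checkCert` are assumptions, Ed25519 keys stand in for whatever algorithm a real CA uses, and the serial number scheme is simplified for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue returns a certificate for subject and its private key: a self-signed root CA when parent
// is nil, otherwise one signed by the parent CA (a real CA signs only after verifying identity).
func issue(subject string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // key-generation errors ignored for brevity
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // a real CA uses large random serials
		Subject: pkix.Name{CommonName: subject}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed root: only the CA's key may sign certificates and CRLs
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// revoke returns a DER-encoded CRL, signed by the CA, that lists serial as revoked.
func revoke(ca *x509.Certificate, caKey ed25519.PrivateKey, serial *big.Int) ([]byte, error) {
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}}}
	return x509.CreateRevocationList(rand.Reader, crl, ca, caKey)
}

// checkCert accepts leaf only if it chains to the trusted CA, is within its validity period,
// and its serial is absent from the CA's CRL, which is trusted only if the CA signed it.
func checkCert(leaf, ca *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return errors.New("CRL is unreadable or not signed by the trusted CA")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked by its CA")
		}
	}
	return nil
}
```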

Private Communication on the Internet Using Encryption

Private communication on the Internet depends upon the ability to prevent anyone except the intended recipient from being able to read a message—even though anyone on the network might be able to intercept it.

The need for privacy and authentication over nonsecure networks requires some form of data encryption and decryption, otherwise known as cryptography, as part of a software security system. Cryptographic protocols employing certificates are designed to address these needs.

When a message is encrypted, an encryption key is used. To decrypt the message, the corresponding decryption key must be used. It is very important to properly restrict access to the decryption key because anyone who possesses it will be able to decrypt all messages that were encrypted with the matching encryption key.

Encryption is the process of scrambling information by applying a mathematical function in such a way that it is extremely difficult for anyone other than an intended recipient to retrieve the original information. Central to this process is a mathematical value, called a key, used to scramble the information in a unique and complex way.

Your Web server uses essentially the same encryption process to secure communication links with users. After establishing a secure link, a special session key is used by both your Web server and the user's Web browser to both encrypt and decrypt information. For example, when an authenticated user attempts to download a file from a Web site requiring a secure channel, your Web server uses a session key to encrypt the file and related HTTP headers. After receiving the encrypted file, the Web browser then uses a copy of the same session key to recover the file.

This method of encryption, although secure, has an inherent drawback. During the process of creating a secure link, a copy of the session key might be transmitted across an unsecured network. Therefore, a computer vandal intent on compromising the link need only intercept and steal the session key. To safeguard against this possibility, your Web server implements an additional method of encryption.
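The following Go code, added here and not part of the original documentation or of the Web server's implementation, shows the digital envelope from the "Digital Envelopes" section applied to exactly this problem: the session key is generated fresh, the message is encrypted with it, and the key itself crosses the network only encrypted under the recipient's public key, so intercepting the traffic yields nothing without the recipient's private key. RSA-OAEP for key wrapping, AES-256-GCM for the message, and the names `seal` and `open` are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what crosses the network: the message under a one-time session key, and that key under the recipient's public key.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey []byte
}

// newKeyPair generates the recipient's 2048-bit RSA key pair; the private half never leaves them.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// seal encrypts msg with a fresh AES-256-GCM session key and wraps that key with RSA-OAEP under the recipient's public key.
func seal(recipient *rsa.PublicKey, msg []byte) (Envelope, error) {
	buf := make([]byte, 32+12) // session key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	block, _ := aes.NewCipher(sessionKey) // cannot fail: we chose a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil), WrappedKey: wrapped}, nil
}

// open recovers the session key with the recipient's private key and decrypts; any other key, a modified ciphertext or a malformed envelope is rejected.
func open(recipient *rsa.PrivateKey, e Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, e.WrappedKey, nil)
	if err != nil || len(sessionKey) != 32 {
		return nil, errors.New("session key cannot be unwrapped with this private key")
	}
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	if len(e.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed envelope")
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // GCM also fails if the ciphertext was altered
}
```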