Editor’s note: Each Monday, technical writer Ed Crockett examines trends and issues in high tech, from the newest in wireless to how best to ensure network security. In these days of growing concern about identity theft and hacking of financial transactions, there are steps individuals and companies should be taking to enhance security.

Understanding some basic terminology is part of that job.

Browser-based security on your desktop is generally adequate for transactions between retailer and consumer, partly because losses are considered tolerable. But browser security … Secure Sockets Layer (SSL), for example … falls short of offering the depth of protection required for high-dollar and high-secrecy transactions online.

An alternative to consider is cryptography.

In the conduct of commerce over the Internet, three objectives must be met to protect the interests of transaction participants:

A. Sender verification

B. Content integrity

C. Non-repudiation … the ability to legally establish origin and receipt of a document.

The three objectives are achieved through today’s cryptographic technology, which creates a barrier that knows no known penetration.

Cryptography, keys, and hashing

Cryptography is mathematical. Specifically, it is that branch of applied mathematics that tries to make electronic information unintelligible to all except the intended recipient. The cryptographic technology most commonly used for Internet commerce today is RSA Public Key Cryptosystem, referred to as RSA throughout this article.

Named after its MIT creators Rivest, Shamir, and Adleman, RSA encryption involves calculations of two mathematically related public and private keys. The Private Key belonging to the message sender is used in the encryption process, while the sender’s Public Key is used, in conjunction with the receiver’s Private Key, to decrypt the message.

For the RSA method to work, both the sender and receiver must posses both a Public Key and a Private Key. The sender’s Public Key provides parameters … used with the recipient’s Private Key … to unscramble the message originally sent. The receiver must know the Private Key, but the Public Key is transmitted along with the encrypted message or document. Access to the encrypted document is achieved only when the receiver’s Private Key is the inverse of the sender’s Public Key.

Hashing (or the hash function) is an algorithm that generates a value based on the message being encrypted and the Private Key of the sender. This value, known as the message-digest, is then encrypted using the sender’s Private Key. The hashing process results in a digital signature, which is the basis for verification.

Digital signatures

A digital signature, then, is created in a two-step process. First, the message text is processed through a hash function, which produces a unique but condensed version of the original called the message-digest. Second, the message-digest is encrypted using the sender’s Private Key as a parameter.

Digital IDs … not to be confused with digital signatures … perform the role of the personal ID or employee badge. A Digital ID helps ensure that the person you are communicating with is indeed the person you believe you’re communicating and not some imposter who has stolen someone’s Private Key.

How can you be sure that a digital signature you received is valid? A third party verifier is needed for this, and companies, such as ViaCrypt, Entrust, and VeriSign have answered the call.

VeriSign, for example, plays the role of a trusted third party, which itself digitally signs Public Keys to verify their validity. Senders must attach a Digital ID when sending a message. The recipient first uses the Digital ID to verify the sender’s Public Key. Next, the recipient uses the Public Key to access the message (see the VeriSign link).

Certificates

A key pair (Public Key and its associated Private Key) does not inherently identify its owner. Certificates were established to bind a key pair to an individual. A trusted third party, such as one of those mentioned previously, issues an electronic certificate, which associates a key pair with a document author or signer. The certificate attests that the prospective signer named on the certificate holds the corresponding Private Key.

Simply put, RSA Public Key Cryptosystem offers the best technology known to be available today for securing transactions over the Internet. The prospect of deriving the Private Key from knowledge of the Public Key is considered by experts to be a “computationally infeasible” task.

“Computationally infeasible,” says the American Bar Association, “is a relative concept based on the value of the data protected, the computing overhead required to protect it, the length of time it needs to be protected, and the cost and time required to attack the data, with such factors assessed both currently and in the light of future technological advance.”

Here are some links for further information about digital security:

ABA: www.abanet.org/scitech/ec/isc/dsg-toc.html
O’Reilly publishing: http://www.verisign.com/docs/pk_intro.html