Wednesday, May 14, 2008

Windows 2008 Understanding Private / Public Key Encryption


Microsoft Windows Server 2008 Resources and Reviews


Several encryption schemes for securing data transmission are in current use: private key encryption, public key encryption, and combinations of the two. The set of these three schemes and the technology and standards or protocols that surround them is collectively known as the public key infrastructure (PKI). In Windows Server 2008, PKI is an integral part of the operating system, especially in Active Directory. Windows Server 2008 has implemented all three encryption key schemes and fully supports them with Active Directory Certificate Services (AD CS).


Private Key Encryption


Private key encryption, or symmetric cryptography (which is also what is used with file and folder encryption, as previously discussed), is relatively old and uses a single key to both encrypt and decrypt a message. This means that the key itself must be transferred from sender to receiver. If this is done over the phone, the Internet, or even a courier service, an unauthorized person simply needs to intercept the key transfer to get hold of the key and decrypt the message. Private key encryption, though, has a major benefit in that it is much faster (as much as 1,000 times faster) than the alternatives. Private key schemes are therefore valuable in situations where you do not have to transfer the key or can do so with security—for example, for personal use such as data encryption, as just discussed, or sending information to someone that you first meet face to face. Several private key encryption schemes are available with Windows Server 2008 for exchanging information. If you are transferring information among Windows Server 2008 and Windows Vista computers, Advanced Encryption Standard (AES) 128 will be used by default, using a key 128 bits long. Within the same versions of Windows, AES-192 and AES-256 are also available, with respectively longer keys. For exchanges with older versions of Windows and other operating systems, the default is to use 3DES (three-step encryption using the Data Encryption Standard). The older DES, using a 56-bit key, is no longer felt to be secure.
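To make the single-key idea concrete, here is an added example (my own code, not from the original post or from Windows) using Go's standard library. One shared key both seals and opens the message; the key length selects AES-128, AES-192 or AES-256 exactly as the post lists them; and a party holding any other key cannot read the message. AES in GCM mode is my choice for the illustration, not something the post specifies, and the message bytes are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Variant reports which AES variant a key of the given length selects,
// mirroring the post's AES-128 / AES-192 / AES-256 naming.
func Variant(key []byte) string {
	switch len(key) {
	case 16:
		return "AES-128"
	case 24:
		return "AES-192"
	case 32:
		return "AES-256"
	}
	return "invalid key length"
}

// NewKey generates a random shared key of n bytes (16, 24 or 32).
// In practice this is the key that must somehow reach the receiver.
func NewKey(n int) ([]byte, error) {
	k := make([]byte, n)
	_, err := rand.Read(k)
	return k, err
}

// Encrypt seals plaintext under the single shared key with AES-GCM.
// The result is nonce || ciphertext || authentication tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects any length other than 16/24/32
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. The same key must be supplied; with any other
// key the GCM tag check fails and no plaintext is returned at all.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	msg := []byte("constructed sample message") // constructed demo input
	for _, n := range []int{16, 24, 32} {
		key, _ := NewKey(n)
		sealed, _ := Encrypt(key, msg)
		out, err := Decrypt(key, sealed)
		fmt.Printf("%s with the shared key: %q err=%v\n", Variant(key), out, err)
		other, _ := NewKey(n)
		_, err = Decrypt(other, sealed)
		fmt.Printf("%s with a different key: err=%v\n", Variant(key), err)
	}
}
```

The loop runs the same round trip for all three key sizes; the second Decrypt in each iteration fails, which is the point of the post's warning about key transfer: whoever ends up holding the one key, and nobody else, can read the traffic.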

Public Key Encryption


Public key encryption, or asymmetric cryptography, which was developed in the mid-1970s, uses a pair of keys—a public key and a private key. The public key is publicly known and transferred, and is used to encrypt a message. The private key never leaves its creator and is used to decrypt the message. For two people to use this technique, each generates both a public key and a private key, and then they openly exchange public keys, not caring who gets a copy of them. Each person encrypts their message to the other by using the other person's public key, and then sends the message. The message can be decrypted and read only by using the private key held by the recipient. The public and private keys use a mathematical algorithm that relates them to the encrypted message. By use of other mathematical algorithms, it is fairly easy to generate key pairs, but with only the public key, it is extremely difficult to derive the private key. The process of public key encryption is relatively slow compared with private key encryption. Public key encryption is best in open environments where the sender and recipient do not know each other.


Combined Public and Private Key Encryption


Most encryption on the Internet actually is a combination of public and private key encryption methods. The most common combination, Secure Sockets Layer (SSL), was developed by Netscape to go between HTTP and TCP/IP. SSL provides a highly secure and very fast means of both encryption and authentication.

Recall that private key encryption is very fast but has the problem of transferring the key, whereas public key encryption is very secure but slow. If you were to begin a secure transmission by using a public key to encrypt and send a private key, you could then securely use the private key to quickly send any amount of data you wanted. This is how SSL works. It uses a public key to send a randomly chosen private key, and in so doing sets up a "secure socket" through which any amount of data can be quickly encrypted, sent, and decrypted. After the SSL header has transferred the private key, all information transferred in both directions during a given session—including the URL, any request for a user ID and password, all HTTP web information, and any data entered on a form—is automatically encrypted by the sender and automatically decrypted by the recipient.

Several versions of SSL exist, with SSL version 3 being the one currently in common use. SSL 3 is both more secure than, and offers improved authentication over, earlier

Another combination of public and private key methods is Transport Layer Security (TLS), which is an open security standard similar to SSL 3. TLS, which was drafted by the Internet Engineering Task Force (IETF), uses different encryption algorithms than SSL. Otherwise, TLS is very similar to SSL and even has an option to revert to SSL if necessary. Both SSL 3 and TLS have been proposed to the World Wide Web Consortium (W3C) standards committee as security standards.
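The following is an added example (my own code, not from the original post and not Windows or SSL library code) that puts the Public Key Encryption section and the combined scheme just described into one runnable Go program. Each party generates an RSA key pair and only public keys are exchanged; the sender picks a random symmetric session key, wraps it under the recipient's public key, and seals the bulk data under the session key; the recipient unwraps the session key with the private key that never left their machine, and a different private key fails to unwrap it. RSA-OAEP and AES-GCM are my choices of algorithm, the Envelope type is my own, and the payload is constructed. One caveat on the post's description: this public-key-wraps-session-key handshake is how SSL and TLS through 1.2 could establish the session key, whereas TLS 1.3 replaced it with an ephemeral Diffie-Hellman exchange; the envelope shape below remains the general structure of combined (hybrid) encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the wire (my own type for the example):
// the session key wrapped under the recipient's public key, plus the bulk
// data sealed under that session key with the fast symmetric cipher.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, session key)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext || authentication tag
}

// Seal is the sender's side of the combined scheme the post attributes to
// SSL: choose a random private (symmetric) key, send it under the public
// key, then encrypt any amount of data under the symmetric key.
func Seal(recipient *rsa.PublicKey, payload []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // AES-256 session key
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	// Slow public-key operation, but only on 32 bytes.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// Fast symmetric operation on the actual payload.
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, payload, nil),
	}, nil
}

// Open is the recipient's side: only the private key matching the public key
// used in Seal can unwrap the session key. With any other private key the
// OAEP decryption fails and the bulk data stays unreadable.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key cannot be unwrapped with this private key")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil) // fails if tampered
}

func main() {
	// Each party generates a key pair; only the public halves are exchanged.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)

	// Alice encrypts for Bob using Bob's public key (constructed payload).
	env, _ := Seal(&bob.PublicKey, []byte("constructed sample payload"))

	// Bob decrypts with his private key, which never left his machine.
	pt, err := Open(bob, env)
	fmt.Printf("Bob reads: %q err=%v\n", pt, err)

	// Alice's own private key does not match Bob's public key, so she
	// cannot read the message she encrypted for him.
	_, err = Open(alice, env)
	fmt.Printf("Alice reads: err=%v\n", err)
}
```

The payload can be any size while the public-key operation is always on the 32-byte session key, which is the speed trade the post describes; GCM additionally rejects any envelope whose ciphertext was altered in transit.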


Uttang.. said...

I am just laying out my understanding of combined public and private key encryption, correct me if I am wrong....

A secret key (private) is used to encrypt some data and that again is encrypted using a public key resulting in a ciphertext, the data is then transmitted. The receiver uses a private key to decrypt and also provides the secret key so the data is converted into plaintext..

Thanks!

SSL Encryption said...

This is an excellent post detailing the differences between public and private key encryption. I've been trying to brush up my own knowledge on SSL encryption for a job interview. Thank you Kaari for taking the time to write up this information.

electronic signature said...

Encryption is used to maintain security and data integrity. Public key encryption, private key encryption or a combination of both could be chosen depending on the requirement at hand.
