Secured communications

Secured communications are important. If an application wants to send or receive messages from a financial, business, or personnel application on the web, it must be able to authenticate the origin of the message, ensure that no malicious application has altered the original message, and ensure that no third party application can intercept the message.

Suppose that a person named Georges wants to send a message to his bank to transfer some money on the Internet. In this scenario, he faces the following concerns:

  1. The privacy of the message, since it includes his account number and the transfer amount.
  2. The integrity of the message, since someone might try to modify the original message or substitute a different message in order to transfer the money to another account.
  3. The authentication of the message, since the bank must ensure that the message was sent from the right person.

Message privacy

To keep a message private, use a cryptographic algorithm - a technique that transforms a message into an encrypted form unreadable except by those it is intended for. Once it is in this form, the message may only be interpreted through the use of a secret key. There are two kinds of cryptography algorithms: symmetric and asymmetric.

Symmetric means the sender and the receiver of a message have to share the same key used to encrypt a clear message into an encrypted form, and then to decrypt it back into the original message. If that key is kept secret, nobody other than the sender and the receiver can read the message. However, the task of choosing a private key before communicating can be problematic.

Asymmetric means that there are two different keys working as a key-pair. One key is used to encrypt a message, and the second one is used to decrypt the encrypted message back into its original form. This solves the problem of key sharing in the symmetric cryptography algorithm, and makes it possible to receive secure messages, simply by publishing the key used to encrypt messages (the public key), and keeping secret the key used to decrypt messages (the private key). Anyone can encrypt a message using the public key, but only the owner of the private key can read it.

Important: The use of an asymmetric key-pair (public and private key), allows Georges to send private messages to his bank, simply by using the bank's public key to encrypt a message. Only the owner of the corresponding private key (the bank in this scenario) is able to read it.

Message integrity

To guarantee the integrity of a message, send a concise summary of the original message. The receiver of the message can create its own summary and compare it to the sender's summary. If they are similar, the message is considered intact, meaning that no third party has modified the original message.

Such a summary is called a message digest and is based on hash algorithms that produce a fixed-length representation of variable-length messages. Message digests are designed to make it very difficult (if not impossible) to determine the original message from a summary.

The message digest must be sent to the receiver in a secure way to assure the message integrity. This is achieved with a digital signature authenticating the sender and containing the sender's message digest.

Important: The use of message digests allows Georges' bank to verify that no one has modified the original message he sent.

Message authentication

To authenticate a message, add a digital signature to that message.

A digital signature is another message, created by encrypting the message digest, along with some other information, with the sender's private key. Anyone with the corresponding public key can decrypt the digital signature. If an application is able to decrypt it, it means the owner of the private key was able to encrypt it, proving that the message comes from this sender and not from someone else.

Once the sender has been authenticated, the receiver can compare the message digest integrated into the digital signature to the one it created from the message it receives, in order to check the message integrity.

Important: The use of digital signatures allows Georges' bank to verify that the message really comes from him.