Modern Cryptography Systems: A Hybrid Approach

In fact, a mixture of both public key and traditional symmetric cryptography is used in current cryptographic systems. The motivation for this is that public key encryption schemes are computationally concentrated versus their symmetric key counterparts. Because symmetric key cryptography is much faster for encrypting bulk data, modern cryptography systems naturally use public key cryptography to resolve the key distribution problem first, and then symmetric key cryptography is used to encrypt the bulk data.

Such a system is used by today's SSL protocol for securing Web transactions and by secure e-mail schemes such as Secure/Multipurpose Internet Mail Extensions (S/MIME) that are built into such products as Netscape Communicator and Microsoft Internet Explorer.

The Key Management Problem

Basic every cryptographic system is a set of realistic harms and questions concerning security, privacy, and in general self-belief in the underlying privacy features of the system. In principle, the techniques of asymmetric and symmetric cryptography are enough to resolve the security properties and questions previously described. For instance, today's Web browsers use the public key of a Web site in order to send credit card numbers over the Web. Likewise, one can protect access to files and data using a private symmetric key to scramble the information before saving it.

Though, in practice, each of these problems requires a "certified" public key in order to operate correctly with no third parties being able to interfere. This leads to a second set of questions. For instance, how can you be sure that the public key that your browser uses to send credit card information is in fact the right one for that Web site, and not a bogus one? And, how can you dependably communicate your public keys to your correspondents so that they can rely on it to send you encrypted communications?

What is desirable in order to address such concerns is the notion of a "secure binding" between a given entity that participates in a deal and the public key that is used to bootstrap secure communication with that entity using asymmetric public key cryptography. The next part of the chapter describes how a combination of digital signatures and X.509 digital certificates (which employ digital signatures), as well as SSL certificates, fulfills this role in e-commerce trust systems.