Public key encryption, also known as asymmetric encryption, is based on a public/private key pair in which the keys are mathematically linked, so that data encrypted with the public key can only be decrypted with the corresponding private key. X.509 certificates use public key encryption as an alternative to shared secrets (which are discussed in the Direct Trust pattern).

With Public Key encryption the sender converts the plaintext message into ciphertext by encrypting it with the public key in the message recipient’s X.509 certificate. The message recipient converts the ciphertext back into the plaintext message by decrypting it using the corresponding private key.

The diagram below demonstrates how Public Key encryption and decryption take place:

Figure 1

Public Key data encryption and decryption

By encrypting a message with the recipient's public key, the message sender has assurance that only the recipient will be able to read it.

While the public key can be distributed openly for use by a service authenticating a requestor, the private key in a key pair should be carefully guarded by the Subject, as it is used to prove the subject's identity.

As well as providing data confidentiality through encryption, the public key in the X.509 certificate can also be used to verify digital signatures created by a message sender. In this case, the private key of the message sender is used to create the digital signature, and the corresponding public key, found in the sender's X.509 certificate, is used to verify the signature. Digital signatures are used to assure the message recipient that the message originated from the identified sender and that the message contents have not been altered since they were signed by the sender.

Note: With digital signatures using public keys, the origin of a signed message can be traced to exactly one party (either the requestor or the service), because only that party holds the private key. This differs from symmetric key protocols such as Kerberos, where both parties share the same key and a message could have been signed by either of them.

Figure 2 shows the process of using public keys to sign a message:

Figure 2

Creation and verification of a digital signature
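The two flows described above (encrypt with the recipient's certificate, decrypt with the private key; sign with the sender's private key, verify with the sender's certificate) as an added example in Go's standard library, not code from the original pattern. The self-signed certificate, the subject names and the message are constructed fixtures; a real Subject's certificate would be issued by a CA, and RSA-OAEP / RSA-PSS are the padding modes assumed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSubject generates an RSA key pair and a self-signed X.509 certificate carrying its public key (constructed fixture).
func NewSubject(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}
// Encrypt: the sender seals plaintext with the public key found in the recipient's certificate.
func Encrypt(recipient *x509.Certificate, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient.PublicKey.(*rsa.PublicKey), plaintext, nil)
}
// Decrypt: only the holder of the matching private key can recover the plaintext.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}
// Sign: the sender signs a SHA-256 digest of the message with its private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}
// Verify: the recipient checks the signature with the public key in the sender's certificate; any change to msg or sig yields false.
func Verify(sender *x509.Certificate, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig, nil) == nil
}
```

Decrypting with any key other than the recipient's, or verifying a signature against a different certificate or an altered message, fails, which is exactly the property the two figures rely on.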

For a more detailed description of data confidentiality, see the Data Confidentiality pattern. For more details on Digital Signatures, see the Data Origin Authentication pattern.

Microsoft Confidential. © 2005 Microsoft Corporation. All rights reserved. By using or providing feedback on these materials, you agree to the attached license agreement.