Understanding Cryptography Basics

In symmetric encryption, the same secret (also referred to as key) is used for both the encryption and decryption process. The sender and the recipient of the encrypted data must share the same key. The main advantage of symmetric encryption is its speed and efficiency. However, the challenge lies in securely sharing the secret key between the sender and the recipient.

A secure key exchange would already need an encrypted message. When thinking about the communication of two individuals, it might be an option for them to once meet in person and exchange the key. However, for modern internet communication, that's not a solution. Another technique is necessary. This is where asymmetric encryption comes into play.

Asymmetric encryption, also known as public key cryptography, uses a pair of different, but mathematically related keys for encryption and decryption: a public key and a private key.

• The public key is used for encryption (and verifying digital signatures). It can be distributed and shared with anyone.
• The private key is used for decryption (and creating digital signatures). It must be kept secret and only known to the owner.

Although the pair of keys relate mathematically to each other, it is computationally infeasible to derive one from the other.

The public key is used for the encryption of messages and only the corresponding private key allows the decryption of those messages. This is the main advantage of asymmetric encryption: The ability to securely exchange information without the need for a pre-shared secret key. It enables secure communication between parties who have never met before.

The public key can be shared with anyone because it can only be used for encrypting a message, but not for decrypting that message. That means, anyone knowing a person's public key can send encrypted messages to that person and only that person can decrypt the message. The security strongly depends on keeping the private key secret, otherwise a third party could decrypt the message as well.

However, asymmetric encryption is generally slower and computationally more intensive than symmetric encryption. That's why encrypted communication over the internet usually uses asymmetric encryption only at the beginning of a session, to securely exchange a pre-shared secret. This secret is then used for faster and more lightweight symmetric encryption.

This also applies to the HTTPS protocol, when a client establishes the connection to a server. The process of exchanging all the keys (and other information) is called TLS handshake. We'll learn more about the TLS handshake and server trust in the following lesson.

Digital signatures are cryptographic techniques used to verify the authenticity and integrity of digital documents, such as certificates or messages. They provide a way to ensure that the creator of a digital document is who they claim to be and that the document has not been tampered with.

A digital signature can be created for a document, or in other terms a document gets signed, by using a mathematical algorithm that generates a unique digital fingerprint, or hash, of the document, which is then encrypted using the creator's private key.

A hash is a fixed-length string of characters that uniquely represents the content of a document. It is not possible to calculate the original content from the hash. As soon as the content of the document changes slightly, the hash changes completely.

To verify a digital signature, the recipient of the document uses the creator's public key to decrypt the signature and obtain the document's hash. The recipient then independently calculates the hash of the document and compares it with the decrypted hash. If the two hashes match, it indicates that the document has not been altered and that the creator is authentic, meaning in possession of the matching private key.

We'll have a closer look at the usage of digital certificates for verifying the identity of servers and clients, and the maintenance of trust lists in the following lesson.

As we know from the video, a digital certificate, also known as a public key certificate or SSL/TLS certificate, is a digital document that verifies the authenticity of a website or entity on the Internet. It is issued by a trusted third-party organization, known as Certificate Authority (CA), after verifying the identity of the certificate holder. Digital certificates contain the name and the public key of the certificate holder, and additional information, such as the expiration date of the certificate and the digital signature of the CA. The public key is used for encrypting data and establishing secure communication channels, while the digital signature ensures the integrity and authenticity of the certificate.

Digital certificates can be stored in different file types supporting different capabilities, typically following the X.509 standard. Hence digital certificates are sometimes called X.509 certificates. The most commonly used file formats are as follows:

• PEM (Privacy Enhanced Mail) - Typical file extensions: .pem, .crt, .cer, .key

  The PEM format uses Base64 encoding to represent a certificate or private key in ASCII text format.

• DER (Distinguished Encoding Rules) / CER (Canonical Encoding Rules) - Typical file extensions: .der, .cer

  DER and CER are binary file formats used to store digital certificates. It is a more compact representation compared to PEM, as it does not use Base64 encoding.

• PKCS#12 (Public-Key Cryptography Standards) - Typical file extensions: .pfx, .p12

  PKCS#12 is a file format that can store multiple cryptographic objects, including digital certificates, private keys, and other related information. It is typically used for storing or transferring a private key together with the certificate and the chain. These files are usually encrypted and password-protected.

• JKS (Java Key Store): - Typical file extension: .jks

  The JKS file format is commonly used by Java-based applications. It can store private keys and certificates in a secure manner. These files are usually encrypted and password-protected.

As mentioned in the video, there are multiple (typically two) certificate authorities involved in establishing the certificate chain:

• The Intermediate Certificate Authority and
• the Root Certificate Authority.

A root CA is the highest level of authority in the certificate hierarchy. It is responsible for issuing and digitally signing the certificates of intermediate CAs, which in turn issue certificates to end entities such as websites, servers, or individuals.

The following screenshot shows the certificate viewer of a web browser for the website learning.sap.com. It shows the certificate chain with the intermediate CA in the middle and the root CA "DigiCert Global Root CA" at the top.

Root CAs are typically operated by trusted organizations, such as commercial certificate authorities or government entities. The digital signature of a root CA is embedded in the root certificate, which is distributed and trusted by web browsers and other software. This is necessary because root CAs don't have another CA above them. Hence, the certificate of a root CA is signed by the root CA itself. This is called a self-signed certificate.

As self-signed certificates cannot be verified by another CA, clients need to maintain trust lists, that contain the certificates of trusted CAs.

Web browsers, for instance, get shipped with a list of commonly known, trusted root CAs. In SAP solutions, these lists must be maintained by administrators and are often referred to as Trust Stores, Keystores , or Trust Lists.