{"id":541,"date":"2006-03-22T20:59:00","date_gmt":"2006-03-22T20:59:00","guid":{"rendered":"http:\/\/markwilson.me.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm"},"modified":"2007-03-09T14:58:36","modified_gmt":"2007-03-09T14:58:36","slug":"publicprivate-key-cryptography-in","status":"publish","type":"post","link":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm","title":{"rendered":"Public\/private key cryptography in plain(ish) English"},"content":{"rendered":"<p><!--114302351635562259--><a href=\"http:\/\/en.wikipedia.org\/wiki\/Public_key_infrastructure\">Public key infrastructure<\/a> (PKI) is one of those things that sounds like a good idea, but which I can never get my head around. It seems to involve so many terms to get to grips with and so, when <a href=\"http:\/\/blogs.technet.com\/steve_lamb\/\">Steve Lamb<\/a> presented a &#8220;plain English&#8221; PKI session at Microsoft UK a few weeks back, I made sure that I was there.<\/p>\n<p>Steve explained that a PKI can be used to secure e-mail (signed\/encrypted messages), browsing (SSL authentication and encryption), code (authenticode), wireless network connectivity (PEAP and EAP-TLS), documents (rights management), networks (segmented with IPSec) and files (encrypted file system).<\/p>\n<p>Before looking at PKI, it&#8217;s necessary to understand two forms of cryptography &#8211; symmetric and asymmetric.  I described these last year in my <a href=\"https:\/\/www.markwilson.co.uk\/blog\/2005\/08\/introduction-to-ipsec.htm\">introduction to IPSec<\/a> post.<\/p>\n<p>The important things to note about public key cryptography are that:<\/p>\n<ul>\n<li>Knowledge of the encryption key doesn&#8217;t give knowledge of the decryption key.<\/li>\n<li>The receiver of the information generates a pair of keys (either using a hardware security module or software) and publishes the private key in a directory.<\/li>\n<li>What one key does, the other undoes &#8211; contrary to many texts, the information is not always encrypted with the recipients public key.<\/li>\n<\/ul>\n<p>To some, this may sound like stating the obvious, but it is perfectly safe to publish a public key. In fact, that&#8217;s what a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Public_key_certificate\">public key certificate<\/a> does.<\/p>\n<p>Having understood how a PKI is an asymmetric key distribution mechanism, we need a trust model to ensure that the public key really does belong to who it says it does. What if I were to generate a set of keys and publish the public key as my manager&#8217;s public key? Other people could send him information but he wouldn&#8217;t be able to read it because he wouldn&#8217;t have the private key; however I would have it &#8211; effectively I could read messages that were intended for my manager.<\/p>\n<p>There are two potential methods to ensure that my manager&#8217;s public key really is his:<\/p>\n<ul>\n<li>One could call him or meet with him and verify the fingerprint (hash) of the key, but that would be time consuming and is potentially error-prone.<\/li>\n<li>Alternatively, one could employ a trusted third party to certify that the key really does belong to my manager by checking for a trusted digital signature on the key. The issue with this method is that the digital signature used to sign the key needs to be trusted too. Again, there are two methods of dealing with this:\n<ul>\n<li>A &#8220;web of trust&#8221; model, such as <a href=\"http:\/\/www.philzimmermann.com\/\">Phil Zimmermann<\/a>&#8216;s <a href=\"http:\/\/en.wikipedia.org\/wiki\/OpenPGP\">pretty good privacy<\/a> (PGP) &#8211; upon which the GNU privacy guard (GPG) on Linux systems was built &#8211; where individuals digitally sign one another&#8217;s keys (and implicitly trust keys signed by friends\/colleagues).<\/li>\n<\/ul>\n<ul>\n<li>A trusted authority and &#8220;path of trust&#8221; model, using <a href=\"http:\/\/en.wikipedia.org\/wiki\/Certificate_authority\">certificate authorities<\/a> (CAs), where everyone trusts the root CA (e.g. <a href=\"http:\/\/www.verisign.com\/\">VeriSign<\/a>, <a href=\"http:\/\/www.thawte.com\/\">Thawte<\/a>, etc.) and the CA digitally signs the keys of anyone whose credentials have been checked using it&#8217;s published methods (producing a certificate). One CA may nominate another CA and they would automatically be trusted too, building a hierarchy of trust.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Most CAs will have multiple classes of trust, depending on the checks which have been performed. The class of the trust would normally be included within the certificate and the different levels of checking should be published in a document known as a certificate practice statement.<\/p>\n<p>The analogy that I find useful here is one of writing and signing a cheque when paying for goods or services. I could write a cheque on any piece of paper, but the cheques that I write are trusted because they are written on <a href=\"http:\/\/www.firstdirect.com\/\">my bank<\/a>&#8216;s paper &#8211; that bank is effectively a trusted CA. When I opened my account the bank would have performed various background checks on me and they also hold a reference of my signature, which can be checked against my cheques if required.<\/p>\n<p>The padlock that indicates a secure website in most browsers also looks a bit like a handbag (UK English) or purse (US English)!  The Internet Explorer 6 version looks like this <img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/images\/iepadlock.gif?w=700&#038;ssl=1\" alt=\"Internet Explorer padlock\" border=\"0\" \/> and the Firefox 1.5 version is like this <img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/images\/firefoxpadlock.gif?w=700&#038;ssl=1\" alt=\"Firefox padlock\" border=\"0\" \/>.  Steve Lamb has an analogy for users that I particularly like &#8211; &#8220;it&#8217;s safe to shop where you see the handbag&#8221;; however, it&#8217;s also important to note that the padlock (not really a handbag!) just means that SSL security is in use &#8211; it doesn&#8217;t mean that the site can automatically be trusted (it may be a phishing site) so it&#8217;s important to examine the certificate details by double clicking on the padlock.<\/p>\n<p>Each verification method has its own advantages and disadvantages &#8211; web of trust can be considered more &#8220;trustworthy&#8221;, but it&#8217;s time-consuming and not well understood by the general public &#8211; CAs, whilst easy to deploy and manage, can be considered to be the tools of &#8220;Big Brother&#8221; and they have to be trusted implicitly.<\/p>\n<p>Digital signatures work by calculating a short message digest (a hash) and encrypting this using the signatory&#8217;s private key, to provide a digital signature. The hash function should result in a unique output (although it&#8217;s theoretically possible that two messages could produce the same hash as a large volume of data is being represented by a smaller string) &#8211; the important point to note is that even the tiniest of changes will break the hash.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/images\/createdigitalsignature.png?w=700&#038;ssl=1\" alt=\"Creating a digital signature\" border=\"0\" \/><\/p>\n<p>Upon receipt, the recipient uses the signatory&#8217;s public key to decrypt the hash. Because the hash is generated using a one-way function, this cannot be expanded to access the data &#8211; instead, the data is transmitted with the signature and a new hash calculated by the recipient. If the two hashes match then the integrity of the message is proven. If not, then the message has almost certainly been tampered with (or at least damaged in transit).<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/images\/verifydigitalsignature.png?w=700&#038;ssl=1\" alt=\"Verifying a digital signature\" border=\"0\" \/><\/p>\n<p>Certificates are really just a method of publishing public keys (and guaranteeing their authenticity). The simplest certificate just contains information about the entity that is being certified to own a public key and the public key itself. The certificate is digitally signed by someone who is trusted &#8211; like a friend (for PGP) or a CA. Certificates are generally valid for a defined period (e.g. one year) and can be revoked using a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Certificate_revocation_list\">certificate revocation list<\/a> (CRL) or using the real-time equivalent, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Online_Certificate_Status_Protocol\">online certificate status protocol<\/a> (OCSP). If the CRL or OCSP cannot be accessed, then a certificate is considered invalid. Certificates are analogous to a traditional passport in that a passport is issued by a trusted authority (e.g. the <a href=\"http:\/\/www.ukpa.gov.uk\/\">UK passport agency<\/a>), is valid for a number of years and contains basic information about the holder as well as some form of identification (picture, signature, biometric data, etc.).<\/p>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/X.509\">X.509<\/a> is the standard used for certificates, with version 3 supporting application-specific extensions, (e.g. authentication with certificates &#8211; the process that a browser will follow before displaying the padlock symbol to indicate that SSL is in use &#8211; authenticating the server to the client). Whether or not this certificate is issued by an external CA or an organisational (internal) CA is really a matter of choice between the level of trust placed in the certificate and how much the website owner is prepared to pay for a certificate (it&#8217;s unlikely that an external certificate will be required for a secure intranet site, whilst one may be expected for a major e-commerce site).<\/p>\n<p>The SSL process works as follows:<\/p>\n<ol>\n<li>The browser (client) obtains the site (server) certificate.<\/li>\n<li>The digital signature is verified (so the client is sure that the public key really belongs to the site)<\/li>\n<li>To be sure that this is the actual site, not another site masquerading as the real site, the client challenges the server to encrypt a phrase. Because the server has the corresponding private key, it can encrypt the phrase and return it to the client.<\/li>\n<li>The client decrypts the phrase using the public key from the certificate &#8211; if the phrase matches the challenge, then the site is verified as authentic.<\/li>\n<\/ol>\n<p>Most certificates can be considered safe &#8211; i.e. there is no need to protect them heavily as they only contain publicly available information. The certificate can be stored anywhere &#8211; in a file, on a USB token, on a memory-only smartcard, even printed; however private keys (and certificates that include them) are extremely vulnerable, requiring protected storage within the operating system or on a smartcard with cryptographic functionality (see below). Windows 2000 Server and Windows Server 2003 include a CA which can be used to issue and store certificates, especially within a company that is just looking to secure its own data. The Windows Server 2003 CA even supports auto-enrollment (i.e. where a certificate request is processed automatically), but what if the administrators within an organisation are not considered trustworthy? In that case, an external CA may be the only choice.<\/p>\n<p>Most organisations use more than one root key for signing certificates. This is because it does not scale well, can be difficult to manage responsibility for in a large organisation and is dangerous if the key is compromised. Instead, certificate hierarchies can be established, with a CA root certificate at the top, and multiple levels of CA within the organisation. Typically the root CA is installed, then taken offline once the subordinate CAs have been installed. Because the root is offline, it cannot be compromised, which is important because complete trust is placed in the root CA. With this model, validating a certificate possibly involves validating a path of trust &#8211; essentially this is just checking the digital signature but it may be necessary to walk the path of all subordinate CAs until the root is reached (or a subordinate that is explicitly trusted). Cross certification is also possible by exporting and importing certificate paths between CA hierarchies.<\/p>\n<p>The list of trusted root CAs increases with each Windows service pack. Some certificates can be obtained without payment, even those included in the list of Windows&#8217; trusted root CAs. Whilst these are as valid as any other certificate, they are unlikely to have undergone such stringent checks and so the level of trust that can be placed in them may not be deemed sufficient by some organisations. If this is a concern, then it can be cleared down from within the browser, using group policy or via a script &#8211; the only client impact will be a (possibly confusing) message asking if the certificate issuer should be added to the list of trusted authorities when a site is accessed.<\/p>\n<p>Smartcards are often perceived as a useful second factor for authentication purposes, but it&#8217;s useful to note that not all smartcards are equal. In fact, not all smartcards are smart! Some cards are really just a memory chip and are not recommended for storing a private key used to verify identity. More expensive smartcards are cryptographically enabled, meaning that the key never has to leave the smartcard, with all processing done on the smartcard chip. Additional protection can also be included (e.g. biometric measures) as well as self-destruction where the card is known to have been compromised.<\/p>\n<p>It&#8217;s worth noting that in the UK, organisations that encrypt data and do not have the means to decrypt it can fall foul of the regulation of investigatory powers (RIP) act (2000). There is an alternative &#8211; leaving the keys in escrow &#8211; but that is tantamount to leaving the keys with the government. Instead, the recommended practice for managed environments with encryption is to store keys in a location that is encrypted with the key recovery operator&#8217;s key &#8211; that way the keys can be recovered by an authorised user, if required.<\/p>\n<p>After attending Steve&#8217;s session, I came away feeling that maybe PKI is not so complex after all. Steve&#8217;s recommendations were to set up a test environment and investigate further; to minimise the scope of an initial implementation; and to read up on certificate practice and certificate practice statements (which should be viewed as being more important than the technology itself if defending the trustworthiness of a certificate in court).<\/p>\n<p>For anyone implementing PKI in a Microsoft infrastructure, there&#8217;s more <a href=\"http:\/\/www.microsoft.com\/pki\/\">information on PKI at the Microsoft website<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Public key infrastructure (PKI) is one of those things that sounds like a good idea, but which I can never get my head around. It seems to involve so many terms to get to grips with and so, when Steve Lamb presented a &#8220;plain English&#8221; PKI session at Microsoft UK a few weeks back, I &hellip; <a href=\"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Public\/private key cryptography in plain(ish) English<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[],"tags":[43],"class_list":["post-541","post","type-post","status-publish","format-standard","hentry","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Public\/private key cryptography in plain(ish) English - markwilson.it<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Public\/private key cryptography in plain(ish) English - markwilson.it\" \/>\n<meta property=\"og:description\" content=\"Public key infrastructure (PKI) is one of those things that sounds like a good idea, but which I can never get my head around. It seems to involve so many terms to get to grips with and so, when Steve Lamb presented a &#8220;plain English&#8221; PKI session at Microsoft UK a few weeks back, I &hellip; Continue reading Public\/private key cryptography in plain(ish) English\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm\" \/>\n<meta property=\"og:site_name\" content=\"markwilson.it\" \/>\n<meta property=\"article:published_time\" content=\"2006-03-22T20:59:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2007-03-09T14:58:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.markwilson.co.uk\/blog\/images\/iepadlock.gif\" \/>\n<meta name=\"author\" content=\"Mark Wilson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@markwilsonit\" \/>\n<meta name=\"twitter:site\" content=\"@markwilsonit\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mark Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm\"},\"author\":{\"name\":\"Mark Wilson\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"headline\":\"Public\\\/private key cryptography in plain(ish) English\",\"datePublished\":\"2006-03-22T20:59:00+00:00\",\"dateModified\":\"2007-03-09T14:58:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm\"},\"wordCount\":2064,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"image\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/images\\\/iepadlock.gif\",\"keywords\":[\"Security\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm\",\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm\",\"name\":\"Public\\\/private key cryptography in plain(ish) English - markwilson.it\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/images\\\/iepadlock.gif\",\"datePublished\":\"2006-03-22T20:59:00+00:00\",\"dateModified\":\"2007-03-09T14:58:36+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm#primaryimage\",\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/images\\\/iepadlock.gif\",\"contentUrl\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/images\\\/iepadlock.gif\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2006\\\/03\\\/publicprivate-key-cryptography-in.htm#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Public\\\/private key cryptography in plain(ish) English\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/\",\"name\":\"markwilson.it\",\"description\":\"get-info -class technology | write-output &gt; \\\/dev\\\/web\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\",\"name\":\"Mark Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"width\":800,\"height\":800,\"caption\":\"Mark Wilson\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\"},\"description\":\"A Chartered IT Professional, with recent experience in technology leadership, IT strategy and practice management roles, Mark Wilson is an Enterprise Architect in the Advisory and Management Group at risual. During a career spanning more than two decades, Mark has gained widespread recognition as an expert in his field including both industry and national press exposure. In addition to certifications from Microsoft, VMware, Red Hat, The Open Group and Axelos, Mark held a Microsoft Most Valuable Professional (MVP) award for three years and is now part of the MVP Reconnect programme. Mark is also well-known on social media and maintains an award-winning blog.\",\"sameAs\":[\"http:\\\/\\\/www.markwilson.co.uk\\\/\",\"https:\\\/\\\/www.instagram.com\\\/markwilsonuk\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/markawilson\\\/\",\"https:\\\/\\\/x.com\\\/markwilsonit\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCWHlZCoHRTocdvtrOJ2IL4A\"],\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/author\\\/mark-wilson\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Public\/private key cryptography in plain(ish) English - markwilson.it","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm","og_locale":"en_GB","og_type":"article","og_title":"Public\/private key cryptography in plain(ish) English - markwilson.it","og_description":"Public key infrastructure (PKI) is one of those things that sounds like a good idea, but which I can never get my head around. It seems to involve so many terms to get to grips with and so, when Steve Lamb presented a &#8220;plain English&#8221; PKI session at Microsoft UK a few weeks back, I &hellip; Continue reading Public\/private key cryptography in plain(ish) English","og_url":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm","og_site_name":"markwilson.it","article_published_time":"2006-03-22T20:59:00+00:00","article_modified_time":"2007-03-09T14:58:36+00:00","og_image":[{"url":"https:\/\/www.markwilson.co.uk\/blog\/images\/iepadlock.gif","type":"","width":"","height":""}],"author":"Mark Wilson","twitter_card":"summary_large_image","twitter_creator":"@markwilsonit","twitter_site":"@markwilsonit","twitter_misc":{"Written by":"Mark Wilson","Estimated reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm#article","isPartOf":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm"},"author":{"name":"Mark Wilson","@id":"https:\/\/www.markwilson.co.uk\/blog\/#\/schema\/person\/98f61365e7c39d6be942174b8c4de468"},"headline":"Public\/private key cryptography in plain(ish) English","datePublished":"2006-03-22T20:59:00+00:00","dateModified":"2007-03-09T14:58:36+00:00","mainEntityOfPage":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm"},"wordCount":2064,"commentCount":2,"publisher":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/#\/schema\/person\/98f61365e7c39d6be942174b8c4de468"},"image":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm#primaryimage"},"thumbnailUrl":"https:\/\/www.markwilson.co.uk\/blog\/images\/iepadlock.gif","keywords":["Security"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm","url":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm","name":"Public\/private key cryptography in plain(ish) English - markwilson.it","isPartOf":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm#primaryimage"},"image":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm#primaryimage"},"thumbnailUrl":"https:\/\/www.markwilson.co.uk\/blog\/images\/iepadlock.gif","datePublished":"2006-03-22T20:59:00+00:00","dateModified":"2007-03-09T14:58:36+00:00","breadcrumb":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm#primaryimage","url":"https:\/\/www.markwilson.co.uk\/blog\/images\/iepadlock.gif","contentUrl":"https:\/\/www.markwilson.co.uk\/blog\/images\/iepadlock.gif"},{"@type":"BreadcrumbList","@id":"https:\/\/www.markwilson.co.uk\/blog\/2006\/03\/publicprivate-key-cryptography-in.htm#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.markwilson.co.uk\/blog"},{"@type":"ListItem","position":2,"name":"Public\/private key cryptography in plain(ish) English"}]},{"@type":"WebSite","@id":"https:\/\/www.markwilson.co.uk\/blog\/#website","url":"https:\/\/www.markwilson.co.uk\/blog\/","name":"markwilson.it","description":"get-info -class technology | write-output &gt; \/dev\/web","publisher":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/#\/schema\/person\/98f61365e7c39d6be942174b8c4de468"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.markwilson.co.uk\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":["Person","Organization"],"@id":"https:\/\/www.markwilson.co.uk\/blog\/#\/schema\/person\/98f61365e7c39d6be942174b8c4de468","name":"Mark Wilson","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/image-4.png?fit=800%2C800&ssl=1","url":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/image-4.png?fit=800%2C800&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/image-4.png?fit=800%2C800&ssl=1","width":800,"height":800,"caption":"Mark Wilson"},"logo":{"@id":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/image-4.png?fit=800%2C800&ssl=1"},"description":"A Chartered IT Professional, with recent experience in technology leadership, IT strategy and practice management roles, Mark Wilson is an Enterprise Architect in the Advisory and Management Group at risual. During a career spanning more than two decades, Mark has gained widespread recognition as an expert in his field including both industry and national press exposure. In addition to certifications from Microsoft, VMware, Red Hat, The Open Group and Axelos, Mark held a Microsoft Most Valuable Professional (MVP) award for three years and is now part of the MVP Reconnect programme. Mark is also well-known on social media and maintains an award-winning blog.","sameAs":["http:\/\/www.markwilson.co.uk\/","https:\/\/www.instagram.com\/markwilsonuk\/","https:\/\/www.linkedin.com\/in\/markawilson\/","https:\/\/x.com\/markwilsonit","https:\/\/www.youtube.com\/channel\/UCWHlZCoHRTocdvtrOJ2IL4A"],"url":"https:\/\/www.markwilson.co.uk\/blog\/author\/mark-wilson"}]}},"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":700,"url":"https:\/\/www.markwilson.co.uk\/blog\/2006\/04\/putting-pki-into-practice.htm","url_meta":{"origin":541,"position":0},"title":"Putting PKI into practice","author":"Mark Wilson","date":"Sunday 9 April 2006","format":false,"excerpt":"Recently, I blogged about public\/private key cryptography in plain(ish) English. That post was based on a session which I saw Microsoft UK's Steve Lamb present. A couple of weeks back, I saw the follow-up session, where Steve put some of this into practice, securing websites, e-mail and files. Before looking\u2026","rel":"","context":"In \"Microsoft Windows\"","block_context":{"text":"Microsoft Windows","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/windows"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":263,"url":"https:\/\/www.markwilson.co.uk\/blog\/2005\/08\/introduction-to-ipsec.htm","url_meta":{"origin":541,"position":1},"title":"An introduction to IPSec","author":"Mark Wilson","date":"Tuesday 30 August 2005","format":false,"excerpt":"I've been meaning to write something about Internet protocol security (IPSec) ever since I heard Steve Lamb talk about it a few months back but Owen Cutajar blogged about Steve Friedl's Illustrated Guide to IPSec a few days back which gives a much better description than I ever will! Steve's\u2026","rel":"","context":"In \"Security\"","block_context":{"text":"Security","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/security"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":303,"url":"https:\/\/www.markwilson.co.uk\/blog\/2006\/06\/making-sense-of-public-key.htm","url_meta":{"origin":541,"position":2},"title":"Making sense of public key infrastructure","author":"Mark Wilson","date":"Friday 30 June 2006","format":false,"excerpt":"I've written a bit on this blog previously in an attempt to demystify public key infrastructure (PKI) but a fellow contributor to the Microsoft Industry Insiders blog, Adrian Beasley, has written an extensive article entitled make sense of public key infrastructure, which could be very useful for anyone trying to\u2026","rel":"","context":"In \"Security\"","block_context":{"text":"Security","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/security"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5614,"url":"https:\/\/www.markwilson.co.uk\/blog\/2015\/05\/public-key-infrastructure-explained.htm","url_meta":{"origin":541,"position":3},"title":"Public key infrastructure explained","author":"Mark Wilson","date":"Wednesday 6 May 2015","format":false,"excerpt":"Last week, I was attending a presentation skills course where we had to give an impromptu presentation (well, we had an hour to prepare) on a topic of our choice. \u00a0One of my colleagues, Richard Butler, gave his talk on public key infrastructure (PKI) and Richard was the first person\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/www.markwilson.co.uk\/blog\/topic\/technology"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1162,"url":"https:\/\/www.markwilson.co.uk\/blog\/2008\/08\/microsoft-infrastructure-architecture-considerations-part-3-controlling-network-access.htm","url_meta":{"origin":541,"position":4},"title":"Microsoft infrastructure architecture considerations: part 3 (controlling network access)","author":"Mark Wilson","date":"Thursday 21 August 2008","format":false,"excerpt":"Continuing the series of posts on the architectural considerations for designing a predominantly-Microsoft IT infrastructure, based on the MCS Talks: Enterprise Infrastructure series, in this post, I\u00e2\u20ac\u2122ll look at some of the considerations for controlling access to the network. Although network access control (NAC) has been around for a few\u2026","rel":"","context":"In \"Architecture\"","block_context":{"text":"Architecture","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/architecture"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":660,"url":"https:\/\/www.markwilson.co.uk\/blog\/2006\/11\/office-groove-2007-overview.htm","url_meta":{"origin":541,"position":5},"title":"Office Groove 2007 overview","author":"Mark Wilson","date":"Thursday 30 November 2006","format":false,"excerpt":"At the risk of annoying yet more people at Microsoft after my comments in this week's Computer Weekly, last night I attended what was probably the worst Microsoft event I've ever been to. To be fair to Microsoft, they are kind of pre-occupied this week... some sort of big launch\u2026","rel":"","context":"In \"Microsoft Office\"","block_context":{"text":"Microsoft Office","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/office"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/posts\/541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=541"}],"version-history":[{"count":0,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/posts\/541\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}