The trick of public key encryption -- the best known approach is called RSA for the initials of its inventors -- is that one key can be used to scramble the data while a different, mathematically related, key is used to unscramble it. When you download a digitally signed program, the first thing your computer does is check the Web site's digital certificate. It then queries the CA that issues the certificate to make sure it's still valid and to obtain the public key.
This lengthy and highly technical primer provides a gentle yet thorough introduction to elliptic curve cryptography (ECC), said to be ideal for resource-constrained systems because it provides more "security per bit" than other types of asymmetric cryptography. The paper is from Certicom, which markets Security Builder toolkits targeting various popular desktop, server, and embedded operating systems. Asymmetric cryptography is a marvellous technology. Its uses are many and varied.
Recent reports that the United States had broken codes used by the Iranian intelligence service have intrigued experts on cryptology because a modern cipher should be unbreakable. Four leading British experts told BBC News Online that the story, if true, points to an operating failure by the Iranians or a backdoor way in by the National Security Agency (NSA) - the American electronic intelligence organisation.
The first computer network in which communication is secured with quantum cryptography is up and running in Cambridge, Massachusetts.
Chip Elliott, leader of the quantum engineering team at BBN Technologies in Cambridge, sent the first packets of data across the Quantum Net (Qnet) on Thursday. The project is funded by the Pentagon's Defense Advanced Research Projects Agency.
The trust that PGP signatures generate can be deceptive, one researcher, a regular poster to the full-disclosure vulnerability mailing list, has discovered.
Gadi Evron, an information security researcher based in Israel, generally signs his posts to the list with his PGP signature because his email address is constantly used by spammers. Anyone who wants to verify that a signed email is actually from the person claiming to send it can do so.
What he did not reckon on was that someone would try to use his PGP signature inside a spam email to impersonate him.