Industry Canada, Government of Canada
SME Direct

Security Solutions: Encryption

Encryption is part of a larger process of encoding and decoding messages to keep information secure. This process, though commonly called encryption, is more correctly called cryptography: the use of mathematical transformations to protect data.

Cryptography is primarily a software-based solution and, in most cases, should not include significant hardware costs. It is a key tool in protecting privacy as it allows only authorized parties to view the data. Encryption is also used to ensure data integrity, as it protects data from being modified or corrupted.

Key Elements in Cryptography

There are four essential elements in cryptography:

  • Encryption: the process of encoding the data — transforming the plain text or an original message into "cipher text", which is unintelligible.
  • Decryption: the process of decoding the data — transforming the cipher text back to plain text or the original message, thereby making it understandable again.
  • Algorithm: the mathematical formula applied to the message that both encrypts and decrypts the data.
  • Key: a particular code that, applied with the algorithm, encrypts and decrypts the data; because a key is held by a particular person or company, it also allows the data to be traced to that party.

Private and Public Key Encryption

In traditional cryptography, the same key is used to both encrypt and decrypt a communication. This is known as "private key" encryption. It is a symmetrical system because both the encoding and decoding parties hold the same key. The challenge is in safely giving the recipient the key needed to decode the message. To meet this challenge, public key systems were developed. They use two separate keys, one public and one private. This has proven to be well suited to Internet use, as it avoids the difficulty of transmitting the symmetrical key securely. The public key can be published and distributed widely with no need to expose the private key.

Public Key Encryption

In public key or asymmetrical cryptography, one key is made public, and the other is held in private. Data encrypted with a public key can only be decrypted using the private key. The standard procedure for this type of encryption is:

  • The intended recipient generates a public and private key.
  • The intended recipient transmits their public key to the sender.
  • The sender encrypts and transmits a document to the intended recipient using the public key.
  • The intended recipient decrypts the document with their matching private key.

The public key can be publicly distributed at will, often by posting it to Web sites, placing it in a central network directory or emailing it to potential users. The private key is held in confidence and protected by its owner.

For practical purposes, if the encrypted document is intercepted, the code can't be cracked. While, in theory, the code could be cracked, in reality the hardware and time required to crack a 512-bit encrypted code is so great that it is not feasible. The level of encryption should be proportional to the sensitivity of the data.

Implementing Encryption

Companies wishing to use public key encryption systems can purchase key generation software and certificate management servers, or outsource these functions to a vendor. Outsourcing may be the fastest to set up and the most cost-effective solution for smaller organizations. Purchasing a server may be most appealing for large Intranet applications because it avoids per-certificate charges and may provide more flexibility in managing directory-based access for employees.

Certificate Authority

The use of public key encryption ensures privacy and data integrity. No one can read or tamper with the message en route or in storage until it is decrypted. But there is one other important step in the use of public key encryption: authentication. The person using a public key wants to be certain that the person with whom they want to communicate is the one holding the matching private key.

Authentication is done by having public/private key pairs registered with a Certificate Authority who, like a notary public in the paper world, bears the responsibility for verifying that a certain public key belongs to a specific individual, and issues a digital certificate to that effect.

Web users wishing to use public key encryption can obtain key pairs for general use and register them by visiting the Web site of a certificate authority and then following its online procedure. Generally, there is no cost for personal use, but there is a fee for the administration of certificates for commercial purposes. Users may require several certificates: for example, one issued in association with a credit card for secure purchases on the Internet, one for a Web browser, one for signing and securing email, and another for logging in to a company network. There is software, such as digital wallets and browser plug-ins, for managing digital certificates and key pairs.


Created: 2006-10-16
Updated: 2007-08-10