Post three of what currently stands at a 4 part introduction to Public Key Infrastructure from my colleague Jason Wallace. Jason is laying the foundations to cover some ConfigMgr related certificatary (I know that's not really a word, but it's the end of a very long hot day and I need to amuse myself somehow)
Over to you Jason.
Thanks for bearing with me on this.
So, to recap, we know that there are two major forms of encryption - symmetric and asymmetric and we said that there are three goals of using encryption -
We have not really touched Integrity, so, before we look at how this all stitches together let's briefly look at hashing.
Hashing is unlike encryption as hashing does not alter the source data at all. What it in fact does is to generate something brand new which can sit alongside the data being hashed. The hash will be generated through a hashing algorithm which will always return a result of a known length but that would return a hash which is completely different if even only a single bit in the data being hashed is different. For example, if I were to hash a single byte file with MD5 then I would see a 128 bit result. If I were to hash 1 terabyte of data I would see a different 128 bit result. If either of the files were to change by the slightest bit then we'd see a totally different hash. With hashing, we can guarantee that what we have received is what was sent, thereby giving us integrity.
For example, if we hash the alphabet using the MD5 algorithm the output is:
If we hash the same string but capitalised, this time the hash string is totally different
Here we can see that even if the data is fundamentally the same but has changed in the most minute of ways, we still see a different hash!
Stitching it all together
This one should be easy by now. There are a number of options
Pretty much all we do with PKI is done using a combination of these technologies. It can become difficult to track whose keys are who's when we are, for example looking at embedding a hash, which was encrypted with your private key and then re-encrypted using my public key but it does pan out in the end. Remember that pretty much any solution that would involve a private key crossing the network is likely to be the wrong answer!
This post was contributed by Jason Wallace, a Premier Field Engineer with Microsoft Premier Field Engineering, UK