Cryptography – Keys and Key Management

Cryptography is an ancient mathematical science originally used for military communications designed to conceal the contents of a messages should they fall into enemy hands. Recent developments in cryptography have added additional uses, including mechanisms for authenticating users on a network, ensuring the integrity of transmitted information, and preventing users from repudiating (rejecting ownership of) their transmitted messages.

Data that can be read and understood without any special measures is called plaintext or cleartext. The method of disguising plaintext in such a way as to hide its meaning and substance is called encryption. Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting ciphertext to its original plaintext is called decryption.

With end-to-end encryption, one end of a communication encrypts the contents of a message on its local machine or device. That data is then transmitted as ciphertext to the intended recipient on the other end, who alone can decrypt and read it using the appropriate secret "keys."

Data can be encrypted in transit and/or at rest. Information sent from a browser to a website and vice versa is data "in transit." Information stored on a computer or on a server is data "at rest."

A key is a value that works with a cryptographic algorithm to produce a specific ciphertext. Measured in bits, keys are basically super big numbers. The bigger the key, the more secure the ciphertext.

Public key cryptography ()is an asymmetric scheme that uses a pair of keys for encryption — a public key, which encrypts data, and a corresponding private key, for decryption. Anyone with a copy of the public key can encrypt information that only someone with the private key can read.

A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information’s origin, and also verify that the information is intact. In this way, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information.

A digital signature serves the same purpose as a handwritten signature and is nearly impossible to counterfeit. Moreover, it not only attests to the content of the information, it certifies the identity of the signer.

It should go without saying that key storage must be carefully and securely managed. Encryption key management means administering the full lifecycle of cryptographic keys. This includes generating, using, storing, archiving, and deleting keys, as well as limiting access to the keys physically, logically, and through user-role access.

As a general rule, the lifetime of a key is inversely proportional to the sensitivity of the data it protects. In other words, as data becomes more sensitive, the life of the key protecting it decreases (it's expiration period is reduced).

Token.io uses PKI to secure communications between the Token.io Cloud and its clients. Public keys are stored in the Token.io cloud and are publicly shared, requiring valid signatures to be exchanged. Private keys are never shared. Each Token.io API invocation is digitally signed by the caller using its private key(s). The Token.io Cloud and connected banks verify each API request generated by the Token.io TPP SDK using the caller’s public key.