Understanding Secure Communication: Encryption, Hashing, and Certificates
If you're diving into secure communications, you've likely heard terms like encryption, hashing, digital signatures, and certificates. These concepts are essential foundations of secure digital communication. In this blog, we'll clearly define each one, explain how they combine to provide robust security, and walk step-by-step through an example scenario.
Sender (You) Receiver (Your Friend)
------------ -----------------------
Generate keys & Certificate ↔️ CA ↔️ Generate keys & Certificate
│ │
│────── Your Public Key (Certificate) ────────────────▶ │
│ ◀─────────── Receiver's Public Key (Certificate)──────│
│ │
Create Message: "You are in danger" │
│ │
Hash Message │
│ │
Sign Hash (Your Private Key) │
│ │
Encrypt Message (Receiver's Public Key from Cert) │
│ │
Send Encrypted Message, Signature, Your Certificate ─────────▶│
│
Verify Sender's Certificate (CA Public Key)
│
Decrypt Message (Receiver's Private Key)
│
Decrypt Signature (Sender's Public Key from Cert)
│
Hash Decrypted Message
│
Compare Hashes (Integrity & Authenticity Confirmed)
Let's begin by understanding the concepts.
1. Encryption
Encryption transforms readable data ("plaintext") into unreadable data ("ciphertext"). It ensures confidentiality: only authorized individuals with the correct key can decrypt and read the message.
-
Symmetric Encryption: Uses the same key for encrypting and decrypting.
- Example: AES (Advanced Encryption Standard)
-
Asymmetric Encryption (Public-key cryptography): Uses two different but mathematically related keys:
- Public Key: Freely shared, used to encrypt messages.
- Private Key: Kept secret, used to decrypt messages.
- Examples: RSA, ECC (Elliptic Curve Cryptography)
2. Hashing
Hashing takes data of any length and produces a fixed-length "fingerprint" called a hash.
- Hashes are deterministic: same input produces the same hash.
- Hashes are irreversible: you can't derive original data from its hash.
- Used primarily for verifying data integrity.
- Examples: SHA-256, SHA-3.
3. Digital Signatures
A digital signature ensures the authenticity and integrity of digital documents or messages.
- Sender computes a hash of the message.
- Sender encrypts this hash using their private key (signing process).
- Receiver decrypts the signature using the sender's public key to verify authenticity and integrity.
A digital signature confirms:
- Authenticity (proof of sender identity)
- Integrity (message wasn't altered in transit)
4. Digital Certificates & Certificate Authorities (CA)
A digital certificate is a document that securely associates a public key with an identity (person, website, organization).
- Issued and digitally signed by a trusted entity called Certificate Authority (CA).
- Ensures that public keys belong to their stated owners.
Certificates include:
- Identity (name, domain, company)
- Public key of certificate holder
- Issuer details (CA)
- Digital signature from CA to verify authenticity
Communication Scenario with Certificates
Let's clearly outline the steps involved in securely exchanging messages using all these concepts. Consider two individuals—Sender (You) and Receiver (Your Friend)—who want confidential, authentic, and integral communication.
Step 1: Generate Key Pairs and Certificates (One-time Setup)
Each party performs these actions once.
- Generate key pairs (private and public):
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pem
-
Request and obtain digital certificates from a CA:
- Create a Certificate Signing Request (CSR):
openssl req -new -key private_key.pem -out request.csr- Submit CSR to CA (Let's Encrypt, DigiCert, or Internal CA).
- CA verifies your identity and issues signed certificates.
Step 2: Sending an Encrypted and Signed Message
Sender wants to send the message: "You are in danger"
Hash the message (SHA-256):
SHA256("You are in danger")
Sign the hash with sender's private key (Digital Signature):
Signature = Encrypt(Hash, Sender_Private_Key)
Encrypt message with receiver's public key (from receiver's certificate):
Encrypted_Message = Encrypt("You are in danger", Receiver_Public_Key)
Sender transmits:
- Encrypted message
- Digital signature
- Sender’s certificate (contains public key and identity signed by CA)
Step 3: Receiving and Verifying the Message
Receiver does:
Verify sender's certificate using CA’s public key:
- Confirms authenticity of sender's public key.
Decrypt the message using receiver's private key:
Message = Decrypt(Encrypted_Message, Receiver_Private_Key)
Decrypt sender's signature using sender's public key (extracted from sender's verified certificate):
Sender_Hash = Decrypt(Signature, Sender_Public_Key)
Hash the decrypted message again:
Receiver_Hash = SHA256(Message)
Compare the hashes:
- Matching hashes confirm the message is authentic and unaltered.
Resources
- Use digital certificates and CA to establish secure trust in public keys.
- Never share your private keys: they're the foundation of your identity and security.
- Leverage existing trusted Certificate Authorities (Let’s Encrypt, DigiCert) or internal CAs for internal setups.
- Encryption and digital signatures complement each other—encryption provides confidentiality, while signatures ensure authenticity and integrity.