Excerpted from InformIT.
The PKI service of integrity may employ one of two techniques. First, a digital signature, while it serves the purpose of providing authenticity
The second technique that can be employed for integrity is a Message Authentication Code, or MAC. This technique typically uses a symmetric block cipher (for example, DES-CBC-MAC [FIPS113]) or a cryptographic hash function (for example, HMAC-SHA-1 [RFC2104]). Although these are both symmetric solutions (as opposed to public-key solutions), it is important to note that they are both keyed mechanisms; in particular, they depend on a key that must be shared between the sender of the integrity-protected data and the "consumer" (for example, receiver) of the integrity-protected data. In some environments, the shared key can be derived from a PKI (see IPsec [RFC2401, RFC2411] for example).
The PKI service of integrity for this second technique, then, is that of putting in place the mechanisms to achieve this key sharing when necessary. If Alice wants to send to Bob some integrity-protected data and Bob has an encryption public key, Alice can employ the following sequence of steps:
- Generate a fresh symmetric key.
- Use the symmetric key to generate a MAC for the data.
- Encrypt the symmetric key for Bob using his encryption public key.
- Send the data to Bob along with the encrypted key.
Alternatively, if Bob has a key exchange public key (such as a Diffie-Hellman public key), Alice can instead use the following procedure:
- Use Bob's key-exchange public key in combination with her key-exchange private key to generate a symmetric key.
- MAC the data using that symmetric key.
- Send the data to Bob along with her public key certificate.
Bob can then regenerate the symmetric key using Alice's public key and his own private key to verify the integrity of the data.
If a digital signature is not used to provide data integrity, a good cryptographic MAC function is required.
Read the rest of this tip on InformIT. You have to register there, but it's free.
Did you like this tip? Like or hate it, why not let us know? E-mail to sound off, or visit our tips page to rate this and other tips, or submit one of your own.
Related BookPKI: A Wiley Tech Brief
By Tom Austin
This is a plain-language tutorial on the most important security technology for Internet applications.
This was first published in March 2001