Cryptography

Cryptographic Engines

cryptographic keys  are the basis for many cryptographic operations. In its simplest sense, a key is a long string of numbers -- not just any string of numbers, but a string of numbers that has very strict mathematical properties. The mathematical properties a key must have vary based on the cryptographic algorithms it is going to be used for, but there's an abstract (logical) set of properties all keys must have. It's this abstract set of properties that we'll see in the Java security package.

Then, when someone wants to send you some sensitive information, they can use your public key to encrypt  the data -- and, as long as you have kept your private key private, you'll be the only one who is actually able to decrypt the data. Similarly, when you want to send sensitive data to someone, all you need is their public key; when the data has been encrypted with the public key, you know that only the holder of the private key will be able to read what you've sent her.

In the area of digital signatures, this key ordering is reversed: you sign a document with your private key, and the recipient of the document needs your public key in order to verify the digital signature.

Message Digests

Conceptually, a message digest is a small sequence of bytes that is produced when a given set of data is passed through the message digest engine. Unlike other cryptographic engines, a message

digest engine does not always require a key to operate; some do, and some do not. A message digest engine takes a single stream of data as its input and produces a single output. We call the output a message digest (or simply a digest, or a hash), and we say that the digest represents the input data.

A digest is often provided with the data it represents; the recipient of the data then recalculates the digest to make sure that the data was not originally tampered with. But nothing in this scenario prevents someone from modifying both the original data and the digest since both are transmitted and since the calculation of the digest is a well-known operation requiring no key. However, secure message digests can be produced when you introduce a key into the mix; these types of digests are called message authentication codes.

Forging a digital signature requires access to the private key of the entity whose signature is being forged; this is yet another reason why it is important to keep your private keys private

And because they're based on key certificates, digital signatures have other properties, such as the fact that they can expire.

Digital signatures rely on two things: the ability to generate a message digest and the ability to encrypt that digest

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Clear text Data ------> Message Digest engine ------- > output(1233445454353) ------- > Digital Signature Engine + Private key -----> output Digital Signature [987988787798437543] 

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note that encryption is performed on the digest and not on the data itself. In order to present this signature to  another entity, you must present the original data with it −− the signature is just a message digest, and, as we  mentioned earlier, you cannot reconstruct the input data from the message digest. 

Verifying a digital signature requires the same path; the message digest of the original data must be calculated. The signed digest is decrypted with the public key and if the decrypted digest matches the calculated digest, the signature is valid

Nothing prevents the signed data from being intercepted. So the data that accompanies the digital signature cannot be sensitive data; the digital signature only verifies that the message came from a particular entity and that the message was not altered in transit, but it does not actually protect that message from being read by anyone with access to it.