This section will discus the main uses of PKE in the modern world. PKE is used in a variety of ways to securely transmit information across networks and the Internet. The uses discussed here are Secure Shell (SSH), Pretty Good Privacy (or PGP) for e-mail encryption, and secure web page transactions using the S-HTTP and SSL protocols. PKE is used in a number of other forms but those listed here show the diverse tasks PKE can be applied to.

Secure Shell⁵

A shell is a remote login session, which allow users to log into a computer/mainframe remotely (i.e. they don’t have to be at the actual machine to log in, just have a computer that is connected to that machine). Shells are particularly important in administering servers over a network as it allows the server administrators to solve problems quickly from outside the office without having to commute in if a problem arises. One of the first programs to perform this function was Telnet, which uses an unencrypted data stream to transmit data between the two machines and is still widely used today. However, this is insecure as anyone ‘listening’ to the data communication could get usernames, passwords, and any other data transmitted. This flaw became more evident and more problematic as the Internet grew. Now anyone in the world could potentially be listening in to your session on a remote machine. Out of this need grew Secure Shell, a remote login session protocol that, in part, uses PKE to encrypt transmitted data.

In SSH, the remote machine must have generated a public/private key pair. As soon as the connection is made, the server machine sends its public key to the client which is trying to gain access. The client then checks this public key against a list of known and trusted host keys. If the key is not found, the local user is warned as such, and is asked if they wish to allow this connection (and all future connections) to the server. This is to verify that the server is the desired machine and not another machine masquerading as the intended host. If the connection is allowed, and the local machine doesn’t have a PK pair (some Operating Systems don’t natively support PKE, and as such it is provided on a third-party software basis) the client machine generates a random session key, and sends this resultant key to the server. This session key is encrypted with the server’s public key and as such is secure. If the client has a PK pair, it instead sends its public key encrypted with the server’s public key.

PKE isn’t used to encrypt all of the data sent between the machines. Due to the large key length required in PKE this would create too much overhead and make the system very slow if used to encrypting and decrypting every packet sent. Rather, once the connection has been established, the machines communicate between each other using a symmetric key system. The system used is decided in the initial connection phase, as is the key for this encryption. Common encryption ciphers used for this include IDES and blowfish but SSH clients/servers are required to support 3DES in case other ciphers are not available.

At intervals during the transmissions a new key is decided using PKE. This increases security, decreasing the potential for eavesdroppers to spot patterns emerging in large amounts of transmitted data, and thus determine the symmetric key.

Secure Web Transactions⁶

Secure web page connections are increasingly needed in these days of e-commerce. Users providing personal information to web sites is at an all-time high, and it is only expected to grow. Because of this, two standards for secure web page connections have been implemented – SSL and S-HTTP.

SSL is the most widely-used protocol for secure web transmissions. Any page using SSL uses the https:// prefix instead of http://. The SSL protocol uses public key ciphering to encrypt the data being sent, in a similar way to SSH. Upon a connection being made, the server and the client exchange public keys, and then all data that is sent between the machines along that channel is encrypted using those public keys. Unlike SSH, where large amounts of data may be sent, SSL traffic is usually relatively small (up to a couple of dozen kilobytes in the majority of cases) due to it only being encrypted web pages with only a small amount of data attached. As such, all traffic can be encrypted using public key ciphering, rather than relying on a symmetric cipher. Since the amount of data is small the overheads of public key encryption aren’t of major consideration. Although SSL supports many forms of encryption, RSA public key encryption is the most-widely used.

S-HTTP is another standard for secure web page communication. Each S-HHTP page is either encrypted, or has a digital certificate, or both. S-HHTP also supports RSA public key encryption. The only major difference between S-HHTP and SSL is that S-HTTP allows the client to authenticate itself to the server, using either its own digital certificate, or another method (i.e. its public key) whereas SSL only allows the server to authenticate itself.

Pretty Good Privacy (PGP)⁷

Pretty Good Privacy is an open-source email encryption protocol, based upon PKE. It works on a three-level encryption model. Firstly, it compresses the e-mail, which is being transmitted. This not only makes the email smaller, so that it sends faster, but it also encrypts the data slightly, using the compression algorithm. PGP then generates a random session key, using the movements of your mouse and the keystrokes you made whilst typing the email. This is made using a fast, standard algorithm, which is known to all email clients with PGP installed, as is the compression/decompression algorithm. Then, this is encrypted with the recipient’s public key, and sent. When the email is received, the recipient decrypts it using their private key, the standard decryption algorithm and the decompression algorithm. Even if someone intercepted the email, they couldn’t decrypt it because they don’t know the recipient’s private key.

PGP can also use a method called digital signing to Encrypt Data. This is described in detail in the how PKE works section. In digital signing, instead of encrypting emails using the recipient’s public key, you encrypt it using your own private key. Then, when the recipient receives your email, they use your public key to decrypt it. This is not very secure as your public key is available to anyone, but it instead confirms that you sent the email (since only you know the private key used to encrypt the email in the first place). To combat this problem of insecurity, PGP combines both methods (again discussed in the how PKE works section). The sender’s public key is used to digitally sign the e-mail, and then the recipient’s public key is used to encrypt the mail securely. When this mail is received the recipient’s private key unlocks the strong layer of encryption and then the sender’s public key is used for verification.

Because encrypting the entire e-mail can create extremely large data objects (i.e. encrypted emails), PGP can use another technique, called one-way hashing. It takes an input (the email) and uses a hashing algorithm to create a unique, but fixed-length encryption, known as the message digest. This is encrypted using the sender’s private key, and is sent as the signature along with the unencrypted email. When the recipient receives the email, they decrypt the signature using the sender’s public key, and then apply the one-way hash to the email and check it against the now unencrypted message digest. If they match, then the email hasn’t been changed since it was originally sent. Note that this doesn’t necessarily mean that someone hasn’t intercepted and read the message, which was unencrypted. All this does is verify that the email was indeed sent by the sender, and has not been modified by any outside parties and as such is an alternative for encrypting the message with the senders private key but not for encrypting the message using both the sender’s private and the recipient’s public keys.

This shows the wide use of PKE in the digital community. It allows secure communication in large yet infrequent forms, such as e-mail as well as small frequent forms (such as SSH). This allows users to securely communicate with servers or other people by eliminating the problem caused by having to exchange a key.