Public-Keys

What is public-key cryptography, and why is this important for patents?  If you need security for transmisison or storage of your data, then you need to know about some simple concepts.  Let’s start with some analogies.

Many homes have a mail slot in the front door.  Anyone who knows the street address of the home (which is published on the Internet and in the Yellow pages) can drop a letter through the mail slot.  Only someone who has a key to the home, however, can read the mail.  The home key is analogous to a “private key” and the street address is analogous to a “public key.”

In cryptography a “key” can be a short password “1234” for example, or a long arbitrary phrase “Peter Piper picked a peck of pickle peppers” as another example.  There are many programs (some are OpenSource such as GPGTools for Mac and GPG4Win for PC ) that will create “key-pairs” based upon your choice of a key.  For example, suppose you decide on a long key phrase “I’m a Yankee-Doodle Dandy” and use a key generator program to create a corresponding “public key”.  The public key itself will look like gibberish (perhaps something like "Wy12ReFTphenFgmSk”) but it will be mathematically infeasible (based on current technology) to find out what your private key is from the public key.  Even hackers for the NSA or FBI currently wouldn’t be able to do it.  So, you had best remember your long pass phrase, which is now your “private key."

Now comes the cool part.  The public key is posted to a very public “key server” which is hosted on the Internet.  MIT operates the biggest one, but there are several others.  Anyone can look up your public key.  Anyone.  With it they cannot figure out your private key, but they can use it to encrypt a message to you, which might then be sent to you (perhaps by email).  Since it is encrypted, no-one can intercept and open the message.  When you get it, however, using your private key (you do remember your long key phrase, right?) you can open and read the message.

So, once you set this all up, anyone can send you secret messages.  (”Meet me at midnight; Your Secret Admirer”)  And, you didn’t have to exhange secret keys!

But wait, suppose that the message from John says “My answer is Yes.”  How do you know that John sent the message?  Or if you are an attorney you will like this one; the message says “We accept your offer” but the opposiing counsel now says “we didn’t send that; anyone could have gotten your public key from MIT.”  Ah-ha! There is a variant of public-key cyptography called "digital signature" which almost guarantees that a signature is authentic, and provides non-repudiation.

When Bob sends Alice a message he can “sign” the message using his private key.  The actual private key doesn’t travel with the message, but using Bob's public key (which Alice can get from MIT, remember?) she can confirm that Bob sent the message.  Or Alice’s attorney can determine that Bob’s attorney is probably lying.

Good programs will integrate with your mail client so that you can sign outgoing emails and be advised whether incoming emails are signed.  Integrated programs should also be able to handle encryption and decryption for you.

Of course, if Alice gave away her private key then she had better revoke her public key and make a new one, or some mischief can result.

We are almost finished.  Alice and Bob might decide to insist that all signed communications come with a certificate from a Certificate Authority attesting that the public key is still valid.  There are many Certificate Authorities; some charge, some don’t.  Some companies issue their own certificates.  (In all cases, you will have to let your operating system know which certificates you trust)  And, there are many other reasons to use a certificate.  But, now you have an overall idea of public-key cryptography.

In case you were wondering, yes, if everyone used digital signatures THERE WOULD BE NO SPAM.  Just think about that.

`© Robert Rose 2015