Secure Servers and Encryption
Secure web servers use an encryption technique called public/private key cryptography. The same technique is used in the program PGP, which is free for personal use. Before using PGP, or any public-key system, you create two uniquely related keys (in practice they are very large numbers): a public key and a private key. What is encrypted with one key can only be decrypted with the other. You freely distribute your public key to friends, customers, business associates and so on, but your private key is held by you alone. Here's the interesting thing that can be done with these keys:

How does a Secure Server work?
When a browser connects to a secure server, it encrypts a one-time session key with the server's public key and sends it; only the server, which holds the matching private key, can recover it. The data which is to be 'Posted' is then encrypted under that session key and sent. Anyone who intercepts the connection sees only ciphertext, because the private key never leaves the server.

How does the browser know what the public key is?
It relies on a trusted third party, a CA (Certificate Authority). Cape.Com registers your company's public key with one of the CAs VeriSign or GeoTrust, and every browser ships with the public keys of these CAs. Here's where things get tricky. The CA issues a certificate for www.yourcompany.com: a statement binding that name to your public key, signed with the CA's private key. The server presents this certificate to the browser at the start of every secure connection, so the browser never has to contact the CA. The browser checks the signature with its built-in copy of the CA's public key; since only the CA's private key could have produced that signature, a successful check ensures that the name-to-key binding came from the CA and no one else, and an impostor who swaps in a different public key cannot forge it. The browser also confirms that the name in the certificate matches the site it asked for before it uses the enclosed public key.

What does Cape.Com do with data received by our Secure Servers?
Our cgi-bin scripts use PGP to take the data received, encrypt it with www.yourcompany.com's public key, and either store it in a log file or email it to you. To read the data, you decrypt it on your end using your private key. The private key is not stored on any machine which is connected to the Internet. Note that the data is necessarily in the clear on the server for the moment between the secure server decrypting it and the script PGP-encrypting it; the PGP step protects it from then on, at rest and in transit to you. In addition to being encrypted, log files are stored on a password-protected ftp site, so a stolen ftp password alone does not expose them: the encryption adds an additional layer of security.

What Do You Need on Your End?
A copy of PGP. If it's for personal use, you can get a copy for free. If you use it for commercial purposes, you need to buy a licensed copy for about $50.

Related Pages
A description of the various levels of services available for E-commerce sites.
Payment processing methods for handling orders and selling products on your website.
PGP stands for, literally, Pretty Good Privacy. It's a very strong encryption system for safeguarding files and sending email.

Related Links
VeriSign is the Internet's leading source of digital signatures, used for secure Web-based communication.
PGP, the standard for file and email encryption.
The information presented in this section is deemed accurate but is
not guaranteed. It is provided as a free service to our subscribers
and clients. Additionally, Cape.Com, Inc. exercises no editorial control
over any links that are outside the www.cape.com domain and the content
of these sites does not necessarily represent the views and opinions
of our Company, its employees or clients.