More Crypto API

I want to get back to sharing some information I obtained by studying the documentation for Microsoft’s Crypto API. Public and private key pairs are used in asymmetric encryption. This encryption is a method where a different key is used to encrypt versus decrypt. It is much slower than symmetric encryption where the same key is used to encrypt/decrypt. The speed difference is on the order of being 1000 times slower. You do not want to use asymmetric encryption for a large amount of data.

There is often the need to sign a message that could be large. However you want this operation to happen quickly. The goal is to verify that the message was actually sent by the person, and that its contents were not modified en route to the recipient. The way this is done is that a hash is made of the message. Then this small hash is signed and sent encrypted. The rest of the message is not.

A hash has a fixed length that is small. For example it might be 128 or 160 bits long. The hash is sometimes called the digest. Creation of the hash is a one way function. That is, given some data you can create the hash. However you cannot reverse the process and generate the original data using the hash.

So to quickly sign a message, you add a signature string to the end of it. The potentially large message gets a hash generated for it. The hash is encrypted using the sender’s private key and included in the signature string. Recipients of the message can then decrypt the hash using the public key of the sender. The recipient generates another hash from the text of the message that was received. If the generated hash and the decrypted hash match, the recipient can be confident that the sender actually sent the message, and that the message arrived intact.

I like to think of the hash as a check sum that comes in handy for encryption. There is a whole lot more to the Crypto API. I will try to post some more article about it in the future.