Client's portal

UNDERSTANDING THE BASICS OF PUBLIC KEY CRYPTOGRAPHY

Public key cryptography, or asymmetric cryptography, is an encryption method that makes use of advanced mathematics to produce a set of public and private keys. As an essential component of modern cryptosystems, applications and protocols, asymmetric cryptography assists in safeguarding the authenticity and protecting the confidentiality of data exchanges over insecure networks such as the internet.

Symmetric and asymmetric encryption

Encryption is a central concept in cryptography. Through encryption, a message or information is encoded in a format that cannot be understood by an interceptor.

In symmetrical encryption, the same key is used to both encrypt and decrypt electronic communication. It follows that all parties involved have to exchange the key utilized in the encryption process so that it can also be used to decrypt the information. As the number of participants increase, finding secure channels for key exchanges becomes more difficult, necessitating frequent key changes. Furthermore, if the information is to be kept secure from other users, separate keys would be required for each pair of users.

By contrast, in asymmetric encryption, the key utilised to encrypt the message is different from the key performing decryption. A pair of private and public key is used to protect data during transmission.

Private and public key pair

A private and a public key pair are uniquely mathematically related and any information encrypted using a public key may only be decrypted by its corresponding private key, and vice versa.

A sender transmitting sensitive data to a receiver would encrypt the data using the receiver’s public key. The encrypted data can only be decrypted to its original form by the use of the receiver’s private key.

Security of the public key is not required. It can be passed over the internet or made available to everyone via a publicly accessible repository. The private key, on the other hand, has to remain confidential to its respective owner.

While the public key is created from and linked with the private key through a mathematical algorithm, it is nearly impossible to compute a private key from a public key, thus maintaining its security.

RSA algorithm

RSA (Rivest-Shamir-Adleman) is the most widely used asymmetric algorithm. It derives its security from the computational difficulty of factoring the product of very large prime numbers.

Prime numbers have the unique property in that they have only one factor other than 1. Factoring a number means breaking that number into smaller numbers that can be multiplied together to get the original number. For instance, the first few prime numbers are 2, 3, 5, 7, 11, 13, 17 and 19. The factors of 91 are 7 and 13 given that 7*13 = 91.

Solving 91 = a*b is much more time consuming than 7*13 = x. The difficulty is compounded in the case of very large prime numbers. Starting from the product of two very large prime numbers as used in cryptography, it would take the fastest computer years to derive the factors, given the size of the number and the fact there can only be one correct answer (a unique combination of two prime factors).

There is currently no fast algorithm to factorise an integer into its prime factors and mathematicians and computer scientists have so far been unable to find a more efficient way of factoring a large number than by simply trying every possible combination (dividing by 2, then by 3, then by 5, and so forth). 

In this example, two very large secret prime numbers may be used as private key, with the public key being represented by the product number. It is computationally infeasible to derive the private key from the public key. Hence, public keys can be shared freely.

Digital signature

An important aspect of public key cryptography is its ability to create a digital signature which can provide assurances as to the sender’s identity and the status of an electronic document or transaction, as well as acknowledging informed consent by the signatory. 

Assuming that the private key remains secret, digitally signing a message with one’s private key conveys to the recipient that:

  • The message is authentic, deriving from the particular person holding the private key;
  • The message has not been tampered in transit since any change would need to be signed again with the private key.

Given that the signatory is the only person with access to the private key, the message cannot subsequently be repudiated.

Public key fingerprint for key authentication

The possibility exists for parties to an electronic exchange being tricked into using the public key of a wrong person. For instance, in a ‘man-in-the middle’ attack, the attacker would intercept the message containing the public key of the sender, forge the message, and transmit the attacker’s own public key to the intended receiver. To counter this, a public key fingerprint can be used to authenticate a much larger public key. 

The public key fingerprint is a short sequence of data created by applying a cryptographic hash function to the public key. The hash function is an algorithm that associates data of arbitrary size to a data structure that compactly stores units of data. 

The owner of the public key would be asked for his or her public key fingerprint over a trusted channel (such as over the phone or in person), and this trusted fingerprint can then be matched against the fingerprint of the public key.

Security of the private key

It should be apparent that the private key would need to be kept very secure. Any accidental destruction of the private key would render the user unable to decrypt messages. Theft of the private key, either through physical access to the private key or through computer malware, would allow others to impersonate the user and read the user’s encrypted messages.

DTOS provides valuable insights and value-added services to businesses and individuals with regard to their evolving present and future needs. Should you have any query in relation to the topic covered and require any assistance, please do not hesitate to contact us. We shall be pleased to assist you.

Fred Yeung Sik Yuen CPA FCCA CGMA MBA

Published on 10 February 2020

Client Risk Assessment​

• Digitalised Client Screening, profiling and enhanced due
diligence

FATCA/CRS Reporting​

Assistance to comply with US Foreign Account Tax
Compliance Act (FATCA) & OECD Common Reporting
Standards (CRS):


• Apply the prescribed due diligence rules and completing the
‘Self-Certification’ exercise;


• Design and implement internal processes and procedures to
ensure compliance under FATCA/CRS;


• Assist in compiling, assessing, validating and reporting the
reportable information under FATCA/CRS to the competent
authorities in XML format.

Independent compliance audit​

• Run an independent onsite AML / CFT audit


• Run a Consultancy and Project Development programme

Training and Refresher Courses

• AML / CFT Risk Management

• Data Protection Framework

• Legal and Regulatory Updates