Cryptography is commonly employed to authenticate data, encode data, or encrypt/decrypt data in a manner that allows the data to be stored, accessed and/or transmitted in a controlled/secure manner. Cryptography is becoming more and more popular as computers and networks increase in number, size and complexity.
One basic form of cryptography is asymmetric encryption, which uses public-key encryption algorithms. Public-key algorithms typically employ two different keys (known as a key pair), namely, a public key and a private key. These two keys are typically derived from extremely large prime numbers, making them mathematically related. However, it is practically impossible to derive one key from the other. As suggested by their names, the public key is made public, while the private key is kept private. Information (i.e., data) that is encrypted with either one of the keys can only be decrypted with the other one of the keys. Thus, for example, data encrypted with the private key can only be decrypted with the public key, and vice versa.
Since public-key algorithms can be somewhat slow, particularly when encrypting large amounts of data, a digital signature can be used instead to digitally sign the data. A digital signature can be produced by passing the data through a specific one-way hashing algorithm. The hashing algorithm produces a much smaller message digest. As a result of the hashing algorithm, the message digest is a unique value that can essentially act as a “fingerprint” for the larger data file. Once a message digest is created, it can be encrypted, for example, using the private key and attached to the larger data file when it is sent or otherwise provided.
One problem associated with such cryptography techniques is that a third party might attempt to masquerade as one of the communicating parties, for example, by fraudulently holding out a public key that is represented to be the public key of one of the communicating parties. Any messages or hashes that are intended for the communicating party and encrypted with the fraudulent public key could conceivably be decrypted with the accompanying private key by the third party.
To address this problem and others, a digital certificate can be employed by the communicating parties. A digital certificate is a credential issued by a trusted organization or entity called a certification authority (CA), such as, for example, VeriSign, Inc. This credential typically contains a public key and data that identifies the certificate's subject (i.e., the applicable communicating party). A certificate is usually issued by a CA only after the CA has verified the identity of the certificate's subject and has confirmed that the public key included with the certificate belongs to that subject. The certificate may also include a digest of the certificate's contents that is signed with the private key of the CA to ensure that the certificate has not been altered or forged.
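The hash-then-sign step and the CA-signed certificate described above, shown as an added example that is not part of the original text. It uses textbook RSA without padding over keys built from known Mersenne primes; the key sizes, the subject name "alice" and the sample message are constructed assumptions chosen so the block runs with the standard library alone.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys below

def make_key(p_bits, q_bits):
    """Textbook-RSA key pair from two Mersenne primes 2**k - 1 (constructed toy keys)."""
    p, q = 2**p_bits - 1, 2**q_bits - 1
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)  # (public, private)

def digest(data):
    """One-way hash: the small fingerprint of the larger data."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    """Transform the digest with the private key; the result travels with the data."""
    d, n = private
    return pow(digest(data), d, n)

def verify(data, signature, public):
    """Recover the digest with the public key and compare it with a fresh hash."""
    e, n = public
    return pow(signature, e, n) == digest(data)

def cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(subject, public, ca_private):
    """CA binds a subject name to a public key by signing a digest of both."""
    return {"subject": subject, "public": public,
            "ca_sig": sign(cert_body(subject, public), ca_private)}

def check_certificate(cert, ca_public):
    return verify(cert_body(cert["subject"], cert["public"]), cert["ca_sig"], ca_public)

def demo():
    ca_pub, ca_priv = make_key(2203, 2281)
    alice_pub, alice_priv = make_key(521, 607)
    other_pub, _ = make_key(1279, 3217)      # key held out by a third party
    cert = issue_certificate("alice", alice_pub, ca_priv)
    message = b"transfer record 0001 (constructed sample data)"
    sig = sign(message, alice_priv)
    swapped = dict(cert, public=other_pub)   # same certificate, substituted key
    return {"cert_ok": check_certificate(cert, ca_pub),
            "message_ok": verify(message, sig, cert["public"]),
            "tampered_message_ok": verify(message + b"!", sig, cert["public"]),
            "swapped_cert_ok": check_certificate(swapped, ca_pub)}
```

The relying party needs only the CA's public key: a certificate whose key has been substituted no longer matches the CA's signature, and a message altered after signing no longer matches its digest.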
To further the mobility of users, portable devices, such as, for example, smart cards, can be used to authenticate that a user is allowed to access various resources or information. While some smart cards are configured to provide asymmetric encryption, other smart cards are limited, for example, by export regulations, to only provide digital signatures. In certain situations, therefore, smart cards that are limited to providing digital signatures are unable to support the necessary encryption-based authentication processes. Consequently, there is a need for improved methods and arrangements that can be implemented to allow signature-generating devices to support encryption-based authentication processes.