This topic describes the basic principles behind the public-key technology that is used to produce digital signatures and digital envelopes in SAP Systems.
The secret behind public-key technology lies in the relationship between two keys, a public key and a private key. The person or component that wants to "sign" owns these two keys. These two keys have the following characteristics:
● The keys are pairs; they belong together.
● It is computationally infeasible to derive the private key from the public key.
● As the name suggests, the public key is to be made public. The owner of the keys distributes the public key as necessary. A recipient of a signed document needs to have knowledge of this key in order to verify the digital signature. Also, to send an encrypted document (digital envelope), the sender needs to know the recipient's public key.
● The private key is to be kept secret. The owner of the keys uses the private key to generate his or her digital signature and to decrypt messages protected with a digital envelope. Therefore, the owner of the keys needs to make sure that no unauthorized person has access to his or her private key.

In the rest of the documentation, we refer to the owner of the keys as the signer and the piece of information to sign as a document.
To be able to sign digitally, the signer needs a pair of keys. Typically, you have your Web browser generate these keys. You then send only the public key belonging to this key pair to a central instance called a Certification Authority (CA) to be signed; the private key never leaves your system. The CA checks your identity and returns a certificate that binds the public key to you. You can compare this to a central office that issues identification cards. The key pair then "belongs" to you and can be used for identification purposes.
Then, to sign a document, the signer uses his or her private key to create his or her digital signature. We describe this process in Digitally Signing a Digital Document.
The document, along with the signature, is passed on to the recipient.
The recipient of the document then uses the signer's public key to verify the signature and the integrity of the document (that it has not been changed since being signed). This is explained in Verifying a Digital Signature.
To create a digital envelope, you use a freshly generated secret (symmetric) message key to encrypt the document, "wrapping" it in a secure "envelope". The recipient of the message also needs knowledge of this message key to be able to decrypt the document. Therefore, you encrypt the message key using the recipient's public key and send it along with the encrypted document. See Creating a Digital Envelope.
The recipient of the document then uses his or her own private key to decrypt the secret key that was used to encrypt the document. He or she can then decrypt the document using this secret key. This is explained in "Opening" a Digital Envelope.
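The two procedures above (signing and verifying a document; creating and opening a digital envelope) as one worked example. This is added illustration code, not SAP code and not part of the original documentation; it uses the Go standard library only, with RSA-PSS over SHA-256 for the signature and AES-256-GCM plus RSA-OAEP for the envelope as assumed algorithm choices, and a constructed sample document.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates a key pair for a signer or a recipient. In the text this
// is the step the Web browser performs; here it is done locally.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key (RSA-PSS).
func SignDocument(signerPriv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, signerPriv, crypto.SHA256, digest[:], nil)
}

// VerifyDocument recomputes the digest and checks the signature with the
// signer's public key. Any change to the document, the signature, or the use
// of a different public key makes it return false.
func VerifyDocument(signerPub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(signerPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Envelope is what travels to the recipient: the message key wrapped with the
// recipient's public key, the GCM nonce, and the encrypted document.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte // AES-GCM ciphertext with the authentication tag appended
}

// Seal creates a digital envelope: a fresh random message key encrypts the
// document (AES-256-GCM), and only that message key is encrypted with the
// recipient's public key (RSA-OAEP).
func Seal(recipientPub *rsa.PublicKey, doc []byte) (*Envelope, error) {
	msgKey := make([]byte, 32)
	if _, err := rand.Read(msgKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(msgKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msgKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, doc, nil)}, nil
}

// Open unwraps the message key with the recipient's private key and decrypts
// the document. A wrong private key fails at the unwrap step; a tampered
// ciphertext fails the GCM authentication check.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	msgKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(msgKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	signer, _ := NewKeyPair()
	recipient, _ := NewKeyPair()
	doc := []byte("Purchase order 4711: 100 units") // constructed sample document

	sig, _ := SignDocument(signer, doc)
	fmt.Println("signature valid:", VerifyDocument(&signer.PublicKey, doc, sig))
	fmt.Println("tampered valid: ", VerifyDocument(&signer.PublicKey, []byte("Purchase order 4711: 999 units"), sig))

	env, _ := Seal(&recipient.PublicKey, doc)
	opened, err := Open(recipient, env)
	fmt.Printf("opened: %q (err=%v)\n", opened, err)
	_, err = Open(signer, env) // not the recipient's private key
	fmt.Println("open with wrong key fails:", err != nil)
}
```

Note that the signature is computed over the hash of the document, not over the document itself, and that the message key is wrapped with the recipient's public key only; the document never touches the RSA operation directly. In practice the signature and the envelope are applied together (sign first, then envelope) so that the recipient can verify who wrote the document after opening it.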
The questions still arise: "How do you know which public key belongs to whom?" and "How do you obtain the signer's public key?"
The answers lie in the public-key certificate.
We have mentioned that the signer needs to have a pair of keys. We also mentioned that a central instance, called a CA, binds these keys to their owner. The CA does this by issuing a digital certificate. This digital certificate contains the public key, the identity of its owner, and the CA's signature over both, which is the information needed to ensure that the public key belongs to the person indicated. For a detailed description, see Public-Key Certificate.
The signer distributes his or her public key by distributing his or her public-key certificate (for example, directly with an e-mail or by using X.500 Directory Services).
The recipient uses the information from the public-key certificate (namely the public key and the signature and hash algorithms to use) to verify the signature of the signed document. The recipient also knows that this public key belongs to this person, because a CA has signed the public-key certificate. The certificate carries the CA's signature and names the issuing CA, but it cannot vouch for itself: the recipient must already hold the CA's own certificate (for example, in a local trust store) and trust that CA, and uses the CA's public key from that trusted certificate to verify the CA's signature on the signer's certificate. If the recipient instead took the CA's public key from the signer's certificate, anyone could produce a certificate, a matching "CA" key, and a signature that verifies.
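A worked example of the certificate step (the CA signing the signer's public key) and of the recipient's check against its own trust store. This is added illustration code, not SAP code and not part of the original documentation; it uses Go's standard crypto/x509 package, and the CA name, subject name, validity period and 2048-bit RSA keys are assumed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA creates a self-signed CA certificate and its private key. A recipient
// must obtain this certificate out of band and decide to trust it; it is the
// only source of the CA public key used in VerifySignerCert below.
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueSignerCert is the CA step from the text: the signer submits only the
// public key and an identity, and the CA returns a certificate over both,
// signed with the CA's private key. The signer's private key is never seen.
func IssueSignerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, signerPub *rsa.PublicKey, subject string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, signerPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifySignerCert is the recipient's check. The CA public key comes from the
// recipient's own trust store (the trusted CA certificates passed in), never
// from the signer's certificate; with an empty store nothing verifies.
func VerifySignerCert(signerCert *x509.Certificate, trustedCAs ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
	}
	_, err := signerCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	ca, caKey, _ := NewCA("Example Test CA")
	signerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, _ := IssueSignerCert(ca, caKey, &signerKey.PublicKey, "Alice Example")

	fmt.Println("trusted CA:     ", VerifySignerCert(cert, ca)) // nil: chain verifies
	fmt.Println("empty store:    ", VerifySignerCert(cert))     // error: unknown authority

	// A rogue CA with the same name but a different key issues a certificate
	// for the same subject. Its signature does not verify under the CA key in
	// the recipient's trust store, so the certificate is rejected.
	rogue, rogueKey, _ := NewCA("Example Test CA")
	forged, _ := IssueSignerCert(rogue, rogueKey, &signerKey.PublicKey, "Alice Example")
	fmt.Println("rogue CA:       ", VerifySignerCert(forged, ca)) // error
}
```

The rogue-CA case is the reason the CA's public key must not be taken from the certificate being checked: the forged certificate is internally consistent and carries a valid-looking CA signature, and only the recipient's independently obtained copy of the genuine CA certificate exposes it.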
For more information, see:
● Digitally Signing a Digital Document
● Verifying a Digital Signature
● "Opening" a Digital Envelope