Public-Key Technology

This topic describes the basic principles behind the public-key technology that is used to produce digital signatures and digital envelopes in SAP Systems.

Public and Private Keys

Characteristics of Public and Private Keys

The secret behind public-key technology lies in the relationship between two keys, a public key and a private key. The person or component that wants to "sign" owns these two keys. These two keys have the following characteristics:

Note

In the rest of the documentation, we refer to the owner of the keys as the signer and the piece of information to sign as a document.

Generating and Assigning Keys

To be able to sign digitally, the signer needs a pair of keys. A central instance, called a Certification Authority (CA), generates these keys and assigns them to the owner. You can compare this to a central office that distributes identification cards. These keys then "belong" to the owner and can be used for identification purposes.

Note

As an alternative to receiving your keys from the CA, you can generate the key pair yourself and then send your public key to the CA to be certified.

Using a Digital Signature

Signing a Document

To sign a document, the signer uses his or her private key to create the digital signature. This process is described in Digitally Signing a Digital Document.

The document, along with the signature, is passed on to the recipient.

Verifying a Digital Signature

The recipient of the document then uses the signer's public key to verify the signature and the integrity of the document (that it has not been changed since being signed). This is explained in Verifying a Digital Signature.

Using a Digital Envelope

Creating a Digital Envelope

To create a digital envelope, you use a secret message key to "wrap" the document in a secure "envelope". The recipient of the message also needs knowledge of this key to be able to decrypt the message. Therefore, you encrypt this message key using the recipient's public key and send it along with the document. See Creating a Digital Envelope.

"Opening" a Digital Envelope

The recipient of the document then uses his or her own private key to decrypt the secret key that was used to encrypt the document. He or she can then decrypt the document using this secret key. This is explained in "Opening" a Digital Envelope.
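
The digital envelope described in the two sections above, as an added Go example that is not part of the SAP documentation: the sender seals the document under a fresh secret message key and encrypts that key with the recipient's public key, and only the matching private key opens it. The algorithms are assumptions, since the page names none (AES-256-GCM for the message key, RSA-OAEP for wrapping it), and generateKeyPair stands in for the key pair the CA would issue.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: the document encrypted under a fresh secret message key (AES-256-GCM)
// plus that message key encrypted with the recipient's public key (RSA-OAEP).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// generateKeyPair stands in for the CA-issued key pair (private half stays with the recipient).
func generateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sealEnvelope: the sender picks a random message key, encrypts the document with
// it and encrypts the message key itself with the recipient's public key.
func sealEnvelope(recipient *rsa.PublicKey, doc []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh message key followed by a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, doc, nil)}, nil
}

// openEnvelope: the recipient decrypts the message key with his or her private key,
// then the document with that key; a wrong key or a tampered ciphertext is rejected.
func openEnvelope(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects a recovered key of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```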

The Public-Key Certificate

The questions still arise: "How do you know which public key belongs to whom?" and "How do you obtain the signer's public key?"

The answers lie in the public-key certificate.

We have mentioned that the signer needs to have a pair of keys. We also mentioned that a central instance, called a CA, assigns these keys to the owner. The CA assigns these keys by issuing a digital certificate. This digital certificate contains the information needed to ensure that the public key belongs to the person indicated. For a detailed description, see Public-Key Certificate.

The signer distributes his or her public key by distributing his or her public-key certificate (for example, directly with an e-mail or by using X.500 Directory Services).

The recipient uses the information from the public-key certificate (namely the public key and which hash algorithm to use) to verify the signature of the signed document. The recipient also knows that this public key belongs to this person, because a CA has also signed the public-key certificate. (The recipient should also know of and trust this CA.) The recipient can also verify the validity of the CA's signature, because the CA's signature and its public key are also included in the public-key certificate.
