what's the difference between public-key encryption and digital certificates?

1

I've been reading an article on IPsec and it continues to mention public key encryption and digital certificates to authenticate two networks (gateways) or hosts over a network. I know that public key encryption is where one host has a public key and when it sends IP packets to the other host, that host has a private key which is used to decode public key sent with packet, and therefore if it can decode it, then it is a secure connection. It seems that a digital certicate operates the same one. You register it with a certificate authority and they give you a public key and when you talk to other host, that host decodes public key and matches it with private key to ensure its secure. Why use public-key encryption? WHy not just use a digital certificate?

JohnMerlino

Posted 2014-09-06T18:26:26.860

Reputation: 257

As you say, a certificate comes from an authority. The authority confirms that your server is what it says it is on the network/Internet. That's all it does. Public key encryption is just a mechanism of securing "messages" (data). – Kinnectus – 2014-09-06T18:30:17.233

1@BigChris from what I read, certificate is more than that. It encapsulates the public key itself. – JohnMerlino – 2014-09-06T18:45:35.133

I'm unsure entirely whether it encapsulates or not, but I was just giving you the fundamental differences :) – Kinnectus – 2014-09-06T19:00:39.087

1There is no difference. A digital certificate uses public-key encryption. – Ramhound – 2014-09-06T21:44:32.750

Answers

4

Public-key encryption is a process. A certificate, meanwhile is a piece of information; it does nothing by itself. Therefore you can replace a public key with a certificate, but you cannot replace public-key encryption with a certificate.

Also, certificates are an extension of public keys; they carry a public key along with information about who owns it and who issued it. So saying "just use a certificate instead of a public key" is backwards.

Some protocols (like OpenPGP or TLS) use certificates because they make use of the information in certificates; usually for making sure that it's a "real" certificate and not just something made up on the spot. This is important not for encryption, but for authentication.

Other protocols (like IPSec or SSH) can use both – either manual configuration of public keys corresponding to each user & host, or automatic verification of certificates according to the names stored in them.

(In fact, public-key encryption is used very little in modern TLS or SSH. Remember that it's much slower than symmetric encryption, and therefore both ends just decide on a random symmetric key for the session, and use it to symmetric-encrypt the bulk of the data using AES or RC4 or such. In the past, one side would generate the session key, encrypt it with the public key of the other side, and send it over, where it would be decrypted using the private key. Now, however, both sides use DH or similar protocols to calculate the session key, and the only purpose of public keys is to authenticate the calculations sent by both sides.)

user1686

Posted 2014-09-06T18:26:26.860

Reputation: 283 655

Asked: 2014-09-06T18:26:26.860

Viewed: 685 times

Active: 2014-09-06T19:30:14.440