One of the big challenges to using asymmetric encryption is the fact that, well, if you're going to do a symmetric encryption, you're going to generate a public public keys will be read this time and a private key. So you're going to generate this key pair. Now, in this particular example, let's say that I'm a web server. And I own a company called Total seminars. And the website is www.pevs.com. And I want people to be able to buy stuff on my website.
So I want to set up a secure web server. So in the most simple world, what I would do is I would generate a public and private key pair, and anytime anybody logged into my website, I would automatically just send them this public key and then that way we can start a symmetric encryption. Well, that's a problem. That's a big problem. The problem with asymmetric encryption is the public key. If you get a public key from somebody and by the way when you log into a secure website, When you type in HTTPS, colon, backslash www.nba.com, you automatically get the public key sent from that website straight to your system.
Okay? So it's not like email where we'd have to send it via an email or anything like that. But the problem is, is do you as a person who is running a little web client? Do you know that this public key is for www.ebay.com? Yeah, it may say it up on the screen. But there's ways to get around that.
So the problem with asymmetric encryption is not the public private key that that works pretty much perfectly. The problem is in the key exchange, how do you know a Where did this public key come from? And be? Is it the person that you think it is? So there's two problems here. So in order to get around this, there's actually something really cool I want to tell you about.
And remember, we've said in previous episodes, that you always encrypt with the public key, and you decrypt with the private key and that's True, but I'm gonna let you in on a little secret. There is no difference between a public and a private key. I mean, they're different numbers. They're just binary strings. And they're different binary strings. But there's nothing special about the public key that it can only encrypt.
There's nothing special about the private key that only decrypt. When you generate a public private key pair. Either one of these could be the public key, just by convention, we pick a particular one. So again, the public and private key are just a string of ones and zeros. They're different strings, but they're just strings of ones and zeros. Anything you encrypt with this can be decrypted with this.
Anything you encrypted with this can be decrypted with this. Now, we never do that. We never never ever do that. The reason we don't do it, is because if we started to encrypt with both sides of this, there are ways that it can be hacked and naughty things happen. We don't want to ever do that. However, there are some cool things we can do.
Let me give you one example. So again, I'm going to go back to WWW dot Tolson calm, I generate a publication private key, you log into my website, got it. Now, what I'm going to do is I'm going to send you the public key, but I'm not going to send you the public key by itself. What I'm going to do is I'm going to take the webpage that you're on right now, whatever that webpage is, and I'm going to encrypt it encrypted with my private key. And then I'm going to send you a hash of that web page got the idea. So when I send you my public key, I'm not just going to use the public key, I'm going to literally take the entire web page, encrypt it with my private key, and then I'm going to make a hash out of it.
And I'm going to send you not only my public key but a hash of the page that you're on right now. What you can do is because you're getting that webpage to is with your public key, you can encrypt that entire webpage, it's the exact same page, hash it and compare the hash that I sent you with the hash that you've generated. And you now know Without any question whatsoever that whoever is associated with this private key has sent you the public key. Do you understand the power of that? It gives us a little bit of a tool that says, yep, whoever has this private key has sent me this public key. And we call that a digital signature.
A digital signature is just a hash. That's all it is. So if it's a web page, we hashed, we encrypt and hash the web page. If I'm sending you a public key for email encryption, whatever email that I'm sending you, at that moment, I'm going to go ahead and encrypt it and hash it. And whatever it is, we have now generated a digital signature. And a digital signature is nothing more than a hash of whatever chunk of data that happened to be looking at the encrypted chunk of data that says, This had to have come from this private key.
Well, that's great, but it's not complete. See, the problem that we run into now is that again, let's go back to my www dot total seven.com And so you go to www.opm.com. And you go and you want to start buying stuff and it kicks over into a secure web page. So boom, comes down the public key, boom comes down. My digital signature didn't really come from www.hsn.com. I mean, sure, it says wwe.com.
But I can beat that there are ways that I can spoof those addresses and fool you. But what if I stole somebody else's certificate? What if I stole a certificate from www.intel.com and pass that down? The problem you have now is that you can't say for sure that I, Mike Myers and the person or I total sem, calm and the person from which this public private key pair was generated. So to get around that, what we're going to do is you and I are going to shake hands, and before we start doing any business, we're going to agree on a third party. Let's say you and I both know my buddy Janell.
All right. So what I'm going to do is I'm going to go to Jeanette, and I'm going to say, hey, Janelle, I would like you. Because you and I know each other, we've been friends for 30 years, I want you. And by the way, you have one of my public keys, I have your public key, whatever. What I need you to do is generate your own digital signature, not based on this relationship here, but based on your in my relationship. And what I'd like to do is attach that digital signature to my public key along with my digital signature.
So what we've done now is we have a public key, and this public key says, Well, my my public key, then we have a digital signature, which guarantees that whoever actually owns that private key is associated that public key. And then we have a third party that says, yep, I guarantee well, as much as money in law will allow that. This is Mike Myers, and it's the www dot Tolson website, and it is okay. So this all sounds pretty good. But we don't ever send public keys by themselves. We don't send piles of keys with all these digital signatures, I guess with email, we could make three attachments or something.
What we do instead is we generate something called a digital certificate. A digital certificate is a document. It's like a Word document. It's like a halfway filled in Word document and you use you fill in the blank spots. And if you send anybody a public key, you don't send a public key by itself. It's never done.
You send a certificate. And inside that certificate is going to be my public key. It's going to have me make sure I get the right one. It's going to have my digital signature, knowing that it came from my key pair. And it's going to have the third party that you and I trust that says Yep, this is really Mike Myers. Now, what's important is that you and I don't generate our certificates we can, and we'll talk about that in the next episode.
But what we normally do is we go to a third party we go, would you create me a certificate, and that person knows us in some fashion. We have met with them, they know my company, whatever it is, and they will and they already have my public key. So if they don't, I can hand it to them, give them a public key, give them my digital signature. And then they will generate a certificate, it's the actual process of generating certificate is trivially easy. You can do it any copy of Linux, any copy of Microsoft Windows, and you can generate the certificate, they'll generate the certificate. But what they do that makes it important and good and amazing, is that they add their third party digital signature that says, Good.
And that's where the challenge comes in. Oh, and by the way, once I have this certificate, I can pass it out to anybody. I can take the certificate, put it into my web server. And anytime anybody logs into my web server and wants to go secure, boom, they automatically get a copy. I can, if I want to do this for email, I can take this certificate embedded into any email, not an encrypted email, just a regular email, go, Hey, here's my certificate, we pass out certificates like crazy, because this is how we move public keys. Okay?
The trick here is, who do you trust? Because the whole power of a certificate is that we have people that we trust, well, that the two sides of this equation trust and say, Yep, this is somebody I'm going to trust and do business with. So there's really three ways to do trust. The first way to do trust is to generate a certificate on your own. Forget the third party just make your own certificates easy enough to do and that's called an unsigned certificate. unsigned certificates are fantastic.
As long as both people understand that there is no third party vouching for you. We use unsigned certificates here, total seminars, I have some in house web servers, and people want to access them. We all know each other, I mean, you can't even get to this web server unless you're an employee of mine. So unsigned web servers there are very common and they work fine. But only if you have some other form of trust, like you work for me. Other than that, you've got two other choices, web of trust, and pk.
So let's start with web of trust, I got a little graphic for you to show you how that works. So here's me, and I want to get a certificate. Now in order for me to get a certificate. In this particular situation, this web of trust, we don't have a particular authority. So what I have to do is find other people who are using this type of certificate. So here's a couple of people I know and I can get them to sign my certificate.
Now, depending on how this is done, and you see this with email, a lot of times you almost never see some web browsers. What will happen is that I will have to probably call this person on the phone, I might have to send them a photocopy of my drive. license, it really just depends on how rigorous a particular Web of Trust is. And now these web address can grow. So let's make this a little bit bigger. And over time, with a web of trust, you end up having a fairly complicated setup, where you have a lot of people who trust each other.
Web of Trust works beautifully as a trust model for certificates, but it has some problems. The big problem to Web of Trust is that it requires a lot of people doing a lot of work, to administer and make this happen. There's very little the Web of Trust that's in essence, automated, you've got to work hard to keep it up and going. That's why Web of Trust has never really taken off. It's had its moments for email certificates. It's had its moments for, believe it or not even hard drives, encryption and stuff like that.
But if you really want to do trust with certificates, the right way, you do something thing called public key infrastructure. public key infrastructure is a hierarchical method that starts off with root servers up at the top intermediate servers and goes down to users. So there's always a boss at the top. Let me show you how this works. public key infrastructure is based on the idea of a hierarchy. At the top of this hierarchy are what we call the certificate authorities.
The certificate authority is an organization that pretty much just issued certificates. These are usually big companies. Probably the most famous is VeriSign, but thought it would be another name that comes to mind. There's just a few hundred of these and these organizations simply based on the full faith and credit of your and my trust in them, generate certificates that everybody knows and recognizes. Now, if we have a lot of people who are going to the certificate authorities, the challenge that we run into Is that they can get kind of busy. So normally what we'll do is between us the users of those certificates, and the certificate authorities, our intermediate certificate authorities who are only there to take the load off of the certificate authority themselves.
So basically, we have a nice little hierarchy like this. pk is the way we do the internet. If you're going to be dealing with certificates on the internet, particularly in an e commerce way, you're going to be dealing with PK AI, and anybody who's ever set up a website that actually uses HTTPS realizes that you got to go to people like VeriSign and Florida and folks like that. In fact, the whole idea of PK AI is pretty complicated. It's fascinating, but we need to get some more depth to it. And in order for us to really, really understand and wrap our minds around PK AI, I'm going to save it for the next episode.
See you there.