In recent years, many advances have been made in cryptographic technology and various approaches have been taken. The different approaches achieve varying levels of strength against cracking.
One type of encryption that is quite popular because of its strength and other features is public-key encryption.
Public-key encryption involves each party having two keys: one that is kept private to everyone but the owner and another that can be made very public. This other key can be placed on Web pages, sent in an e-mail message, given out on floppy disks, and so on. Messages (or data) are then encrypted using the private key of the sender plus the public key of the intended recipient. On the other end, the data can only be successfully decrypted using the opposite pair of the sender’s public key combined with the recipient’s private key.
This type of encryption achieves its high level of security at the expense of speed. It takes several orders of magnitude longer to encrypt and decrypt using public-key technology than using certain other forms of encryption algorithms. This is because public-key encryption usually involves much more bit-crunching to encrypt a given amount of plain text, as compared to symmetric-key encryption, for example.
The public-key approach provides a second, built-in feature, which is arguably just as important as encryption itself: the ability to “sign” encrypted data in such a way that the recipient can be certain that the decrypted message actually came from the individual whose public key was used in decrypting.
Because two keys are always used, it would be necessary for someone to steal one or the other private key before the thief could “forge” a public-key encrypted message that decrypts successfully using the recipient’s private key. Moreover, it is also possible to use the same encryption techniques to get the signature or “verified sender” benefit without needing to encrypt the information. This becomes useful in situations where neither party cares whether the information conveyed is made public. They are only interested in whether the message originated from whom it claims to, and whether the message was altered (accidentally or intentionally) while in transit.
Another popular form of encryption, called symmetric-key encryption, requires using the same key for both encrypting and decrypting. Obviously, this works only if the key used remains undisclosed to anyone but the sender and recipient.
This technique, while not as secure as public-key encryption, is significantly faster in operation—as much as a thousand or more times faster—than using the public-key technology. A disadvantage of the symmetric-key approach is that it requires that the key also be conveyed somehow from sender to recipient.
Because public-key algorithms provide extreme security (plus signatures) at the expense of speed, and symmetric algorithms provide speed at the expense of somewhat weaker security, another common approach is to use a combination of both techniques.
A symmetric encryption algorithm is used to encrypt the main body of plain text (or data), and then the symmetric key is encrypted using the stronger but slower public-key encryption. This public-key encrypted symmetric key can then be safely included along with the body of encrypted text (ciphertext), and allows the symmetric key to be retrieved by the recipient (or recipients) whose public keys were used to encrypt the sender’s symmetric key. This combines the benefits of faster encryption for the bulk of the information, with stronger encryption to safeguard the enclosed symmetric key, and also provides the benefit of a digital signature.
In order to safely include a key along with encrypted data, the key itself must encrypted. The crypto API permits doing this by built-in functionality that can export the encrypted key for you. This encrypted key is called a key blob.