Cryptography – Keys and Key Management

Cryptography is an ancient mathematical science originally used for military communications, designed to conceal the contents of a message should it fall into enemy hands. Recent developments in cryptography have added further uses, including mechanisms for authenticating users on a network, ensuring the integrity of transmitted information, and preventing users from repudiating (rejecting ownership of) their transmitted messages.

Data that can be read and understood without any special measures is called plaintext or cleartext. The method of disguising plaintext in such a way as to hide its meaning and substance is called encryption. Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting ciphertext to its original plaintext is called decryption.

With end-to-end encryption, one end of a communication encrypts the contents of a message on its local machine or device. That data is then transmitted as ciphertext to the intended recipient on the other end, who alone can decrypt and read it using the appropriate secret "keys."

Data can be encrypted in transit and/or at rest. Information sent from a browser to a website and vice versa is data "in transit." Information stored on a computer or on a server is data "at rest."

A key is a value that works with a cryptographic algorithm to produce a specific ciphertext. Measured in bits, keys are essentially very large numbers. As a rule, the larger the key, the more secure the ciphertext.
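The terms introduced above (plaintext, ciphertext, key, encryption, decryption) in working code, as an added example that is not part of the original page. It uses AES-256-GCM from Go's standard library, so the key is a random 256-bit value as the text describes; the function names (NewKey, Encrypt, Decrypt, RoundTrip) and the sample plaintext are this example's own. Beyond the definitions themselves it also shows the two failure modes a practitioner should expect: decryption with the wrong key fails, and a single flipped bit in the ciphertext is detected rather than silently producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit (32-byte) AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt turns plaintext into ciphertext under key using AES-256-GCM.
// Output layout: nonce || ciphertext || authentication tag. A fresh random
// nonce is generated per call; a nonce must never repeat under one key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, so the nonce travels with the data.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error for a wrong key or for any
// modification of the sealed bytes, because GCM authenticates the ciphertext.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// RoundTripResult records what the demonstration observed.
type RoundTripResult struct {
	Recovered         string // plaintext recovered with the correct key
	CiphertextDiffers bool   // the plaintext does not appear inside the ciphertext
	WrongKeyFails     bool   // decryption with a different key is rejected
	TamperFails       bool   // a single flipped ciphertext bit is rejected
}

// RoundTrip encrypts a constructed plaintext, decrypts it with the right key,
// then exercises the two failure cases: wrong key and tampered data.
func RoundTrip(plaintext string) (RoundTripResult, error) {
	var res RoundTripResult
	key, err := NewKey()
	if err != nil {
		return res, err
	}
	sealed, err := Encrypt(key, []byte(plaintext))
	if err != nil {
		return res, err
	}
	res.CiphertextDiffers = !bytes.Contains(sealed, []byte(plaintext))

	recovered, err := Decrypt(key, sealed)
	if err != nil {
		return res, err
	}
	res.Recovered = string(recovered)

	otherKey, err := NewKey()
	if err != nil {
		return res, err
	}
	_, err = Decrypt(otherKey, sealed)
	res.WrongKeyFails = err != nil

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the authentication tag
	_, err = Decrypt(key, tampered)
	res.TamperFails = err != nil
	return res, nil
}

func main() {
	res, err := RoundTrip("transfer 10.00 to account 42") // constructed sample plaintext
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

GCM is used rather than a bare block mode so that the "unreadable gibberish" is also tamper-evident: anyone who can see the ciphertext in transit or at rest can neither read it nor modify it undetected.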

Public key cryptography (PKI, Public Key Infrastructure: the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption; PKI binds public keys to the identity of an organization or individual, and the binding is established through a process of registration and issuance of certificates by a certificate authority (CA)) is an asymmetric scheme that uses a pair of keys for encryption — a public key, which encrypts data, and a corresponding private key, for decryption. Anyone with a copy of the public key can encrypt information that only someone with the private key can read.

A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information’s origin, and also verify that the information is intact. In this way, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information.

A digital signature serves the same purpose as a handwritten signature and is nearly impossible to counterfeit. Moreover, it not only attests to the content of the information, it certifies the identity of the signer.

It should go without saying that key storage must be carefully and securely managed. Encryption key management means administering the full lifecycle of cryptographic keys. This includes generating, using, storing, archiving, and deleting keys, as well as limiting access to the keys physically, logically, and through user-role access.

As a general rule, the lifetime of a key is inversely proportional to the sensitivity of the data it protects. In other words, as data becomes more sensitive, the life of the key protecting it decreases (its expiration period is reduced).

Token uses PKI to secure communications between the Token Cloud (the functionality, data and resources running on physical and virtual servers maintained and controlled by Token, and accessed via an Internet connection) and its clients. Public keys are stored in the Token Cloud and are publicly shared, requiring valid signatures to be exchanged. Private keys are never shared. Each Token API (Application Programming Interface: a set of definitions and protocols for building and integrating application software; APIs let your product or service communicate with other products and services without having to know how they are implemented) invocation is digitally signed by the caller using its private key(s). The Token Cloud and connected banks verify each API request generated by the Token TPP (Third-Party Provider: an authorised online service provider introduced as part of Open Banking; TPPs exist outside of the account holder's relationship with their bank but may be involved in transactions carried out by the user) SDK (Software Development Kit: the set of software tools and programs used by developers to create applications for the Token platform; Token's SDK includes libraries, documentation, code samples, processes, and guides that developers integrate into their own apps) using the caller's public key.
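The signing and verification flow described above, together with the key-lifetime rule from the key-management section, as an added example that is not Token's code and does not reproduce Token's wire format. It uses Ed25519 from Go's standard library; the request shape (SignedRequest), the canonical string that is signed, the PublicKeyRecord with a NotAfter lifetime, and the sample request path and body are all this example's own assumptions. The caller signs with its private key, the verifier holds only the public key, and verification rejects a request whose body was altered after signing as well as a correctly signed request presented after the key's lifetime has passed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// PublicKeyRecord is what the verifying side stores per caller: the shared
// public key and the end of its lifetime. The private key is never stored here.
type PublicKeyRecord struct {
	Key      ed25519.PublicKey
	NotAfter time.Time
}

// SignedRequest is a constructed request shape for this example (hypothetical,
// not Token's actual wire format).
type SignedRequest struct {
	Method    string
	Path      string
	Body      string
	Timestamp int64  // Unix seconds; binds the signature to a point in time
	Signature string // base64 Ed25519 signature over Canonical()
}

// Canonical returns the exact bytes that are signed and later verified. Both
// sides must build this string identically or verification fails.
func (r SignedRequest) Canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%s", r.Method, r.Path, r.Timestamp, r.Body))
}

// Sign runs on the caller: it uses the private key, which never leaves the caller.
func Sign(priv ed25519.PrivateKey, method, path, body string, now time.Time) SignedRequest {
	r := SignedRequest{Method: method, Path: path, Body: body, Timestamp: now.Unix()}
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, r.Canonical()))
	return r
}

// Verify runs on the receiving side with only the public key. It rejects a key
// past its lifetime, a malformed signature, and any request whose canonical
// bytes do not match what was signed.
func Verify(rec PublicKeyRecord, r SignedRequest, now time.Time) error {
	if !now.Before(rec.NotAfter) {
		return errors.New("caller's public key has expired")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(rec.Key, r.Canonical(), sig) {
		return errors.New("signature does not match request")
	}
	return nil
}

// DemoResult records the three outcomes the example checks.
type DemoResult struct {
	GenuineAccepted bool // untouched request verifies
	TamperRejected  bool // body changed after signing is rejected
	ExpiredRejected bool // valid signature, but the key's lifetime has passed
}

// Demo generates a key pair, signs a constructed request, and verifies the
// genuine, tampered and expired cases against a fixed clock.
func Demo() (DemoResult, error) {
	var res DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	rec := PublicKeyRecord{Key: pub, NotAfter: now.Add(24 * time.Hour)}

	// Constructed sample request; the path and body are illustrative only.
	req := Sign(priv, "POST", "/v1/transfers", `{"amount":"10.00"}`, now)
	res.GenuineAccepted = Verify(rec, req, now) == nil

	tampered := req // copy: the signature is unchanged but the body is not
	tampered.Body = `{"amount":"10000.00"}`
	res.TamperRejected = Verify(rec, tampered, now) != nil

	res.ExpiredRejected = Verify(rec, req, now.Add(48*time.Hour)) != nil
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The lifetime check runs before the signature check so that a stored public key that has reached the end of its life is refused regardless of who holds the matching private key; rotating keys on a schedule tied to data sensitivity is only effective if the verifier enforces the expiry.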