Public key encryption: And they said it couldn't be done

Critics said it wouldn't work. They said it was too complicated. But now PKI, a technology that was once maligned, is protecting e-commerce transactions worldwide.

Anyone who has used a browser to buy a book from has made use of the public key encryption system. In fact, this two-key security system has become prevalent in buying on the Web.

Of the keys involved, one is there to authenticate the merchant while the other protects your credit card number. The basic idea is simple, but the execution is more involved.

Public key infrastructure (PKI) refers to all the machinery that the trusted public key encryption entity must maintain and protect.

This complex system is changing the face of e-commerce, making it more trustworthy than ever—a necessary movement for the survival of the dot com breed. But this complexity of PKI was almost its early downfall. The breadth of such a system had convinced early critics that the system would never be more than an academic curiosity—or the property of the government.

In this article, we’ll look at the history of this security technology, which, all in all, has proved its critics wrong.
This is the second of a two part series on PKI. In part one , we discussed how the technology works and the market for PKI vendors.
A skeptical start
Twenty-five years ago, when a young Stanford University computer science professor named Martin Hellman started talking about a new encryption scheme, his colleagues told him he was nuts.

“When this [public key encryption] was first proposed,” says Eric Holstege, chief technology officer with, an e-commerce outsource provider for digital goods in San Carlos, CA, “people said it would never work since it would be way too complicated to administer.”

Critics felt that if such a thing were possible, there was another group that would have created it.

“They said,” Hellman recalls, “‘The National Security Administration has a billion-dollar budget, so how can you hope to come up with anything they don’t already have? And if you do, they will just classify it.’”

Hellman ignored the sage advice and went on—with the aid of two students: Whitfield Diffie and Ralph Merkle—to create public key encryption, a method that turned out to be both new and highly successful outside the dark dungeons of national security.

The technique has spawned a new industry, that of the PKI vendor. It is, according to Abner Germanov, analyst with International Data Corp., still a fledgling industry, worth about $122.7 million in 1998. Germanov predicts it will be worth $1.3 billion by 2003. Firms such as VeriSign, Entrust Technologies, and Baltimore Technologies have built successful businesses on top of Hellman’s creation. It is difficult to imagine e-commerce today without it.

PKI basics
Hellman’s breakthrough insight was to separate the process of disguising a piece of data (encryption) from that of revealing it (decryption).

“Traditionally, ciphering was a symmetric process,” explains Holstege. “This means you use the same key to unscramble a message that you use to scramble it. The weakness here is that you must transmit the key with the message.”

Hellman designed a system that uses not one key but two: a public key that is available to everyone, and a private key that remains with a single party.

“It can be used in a number of ways,” says Hellman. “To send you a private message, for example, I could just look up your public key and scramble the message using that. Then I send it to you, and you can use your private key to unscramble it.”

The advantage to this system is that it is asymmetric. Anyone can encode a message, but only the one who is supposed to read it can do the decoding, since that requires the private key, known only to the recipient. And, since the private key does not need to travel, it stays nice and secure.

These key pairs are also commonly used for authentication. “This is where the digital signature comes in,” says Hellman. “In this case, you use the private key to scramble a piece of data that is the signature. Now anyone can decipher this since that is done with the public key. But only the private key holder can encode the right signature that verifies identity.”

The security of public key encryption does come at a price. The asymmetry of the model creates some real logistical problems. Key pairs and certificates that authenticate keys must be created and issued by a trusted entity, the certificate authority.

And the very existence of the industry, no matter how fledgling, must give Hellman at least some small measure of satisfaction. “When I first proposed public key cryptography, people said it was computationally unfeasible,” says Hellman. Now, as professor emeritus and board member of Confinity, a firm that leverages public key technology, Hellman can relax and watch his unfeasible creation flourish.

Mark Leon, originally from Austin, TX, now lives in San Rafael, CA, where he writes about business, technology, and science. He has also published three science fiction novels with Avon books.

Do you have plans to implement PKI in your company? Would you like to read more about this technology? Click here and let us know.

Editor's Picks

Free Newsletters, In your Inbox