Confidentiality refers to the desire that data only be read by the intended recipient. The science of keeping data transmissions confidential is called cryptography, and involves the following concepts:

• Encryption � the transformation of data into an unreadable form
• Decryption � the transformation of data back into a readable form, i.e. the reverse of encryption
• Algorithm � a complex, mathematical formula used for performing data encryption and decryption
• Key � a secret, random numerical value that is used by an algorithm to encrypt and/or decrypt data

Algorithms are standard sets of rules that govern key-based encryption, and are publicly known. Two of the most widely-used are the Data Encryption Standard (DES), developed by IBM, and RSA, developed by RSA Data Security, a subsidiary of Security Dynamics (NASDAQ: SDTI). Knowing which algorithm has been used to encrypt a file is not sufficient to perform decryption � the key must be known as well.
Therefore, secure file transfer requires that the key be kept secret from everybody except the intended recipient.

Three basic methods of cryptography are used for secure file transfer. In the descriptions below, the terms �sender� and �recipient� are used to denote the two sides performing encryption and decryption, respectively, but in practice, the processes are handled by software and are transparent to the users (both the sender and the recipient).

Symmetric Cryptography

In symmetric cryptography, a single key is used for both encryption and decryption. The encrypted file is sent to the recipient along with the symmetric key. The recipient uses the symmetric key to decrypt the file. DES is a symmetric encryption algorithm.

The problem with symmetric cryptography is that the encrypted file and the key are both sent over the Internet. Consequently, a third party that has intercepted the transmissions has the ability to decrypt the data.

Public Key (Asymmetric) Cryptography

Asymmetric cryptography solves this problem by using two keys: one for encryption, called the �public� key, and the other for decryption, the �private� key. Any party wishing to send and receive data �owns� a unique pair of keys. The �owner's� public key is made available to all parties that need to send data to the �owner� (i.e. the recipient).
That key is used by the sender to encrypt data, but it cannot be used to decrypt the same data. Only the recipient's private key can decrypt this data. Therefore, the recipient can ensure that transmissions remain confidential by carefully guarding his private key. RSA is the most commonly-used public key encryption algorithm.
Public key encryption is more secure than symmetric key encryption. However, it requires the use of much larger keys, and therefore more computation and more time.

Hybrid Public and Symmetric Key Encryption

A hybrid technique was developed to combine the security of public key encryption with the efficiency of symmetric encryption.
Data is encrypted using a symmetric key. The symmetric key is then encrypted using the recipient's public key. Both the encrypted data and the encrypted symmetric key are sent from the sender to the recipient. The recipient's private key is then used to decrypt the symmetric key, and the symmetric key to decrypt the data. The public/private key pairs used to encrypt the symmetric key are typically �owned� by the two parties (see Digital Certificates, below). The symmetric key is usually �session-specific� � generated specifically for the given transmission using a mathematically-based random number generator. This is the most common method of cryptography in use today.

Message Integrity � Digital Signatures

Message integrity � using digital signatures � involves verifying that a transmission has not been altered while in transit. By using public/private key pairs, digital signatures allow both sides to confirm the transaction so that neither party can repudiate it.
A digital signature consists of a unique, mathematically-derived fingerprint of the message itself (known as a one-way hash), encrypted with the sender's private key. The signature is attached to the message, and decrypted by the recipient using the sender's public key. If the fingerprint matches the document, then the recipient is assured that the message arrived the same way it left the sender and that it was "signed" with the sender's unique private key.

Authentication � Digital Certificates and Certification Authorities

Authentication addresses each party's desire to verify the physical identity of the other. Digital signatures indicate only that the person with the associated private key sent the message. Authentication also uses public/private key pairs, but adds an element of reality to the bits and bytes.

Certification Authorities (CAs) are trusted organizations that verify the actual identity of each party. They then issue each party a digital certificate composed of three parts � the owner's public key, a unique digital signature, and an "electronic ID card" containing information about the owner and an expiration date. The digital signature consists of a fingerprint of the electronic ID card, encrypted with the owner's private key. When the certificate is sent to another party, the public key (contained in the certificate) decrypts the signature, confirming the electronic ID card and the identity of the owner. This certificate is typically signed by the certification authority as well, authenticating the certificate itself. Certificates are standardized under the X.509 protocol developed by the ISO Authentication Framework.
Obviously, each party places implicit trust in the CA, which has verified the identity of the certificate owners and manages the certificates.