Authenticity in cryptography

Mohith Marisetti
3 min readSep 26, 2021


This article is an add-on to my earlier article “Integrity in cryptography”. So far we have discussed confidentiality and integrity. Now let us discuss the last piece of the puzzle, authenticity. Authenticity is the property that a message really comes from the party it claims to come from; authentication is the act of proving one’s identity. Whenever we go to a website like Gmail or Facebook we are prompted to enter our username and password. By entering these credentials we are proving (more technically speaking, authenticating) ourselves to the server.

That is one form of authentication: password-based authentication (loosely called “basic” authentication; note that HTTP Basic Authentication is a specific scheme that sends the username and password in a request header). There are other ways to authenticate, so let’s see how one can leverage the concepts we learned in the previous articles to achieve authenticity. From the previous article we know about asymmetric key encryption, where we have two keys, a public key and a private key. We also know the two important properties that come with asymmetric key encryption. If you don’t remember what they are, here’s a quick recap. Any text/message encrypted with one key can only be decrypted with its opposite pair. For example, a text encrypted with a public key can only be decrypted with the corresponding private key, and vice versa. (The “vice versa” direction is a textbook simplification that is literally true of raw RSA. In practice, signing and encrypting are distinct, padded operations even with RSA, and many signature schemes, such as ECDSA and Ed25519, cannot encrypt at all. The intuition below still holds: only the private key can produce a signature, and anyone with the public key can verify it.)

Now, using this knowledge, let’s take a concrete example. Let’s say there are two parties, Alice and Bob, who want to communicate with each other. For this purpose, both parties generate their own public and private key pair. The way they would communicate looks like this:

Image Credits: https://medium.com/blockwhat/public-key-cryptography-a-comprehensive-guide-1e8489e08104

Alice sends a message to Bob by encrypting it with his public key. In addition, she attaches a digital signature (as we discussed in the earlier article), computed over a hash of the message with her own private key. When Bob receives the message he uses his own private key to decrypt it and view its contents (this is possible because of the special property of the public-private key pair discussed above). Since the message was encrypted with Bob’s public key, nobody else can read it, so confidentiality is covered. Now for the interesting part: how does Bob know that this message was sent by Alice and not by some malicious attacker? This is where the digital signature and the special property of public-private keys come into the picture. The signature was generated with Alice’s private key, which only she holds. Anyone in the network, including Bob, can obtain her public key and run the signature verification over the decrypted message. If the signature verifies, it could only have been produced by the holder of Alice’s private key, and the message has not been altered since she signed it (so the same check also gives integrity). By this Alice authenticates herself (proves her identity) to Bob.

There is one caveat a practitioner should keep in mind: the whole argument depends on Bob actually holding Alice’s genuine public key. If an attacker can hand Bob their own public key labelled “Alice”, the attacker’s signatures will verify just fine. Binding a public key to an identity is the job of certificates and a public key infrastructure, or of an out-of-band fingerprint check, and is a separate problem from the signature itself.

Note: If Bob wants to send a message to Alice, he does the same sequence of steps (just swap Alice and Bob in the example above).
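The exchange described above, as an added example written for this article (not code from the original post): Alice signs the plaintext with her private key and encrypts it to Bob’s public key; Bob decrypts with his private key and verifies the signature with the public key he trusts as Alice’s. It uses Go’s standard library only, with RSA-PSS for signing and RSA-OAEP for encryption rather than raw “encrypt with the private key”. The names `Seal`, `Open`, `Envelope`, `NewKeyPair` and the sample message are my own choices, and the third party Mallory is added to show what happens when an impostor tries to pass as Alice.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the network: the message encrypted to the
// recipient's public key, plus a signature the sender made over the plaintext
// with their private key. Anyone holding the sender's public key can check
// the signature; only the recipient can recover the plaintext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// NewKeyPair generates a fresh 2048-bit RSA key pair for one party.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is Alice's side: sign a SHA-256 digest of the plaintext with her
// private key (RSA-PSS), then encrypt the plaintext to Bob's public key
// (RSA-OAEP). This is the sign-then-encrypt order used in the article.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, fmt.Errorf("sign: %w", err)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, fmt.Errorf("encrypt: %w", err)
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// ErrNotFromClaimedSender is returned when the envelope decrypts but the
// signature does not verify under the public key Bob associates with Alice:
// either the plaintext was altered or someone other than Alice signed it.
var ErrNotFromClaimedSender = errors.New("signature does not verify under the claimed sender's public key")

// Open is Bob's side: decrypt with his private key, then verify the signature
// with the public key he trusts as Alice's. The plaintext is released only if
// both steps succeed, so a caller never sees unauthenticated data.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, ErrNotFromClaimedSender
	}
	return msg, nil
}

func main() {
	// Each party generates its own key pair. In a real deployment Bob must
	// obtain Alice's public key over a trusted channel (a certificate, a key
	// server he trusts, an out-of-band fingerprint check); this example
	// simply assumes he already has it.
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	mallory, _ := NewKeyPair()

	msg := []byte("Meet at 10:00, bring the report.") // constructed sample message

	// Honest exchange: Alice -> Bob.
	env, _ := Seal(msg, alice, &bob.PublicKey)
	got, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("from Alice: %q (err=%v)\n", got, err)

	// Impostor: Mallory can encrypt to Bob, but can only sign with her own
	// private key, so Bob's check against Alice's public key fails.
	forged, _ := Seal(msg, mallory, &bob.PublicKey)
	_, err = Open(forged, bob, &alice.PublicKey)
	fmt.Println("from Mallory claiming to be Alice:", err)

	// Tampering in transit: flipping one ciphertext bit makes OAEP decryption
	// fail before the signature is even checked.
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("tampered ciphertext:", err)
}
```

Two design points worth noting. `Open` verifies the signature over the decrypted plaintext, so the same check that authenticates Alice also catches any change to the message. And because the signature covers only the message, Bob learns that Alice wrote it but not that she wrote it to him; protocols that care about this include the recipient’s identity in the signed data.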

This is how authenticity is achieved in the data exchange between parties. The same signature mechanism underlies OpenID Connect (OIDC), which industry applications use for authentication: the identity provider signs the ID token with its private key, and the application verifies that signature with the provider’s published public key before trusting the identity claims inside the token.
