12.4 Encrypting Transactions with PKCS and S/MIME

The signing process encrypts the hash of the data, not the data itself. Section 12.3 on page 439 did not cover encrypting general-purpose data, but the technologies are similar. Public and private keys are typically used in conjunction with secret keys to send encrypted messages, as secret-key algorithms encrypt and decrypt data much more quickly than public-key algorithms do. The PKCS standards also specify how to package encrypted data in a uniform fashion for interoperability.

For example, to send an encrypted message, the sender or the sender's application would generate a unique secret key for the transaction, encrypt the message with the secret key, and encrypt the secret key with the recipient's public key before sending the encrypted message and encrypted secret key to the recipient. The recipient decrypts the encrypted secret key with the recipient's private key and uses the decrypted secret key to decrypt the message. Someone other than the intended recipient who captures the encrypted message could not decrypt the message, as only the intended recipient holds the private key that can be used to unlock the encrypted secret key. Could the original message have been encrypted with the recipient's public key, forgoing the secret key altogether? Yes, but as mentioned earlier, secret keys are much faster at encrypting and decrypting bulk data.

With PKCS and S/MIME, senders can encrypt a message as a one-step operation. Alternatively, senders could combine the signing and encryption process to create a message that is first signed by the sender and then encrypted before being sent to the intended recipients.
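The sealing and opening steps described above, as an added example written against Java's JCE (it is not code from the book): the class name, the `Envelope` holder and the sample message are assumptions; RSA-OAEP encrypts a per-message AES key and AES-GCM encrypts the message body.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class EnvelopeDemo {
    // What actually travels: the RSA-wrapped secret key, the GCM nonce and the ciphertext.
    // PKCS #7 / CMS packages these as EnvelopedData; this holder is a stand-in (assumed, not JCE API).
    static final class Envelope {
        final byte[] wrappedKey, iv, ciphertext;
        Envelope(byte[] w, byte[] i, byte[] c) { wrappedKey = w; iv = i; ciphertext = c; }
    }

    // Sender side: a fresh AES key per message encrypts the bulk data (fast, symmetric);
    // RSA-OAEP under the recipient's public key encrypts ("wraps") only that AES key.
    static Envelope seal(byte[] plaintext, PublicKey recipientPub) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey sessionKey = kg.generateKey();
        byte[] iv = new byte[12];                       // 96-bit GCM nonce, never reused with a key
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(plaintext);     // ciphertext followed by 16-byte auth tag
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipientPub);
        return new Envelope(rsa.wrap(sessionKey), iv, ciphertext);
    }

    // Recipient side: only the private-key holder can unwrap the session key, and
    // GCM rejects a ciphertext whose tag no longer matches (AEADBadTagException).
    static byte[] open(Envelope env, PrivateKey recipientPriv) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, recipientPriv);
        SecretKey sessionKey = (SecretKey) rsa.unwrap(env.wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(128, env.iv));
        return aes.doFinal(env.ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();      // in practice taken from the recipient's certificate
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] recovered = open(seal(msg, recipient.getPublic()), recipient.getPrivate());
        System.out.println(Arrays.equals(msg, recovered) ? "round trip ok" : "MISMATCH");
    }
}
```

Anyone holding the envelope without the private key has only an RSA-encrypted key and AES ciphertext; the signed-then-encrypted variant mentioned above would sign the plaintext first and then pass the signed data as the `plaintext` here.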


Enterprise Java™ Security: Building Secure J2EE™ Applications
ISBN: 0321118898
Year: 2004
Pages: 164