Quite separate from access security is confidentiality, that is, unauthorized third parties must not be able to read the data traffic. To this end, the data are encrypted. This sort of encryption process is exemplified by DES, AES, RC4, or Blowfish. Along with encryption, of course, there must also be a corresponding decryption on the receiving end, generally with the same key (a so-called symmetric encryption process). The problem naturally then arises, how the sender can give the key to the receiver for the first time—a simple transmission could very easily be read by a third party, who could then easily decrypt the data traffic.
In the simplest case, this problem is left to the user, that is, one simply assumes that the user can make the key known at both ends of the connection. In this case, we refer to pre-shared keys, or PSK.
More sophisticated processes come into play when the use of PSK is impractical, for instance in an HTTP connection established with SSL—in this case, the user can't retrieve a key from a remote web server quite so easily. In this case, so-called asymmetric encryption methods such as RSA can be used, that is, to decrypt the data, a different key is used than the one used to encrypt it, meaning that key pairs are used. Such methods are, however, much slower than symmetric encryption methods, which leads to a two-phase solution:
- The sender possesses an asymmetric key pair. It transmits the public part of the key pair, i.e. the key for encryption, to the receiver as a certificate, for example. Since this part of the key pair cannot be used for decryption, there are no misgivings with regard to security.
- The receiver selects any symmetrical key. This symmetrical key that is used both for encryption and for decryption, must now be securely transmitted to the sender. It is encrypted with the sender's public key and returned to the sender. The only way that the symmetrical key can be decrypted again is with the sender's private key. Potential eavesdroppers observing the key exchange cannot decrypt this information, and consequently the transmission of the symmetrical key is secure.
