On 11.03.2010 22:11

Active cards: 1093558

Digital signatures: 28538070

Electronic authentications: 48262996

Sertifitseerimiskeskus

Arvutikaitse

EST | RUS

Encryption

What is encryption?

The purpose of file encryption is to make the data stored in the file unreadable for any unauthorised users.

It is possible to use symmetric and asymmetric encryption algorithms.

An encryption algorithm is a mathematical formula used for deciphering a data file. It can only be deciphered with an encryption key. When using the symmetric encryption technique, a file is encrypted and decrypted with the same secret key. Asymmetric encryption utilises different encryption and decryption keys, of which one is public and the other secret and held only by the specific user.

How is encryption carried out in DigiDoc?

In DigiDoc, a file is encrypted in two stages. First, the file is encrypted by means of a symmetric algorithm, for which a random key is generated (hereinafter referred to as the transport key). Then the transport key is encrypted by means of the addressee’s public key by using an asymmetric algorithm. In case there is more than one addressee, the transport key is encrypted separately with each addressee’s public key.

Encryption with the ID-card is first and foremost meant for secure transportation of files, and not so much for their long term safekeeping. This is so, because decryption with the ID-card requires a secret key which matches the authentication certificate and is stored ONLY on the user’s ID-card.

Decryption of files becomes impossible if the user loses his or her ID-card. It is similarly impossible to decrypt files that have been encrypted with an earlier certificate if the user has renewed the certificates of his or her ID-card, because issuing of new certificates also brings about generation of new secret and public keys.

Upon encryption of files, one should keep in mind that the decryption is only possible by the users of certificates listed as addressees.For this reason it is advisable for the encrypting user to add him- or herself as an addressee as well, just in case there is a need to reopen the file in the future.

There are four possibilities for finding addressees in the DigiDoc client program: from the computer’s certificate storage, from the catalogue of LDAP, from a file or from the ID-card.

The easiest way is to use the certificate that has been already stored in the certificate storage. In case it does not yet contain the necessary certificate, one can be found from the LDAP catalogue by searching for a personal identification code.

The third alternative is to load the certificate from the ID-card, which requires a computer with a card reader and the respective ID-card.

The fourth alternative is to load the certificate from a file, if the certificate has been sent to you by e-mail, for example.

The DigiDoc client saves the certificates that have been used for encryption in the “Other People” folder of the certificate storage, where they can be easily retrieved later.

Viimati uuendatud: 05.06.2007