Public-key systems are inefficient for encrypting large messages. The secret keys used in conventional cryptography are characteristically small. If conventional secret keys are viewed as a kind of message, encrypting these keys with a public-key algorithm would not place an unnecessary burden on the processing of a computer system. Thus, conventional and public-key cryptography can be used jointly to provide authentication, integrity, and secrecy in an efficient manner. The following example illustrates this idea. Note that, for simplicity, the example does not include the distribution of the public-key certificates.

An originator needs to send a signed, confidential message to a recipient. The originator first computes a digital signature as a function of the originator's private key and a digest of the plaintext message. Second, the originator generates a conventional secret key, and uses this key to transform the plaintext into ciphertext. Third, the originator encrypts the secret key using the recipient's public key. The originator finally appends the encrypted secret key and the digital signature to the ciphertext, and transmits the information to the recipient.

Upon receipt, the secret key is decrypted using the recipient's private key. The secret key is then used to decrypt the ciphertext. Once the plaintext is obtained, the recipient validates the message signature as a function of the signature and the originator's public key. Secrecy is guaranteed, because only the recipient's private key can be used to decrypt the secret key needed to decrypt the message. Integrity is guaranteed because the digital signature was generated using a digest of the original plaintext message. Finally, authentication is achieved, because the digital signature provides unforgeable evidence that the plaintext message was generated by the originator. The step-by-step processing of this example is illustrated in figure 11.7.

This scheme addresses the two disadvantages of a public-key system: performance, and the inability to send a message to multiple recipients. Performance degradation is minimized, because a conventional algorithm (e.g., DES) is used to encrypt the message. Only the encrypting of the secret key (e.g., the DES key) requires a public-key algorithm. If the message is transmitted to several recipients, the originator encrypts the secret key one time per recipient, using that recipient's public key. For example, if a message is sent to five recipients, five different encryptions of the secret key would be appended to the message.

**Figure 11.7:** Joint Use of Conventional and Public-key Cryptography.
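The flow described above, including one wrapped secret key per recipient, as an added example that is not part of the original text. It assumes unpadded textbook RSA over constructed Mersenne-prime keys and a SHA-256 counter keystream as stand-ins for a real public-key algorithm and a conventional cipher such as DES; all function and key names are hypothetical, and the stand-ins are for illustration only.

```python
import hashlib
import secrets

def make_key(p, q, e=65537):
    # Toy textbook-RSA key from two known primes (no padding): illustration only.
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def stream_xor(secret, data):
    # Stand-in for the conventional cipher (the page names DES): SHA-256 counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(secret + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def send(plaintext, originator_key, recipient_pubs):
    # 1. Sign a digest of the plaintext with the originator's private key.
    signature = pow(digest(plaintext), originator_key["d"], originator_key["n"])
    # 2. Generate a fresh secret key and encrypt the message with it.
    secret = secrets.token_bytes(16)
    ciphertext = stream_xor(secret, plaintext)
    # 3. Encrypt the secret key once per recipient, under that recipient's public key.
    m = int.from_bytes(secret, "big")
    wrapped = {name: pow(m, pub["e"], pub["n"]) for name, pub in recipient_pubs.items()}
    return {"ciphertext": ciphertext, "signature": signature, "wrapped": wrapped}

def receive(message, name, recipient_key, originator_pub):
    # Recover the secret key with the recipient's private key, then the plaintext.
    m = pow(message["wrapped"][name], recipient_key["d"], recipient_key["n"])
    plaintext = stream_xor(m.to_bytes(16, "big"), message["ciphertext"])
    # Validate the signature against a digest of the recovered plaintext.
    recovered = pow(message["signature"], originator_pub["e"], originator_pub["n"])
    if recovered != digest(plaintext):
        raise ValueError("signature does not match plaintext")
    return plaintext

# Constructed demo keys built from Mersenne primes; real keys use random primes.
ORIGINATOR = make_key(2**521 - 1, 2**607 - 1)
ALICE = make_key(2**1279 - 1, 2**2203 - 1)
BOB = make_key(2**2281 - 1, 2**3217 - 1)
```

The message body is encrypted once regardless of the number of recipients; only the `wrapped` table grows, by one public-key operation per recipient.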

Fri Oct 7 16:17:21 EDT 1994