Digital Envelope

A Digital Envelope is built using both symmetric key and asymmetric key cryptography. The bulk encryption is done with a symmetric key, and that symmetric session key is itself sent securely using asymmetric key cryptography.

Its primary service is privacy, but it also prevents tampering (not just detects it), since the content cannot be read or modified without the symmetric session key. It does not guarantee delivery: an attacker could still delete or reroute a message, because the message headers are neither encrypted nor signed. Only the intended recipient, however, can open the message body or attachments.

Digital Signature and Digital Envelope are independent. A given message can use either, neither or both. If you use both, you digitally sign the entire message first and then all message components are encrypted in a single Digital Envelope.

Creating the Digital Envelope:

Alice (the sender) first generates a symmetric session key (SSK) using a cryptographic random number generator.

She then encrypts the message (M) with a symmetric key algorithm (e.g. AES) and the SSK, producing the Encrypted Message (EM).

Then she encrypts the SSK with RSA and Bob’s public key (KPub), producing the Encrypted Session Key (ESK).

The Encrypted Message (EM) and Encrypted Session Key (ESK) are sent to Bob.

Opening the Digital Envelope:

Bob receives the Encrypted Message (EM) and Encrypted Session Key (ESK) from Alice.

He first decrypts the ESK using his own private key (KPriv) and RSA in decryption mode, producing the Recovered Session Key (SK’).

Then the Encrypted Message (EM) is decrypted using the selected symmetric key algorithm in decrypt mode (AES⁻¹) and the Recovered Session Key (SK’), producing the Recovered Message (M’).
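The two procedures above, creating and opening the envelope, as an added worked example in Go using only the standard library (this is not code from the original page). The page names AES and RSA but not their modes, so the concrete choices here are assumptions: AES-256-GCM for the bulk encryption, RSA-OAEP with SHA-256 for wrapping the session key, a 2048-bit key for Bob, and an EM layout of GCM nonce followed by ciphertext and tag. `Seal` and `Open` play Alice's and Bob's roles respectively.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what Alice sends to Bob: the Encrypted Message (EM) and the
// Encrypted Session Key (ESK). EM layout (an assumption of this example):
// GCM nonce || AES-GCM ciphertext || GCM authentication tag.
type Envelope struct {
	EM  []byte
	ESK []byte
}

// Seal follows "Creating the Digital Envelope". The algorithm choices
// (AES-256-GCM, RSA-OAEP with SHA-256) are assumptions of this example.
func Seal(message []byte, bobPub *rsa.PublicKey) (*Envelope, error) {
	// Step 1: Alice generates a fresh 256-bit symmetric session key (SSK)
	// from the OS cryptographic random number generator.
	ssk := make([]byte, 32)
	if _, err := rand.Read(ssk); err != nil {
		return nil, err
	}
	// Step 2: bulk-encrypt M with AES under the SSK, producing EM.
	block, err := aes.NewCipher(ssk)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	em := gcm.Seal(nonce, nonce, message, nil) // nonce is prepended to the output
	// Step 3: encrypt the SSK with RSA and Bob's public key (KPub), producing ESK.
	esk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, ssk, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EM: em, ESK: esk}, nil
}

// Open follows "Opening the Digital Envelope".
func Open(env *Envelope, bobPriv *rsa.PrivateKey) ([]byte, error) {
	// Step 1: Bob recovers the session key (SK') with his private key (KPriv).
	sk, err := rsa.DecryptOAEP(sha256.New(), nil, bobPriv, env.ESK, nil)
	if err != nil {
		return nil, fmt.Errorf("recover session key: %w", err)
	}
	// Step 2: decrypt EM with AES in decrypt mode under SK', producing M'.
	// GCM verifies the authentication tag first, so a modified EM is
	// rejected instead of silently decrypting to altered content.
	block, err := aes.NewCipher(sk)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.EM) < gcm.NonceSize() {
		return nil, errors.New("EM too short to contain a nonce")
	}
	nonce, ct := env.EM[:gcm.NonceSize()], env.EM[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Bob's key pair; in practice KPub would be taken from Bob's certificate.
	bobPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal([]byte("constructed sample message"), &bobPriv.PublicKey)
	if err != nil {
		panic(err)
	}
	recovered, err := Open(env, bobPriv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("M' = %q\n", recovered)
	// Flip one bit of EM: Bob's Open rejects it rather than returning a
	// modified message.
	env.EM[len(env.EM)-1] ^= 0x01
	if _, err := Open(env, bobPriv); err != nil {
		fmt.Println("tampered EM rejected:", err)
	}
}
```

Note that the tamper rejection comes from GCM's authentication tag, not from AES itself; with an unauthenticated mode such as CBC or CTR, a modified EM would decrypt without error. The message headers (sender, recipient, subject) sit outside both EM and ESK, which is why the envelope cannot stop a message from being deleted or rerouted.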
