included in the latest versions of various web browsers from Netscape
and Microsoft. S/MIME is based on the RSA public-key cryptography
system. See RFCs 2311 and 2312 for more information on S/MIME.
• MD2, MD4, and MD5 (MD stands for Message Digest)--A digest
is a computed value known as a hash. A hash function creates a
fixed-length string from a block of data, based on the content of
the message. A user digitally signs a message by using a hash, or
message digest, of it. This process identifies the person who sent
and/or created the message. MD2, MD4, and MD5 are hash functions
created by Ron Rivest of RSA, Inc. Each one creates a 128-bit digest.
MD2 is the slowest, MD4 the fastest. At the time of this writing, the
MD5 algorithm is the de facto hashing standard for digests. See
Internet RFCs 1319, 1320, and 1321 for more information.
• SHA-1 (secure hashing algorithm)--An NIST-sponsored hashing
system that has been adopted by the U.S. government. SHA-1 produces
a 160-bit hash, which is larger than the 128-bit hash of the MD
functions, and it is slower than MD5. One fact about all computed
digests is that they are very difficult to duplicate. Example: If you
change one bit in the message for an existing MD5 digest, then up to
half of the digest will change.
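The one-bit-change behaviour described in the SHA-1 item can be measured directly. The following is an added example, not code from the book: it flips each bit of a constructed message in turn and counts how many bits of the MD5 and SHA-1 digests change. The message and the function names are assumptions chosen for illustration.

```python
import hashlib

# Constructed sample message (not from the book).
MESSAGE = b"Ship 100 horseshoes to vendor 42"


def digest_bits(name: str, data: bytes) -> int:
    """Length in bits of the digest the named algorithm produces."""
    return hashlib.new(name, data).digest_size * 8


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def changed_bits(name: str, original: bytes, modified: bytes) -> int:
    """Number of digest bits that differ between two messages."""
    a = int.from_bytes(hashlib.new(name, original).digest(), "big")
    b = int.from_bytes(hashlib.new(name, modified).digest(), "big")
    return bin(a ^ b).count("1")


def avalanche_profile(name: str, message: bytes):
    """Flip each message bit in turn; return (min, mean, max) changed digest bits."""
    counts = [changed_bits(name, message, flip_bit(message, i))
              for i in range(len(message) * 8)]
    return min(counts), sum(counts) / len(counts), max(counts)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        lo, mean, hi = avalanche_profile(name, MESSAGE)
        print(f"{name}: {digest_bits(name, MESSAGE)}-bit digest, "
              f"changed bits per 1-bit edit: min={lo} mean={mean:.1f} max={hi}")
```
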
At this point you may be thinking, "My head hurts! MD2, RC2, RFCs!
160-bit hash! I'll never use all these things!" So before we delve any further
into this topic, let us take a break and address a few business concerns. We
will take a side trip--a three-hour tour, if you will.
3.4 PKI and business solutions
What will all this security do for your business and how will it keep it
secure? Let's look at several business scenarios.
• You are sending important messages to sales reps via the Internet to
different parts of the world. These sales reps travel extensively and
carry a laptop with them. How can you protect these messages from
• Vendors place orders into an Extranet. This Extranet will take the
orders and trigger an immediate shipment to the vendor. "But wait,"
the vendor says. "I did not order 10,000 horseshoes." How can you
prove the vendor actually ordered the horseshoes?
• Your business also sells horseshoes to customers who pay by credit
card. How can you keep the credit card information safe and secure