7.5 Privacy
Privacy refers to the ability to send information in such a way that it cannot be read by unauthorized users. When privacy is implemented, Bart can still intercept the infograms, but to him they will all appear as garbled, unintelligible text, much like the user manuals you get with your operating system.
Privacy is usually accomplished with secret-key encryption. Ed and Gwen share a secret key that only they know about. Ed uses this key to encrypt data before he sends it. Gwen uses the same key to decrypt data after she receives it. To anybody in the middle, the data appears as garbled text.
This secret key is neither of their private keys; using one of those would violate the fortress trust rule. Instead, they share a temporary session key, a key that only the two of them know and that is valid only for a limited duration (probably minutes).
The trick is to exchange this secret key in such a way that even if Bart eavesdrops, he won't be able to read the key and thereby read the transmitted data. There are two ways that Ed and Gwen can exchange this secret key. The first is a side effect of the private-key algorithm. Remember, I said that one of the items in the Kerberos-like ticket is a session key. This session key is exactly the kind of secret key that Ed and Gwen need.
The other way to share the key is by using a public/private-key pair. In the public/private-key scheme, Ed creates a session key and encrypts it using Gwen's public key. He sends the encrypted session key to Gwen. Only Gwen's private key will decrypt the session key, so even if Bart intercepts it, he cannot recover the key.
As I mentioned earlier, if Gwen is guarding a Web service or presentation fortress, she herself will not store her private key. It will instead be stored in a closely trusted sister fortress, guarded by Gail, as shown in Figure 7.4. Gwen trusts Gail's fortress to store her private key and decrypt information on her behalf. Gwen can then either ask Gail's fortress for the session key (if that does not introduce an unacceptable security risk) or have Gail's fortress do all encrypting and decrypting on her behalf.
Figure 7.4. Gwen's and Gail's Fortresses
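As an added example (not code from the book), here is the public/private-key exchange described above in Go: Ed generates a session key and wraps it under Gwen's RSA public key, the fortress that holds Gwen's private key (Gail's) unwraps it on her behalf, and both ends then protect infograms with the session key. The concrete algorithms (RSA-OAEP for wrapping, AES-256-GCM for the infograms) and all function names are my assumptions; the text names none.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// WrapSessionKey is Ed's step: generate a fresh random session key and encrypt
// it under Gwen's public key (RSA-OAEP, assumed) so only her private key recovers it.
func WrapSessionKey(gwenPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // AES-256 key, valid for this session only
	if _, err = rand.Read(sessionKey); err != nil { return nil, nil, err }
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, gwenPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// UnwrapSessionKey runs wherever Gwen's private key is kept (Gail's fortress
// in the text) and recovers the session key from the wrapped blob.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts one infogram under the session key; the random nonce is
// prefixed to the ciphertext so Open can find it.
func Seal(sessionKey, infogram []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, infogram, nil), nil
}

// Open decrypts a sealed infogram; it fails for anyone without the session
// key (Bart) and for any ciphertext altered in transit.
func Open(sessionKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("sealed infogram too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

Whoever unwraps the key is the party that must be trusted with Gwen's private key, which is why the text places that step in Gail's fortress rather than in Gwen's.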