Introduction
Public-key cryptography (also referred to as asymmetric cryptography) is possibly the most important security technology that you use every day but may never have heard of. The security of our entire modern online world is underpinned by this one concept; and yet the basics of it aren’t widely taught or even mentioned in most cases. In this article I’ll provide a clear and simple explanation of how this technology works and how it’s used in the real world.
Math Skills?
Many might assume that understanding this or any form of cryptography requires advanced mathematical knowledge. While it’s true that public-key cryptography relies on some advanced mathematical concepts (such as the difficulty of factoring the product of large prime numbers), this work has already been done for us. Cryptographic algorithms and standards undergo years of testing by many different people before being accepted for mainstream use. Research into threats (such as quantum computing) – and into new algorithms and standards to address those threats – is under constant development. Those of us who utilize cryptography in practice only need to stay up-to-date on which standards and applications are currently considered secure.
Symmetric (Private-Key) Cryptography
To understand asymmetric (public-key) cryptography, you must first be aware of the cryptography that came before it. Symmetric (private-key) cryptography was the only form of cryptography in existence from ancient times up until the mid 1970s. This encompassed many different types of ciphers and technologies, but the basic concept remained the same. A secret cipher, or key, is used by the sending party to encrypt information. That same key is then used by the receiving party to decrypt the message.
There is a significant weakness with this method; especially in the age of the Internet. The key must be securely exchanged between the parties who are encrypting and decrypting messages. The act of exchanging the key can provide many potential opportunities for that key to be compromised.
Bob & Alice
Cryptographic systems are often explained using the fictional characters Bob and Alice. Let’s say that Bob wants to send Alice a confidential message. However, their communications are being intercepted and read by Eve. (The “eavesdropper”.)
So how can Bob and Alice ensure that Eve cannot read their messages? This scenario assumes that they cannot meet in person to exchange a symmetric private key; and have no other secure channel to do so. Everything they send must go over the wire that Eve is monitoring. So if one of them sends a private key, Eve will simply intercept it and use it to decrypt any messages that were encrypted with it.
Asymmetric (Public-Key) Cryptography
Public-key cryptography takes a fundamentally different approach. Instead of a single private key, a keypair is generated that consists of two keys: a public key and a private key. Data that is encrypted with one key can only be decrypted with the other key.
Encryption
With this, Bob can generate a keypair and send his public key to Alice while keeping his private key secure.
Alice can then use Bob’s public key to encrypt messages to send to him. Only Bob’s private key will be able to decrypt those messages.
Likewise, Alice can also generate a keypair and send her public key to Bob. Eve can intercept their public keys and their encrypted messages, but as long as their private keys are kept secure and out of her reach, she will never be able to decrypt those messages. This provides the security principle of confidentiality.
Digital Signing
Public-key cryptography has another valuable use case. The previous function can be reversed, and Bob can use his private key to encrypt data. What, might you ask, is the point of this? After all, Eve or anyone else who has obtained Bob’s public key could decrypt it.
But in doing this, anyone with Bob’s public key can verify that the encrypted data came from Bob; as only his private key could have encrypted that data. As long as Bob’s private key remains secure, he can create a digital signature that is impossible to forge. Typically this is done in tandem with a hash function. Bob can create a hash of a message and encrypt it; then send that encrypted hash alongside his message to Alice. This encrypted hash is the digital signature.
Alice can then decrypt that hash and run the same hashing algorithm on Bob’s message. If the hashes match, then she knows that the message came from Bob and that it was not intercepted and modified by Eve or anyone else. This provides the security principles of integrity, authentication, and non-repudiation.
If Bob and Alice both provide each other with their public keys, they can combine both of these functions and send each other messages that are both encrypted and signed.
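The encryption and signing flows described above can be traced end to end in a few lines of Python. This is an added example, not part of the original article: it uses textbook RSA with no padding and deliberately tiny keys built from known Mersenne primes, so it illustrates the mechanics only, and all function and variable names are assumptions made for the illustration.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA: derive (public, private) from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent, inverse of e mod phi
    return (e, n), (d, n)

def apply_key(key, value):
    """The one RSA operation: value ** exponent mod n."""
    exponent, n = key
    return pow(value, exponent, n)

def encrypt(public, message):
    m = int.from_bytes(message, "big")
    if m >= public[1]:
        raise ValueError("message too long for this toy modulus")
    return apply_key(public, m)

def decrypt(private, ciphertext):
    m = apply_key(private, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message, n):
    """SHA-256 of the message, reduced to fit under the modulus (toy shortcut)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    return apply_key(private, digest(message, private[1]))

def verify(public, message, signature):
    return apply_key(public, signature) == digest(message, public[1])

# Constructed keys from known Mersenne primes; far too small for real use.
bob_public, bob_private = make_keypair(2**61 - 1, 2**89 - 1)
alice_public, alice_private = make_keypair(2**107 - 1, 2**127 - 1)

def bob_sends(message):
    """Bob signs with his private key and encrypts with Alice's public key."""
    return encrypt(alice_public, message), sign(bob_private, message)

def alice_receives(ciphertext, signature):
    """Alice decrypts with her private key and checks Bob's signature."""
    message = decrypt(alice_private, ciphertext)
    return message, verify(bob_public, message, signature)

if __name__ == "__main__":
    print(alice_receives(*bob_sends(b"Meet at noon")))
```

Real systems use vetted libraries with padded RSA or elliptic-curve schemes and keys of at least 2048 bits for RSA.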
Uses in Practice
The most obvious real-world use case that the Bob and Alice examples refer to is email. Much of the early software and standards were indeed made with email encryption in mind. However, that is only the tip of the iceberg when it comes to all of the various uses for public key encryption and signing. I cannot possibly list all of the use cases and software out there, but I will briefly describe some of the most common ones.
NOTE: Asymmetric (public-key) cryptography does have one major disadvantage compared to symmetric cryptography. It is much less efficient and requires far more computing power to perform. For this reason, many protocols use public key algorithms only to securely exchange symmetric (private) keys, which are then used to encrypt the communications themselves.
Email Security
Standards such as PGP and S/MIME allow you to encrypt and sign emails, not only to keep messages confidential, but also to provide verification of sender identity to protect against phishing attacks that try to impersonate a known contact.
Web Encryption
This is by far the most ubiquitous use of public key cryptography. Websites present a public key in the form of a digital certificate that is used both to prove the authenticity of the website and to establish secure, encrypted communication with it via the HTTPS protocol, which utilizes SSL/TLS. In the past, most web traffic was transmitted over unencrypted HTTP, with only sensitive traffic such as financial transactions being encrypted with HTTPS. But now encrypted web traffic has become nearly universal.
VPNs
A Virtual Private Network (VPN) allows users to tunnel their web traffic over another network; namely the public internet. Technically a VPN does not have to use encryption when tunneling traffic over another network, but in today’s environment almost all VPNs feature encryption and are seen as an important security tool. See my article below for more details.
Code Signing
Public key cryptography is a critical tool used in software development to ensure that only trusted software is accepted and executed on a system. Developers use private keys to sign the executable binaries and scripts that they create, and their corresponding public keys are used by the operating system to verify them before they are allowed to run. Popular operating systems such as Windows and Android have strict code signing infrastructures in place to help protect their users from malicious software.
Document Signing
Documents have long used physical signatures as proof of identity and intent. As documents associated with important commerce and legal agreements become increasingly digitized, more advanced methods are required to verify authenticity. Fortunately, public key cryptography provides an ideal solution; allowing signatories to digitally sign important documents with private keys. Those digital signatures can then be verified with the corresponding public keys.
Key/Certificate Signing
Ironically, one of the most important uses of public key cryptography is to sign the public keys themselves! After all, to trust something that has been digitally signed with a keypair, you also must know whether you trust the keypair that was used to sign it. Therefore, a chain of trust must be established to determine your trust in public keys based on whether they have been signed with other keypairs that you already trust.
This can be done in a decentralized form such as with the Web of Trust used by PGP keys (see article below for details), or more commonly in a centralized form with Public Key Infrastructure (PKI) and digital certificates.
A digital certificate is a public key with additional identifying information that ties it to a user, device, website, etc.; typically using the X.509 standard. I may publish a primer on PKI and X.509 in the future.