The answer to all these questions lies in the mysterious and fascinating field of cryptography.
In this article, we are going to explore a specific kind of cryptography known as “Public Key Cryptography”, and how it is used for digital security.
But first let’s do a quick fundamental review of basic cryptography, the different types of cryptography, and the different problems cryptography is used to solve.
Cryptography allows us to protect our data by using complex algorithms to encrypt and decrypt messages, making sure only the intended recipients can read them.
But cryptography can do more than just keep our messages secret, it can also be used to verify identities and authenticity so we can be sure of who we are communicating with or that we are installing the right software application.
For example, TLS certificates ensure our browser is communicating only with the intended website, and not a hacker in the middle.
Cryptography can also be used as evidence that a certain action has been performed by a certain person.
This is how cryptography supports technology like cryptocurrency where financial transactions have to be secure.
Here is a brief summary of problems that cryptography solves:
- Confidentiality: Cryptography can ensure that only authorized parties can access data by encrypting it.
- Integrity: Cryptography can ensure that data has not been tampered with during transmission by using digital signatures and message authentication codes.
- Authentication: Cryptography can be used to verify the identity of a user or device by using digital certificates and Public Key Infrastructure (PKI).
- Access control: Cryptography can be used to control access to resources by ensuring that only authorized people can log in to a system.
Symmetric vs Asymmetric Encryption
Before we take a deep dive into Public Key Cryptography, we should first make sure we have a good understanding of the two main types of cryptography. Those are symmetric cryptography and asymmetric cryptography.
Public Key Cryptography is asymmetric cryptography, but let’s review the difference between the two.
Symmetric Cryptography (or Secret Key Cryptography)
It uses the same key for both encryption and decryption. That’s it, one secret key.
This means that anyone involved in the communication must have the same secret key. Symmetric crypto is great for sending private messages from one person to another or encrypting sensitive files or information because it is fast.
However, symmetric cryptography’s main drawback is that the same key must be shared among all parties involved, which can be a security risk. If everyone uses the same key, it can’t be used to identify who sent the message.
Examples of symmetric algorithms include AES and DES.
The Most Secure Encryption Software Uses AES KeysDid you know that the most secure password managers like 1Password and Zoho Vault use a 256-bit AES encryption key? Regardless of whether you want to secure your business or personal passwords, you’ll get military-grade protection from.
Asymmetric Cryptography (or Public Key Cryptography)
It uses a pair of keys, one for encryption and one for decryption.
Essentially one key is used to encrypt the information and its partner key is used to decrypt the information.
Asymmetric cryptography is not as fast as symmetric cryptography, but it does have other benefits that symmetric cryptography doesn’t.
For example, symmetric cryptography can be used to verify the identity of the sender, so the recipient knows the message came from the right source.
Examples of asymmetric algorithms include RSA and Elliptic Curve Cryptography (ECC).
So symmetric cryptography uses only one key and is good for bulk data encryption and decryption, and asymmetric cryptography uses key pairs and is good for secure key exchange and authentication. Amazing right?
Well, now that we have cleared up the basics, let’s take a deeper dive into Public Key Cryptography, and learn more about how it works, and its different use cases.
What is Public Key Cryptography?
So, we already know that Public Key Cryptography is a type of asymmetric cryptography.
There are two keys involved; one can be used to encrypt a message and the other can be used to decrypt the message.
In Public Key Cryptography, one key is known as the “Private Key” and the other is known as the “Public Key”.
In fact, either the Private Key or Public Key can be used to encrypt a message, and the matching partner key can be used to decrypt it.
Examples of Public Key Cryptography algorithms include RSA, and Elliptic Curve Cryptography (ECC).
RSA and ECC are essentially different algorithms used to create a matching pair of keys (one called the Public Key and the other called the Private Key) that can encrypt and decrypt data between each other. In most cases, the Public Key does not need to be protected.
It is supposed to be readily shared with others and is used for encrypting messages and sending them to the person who holds the Private Key.
So, the owner of the key pair will share the Public Key with the whole world. And the Private Key is… you guessed it… meant to be kept secret by the owner and used for decrypting messages encrypted with the matching Public Key.
Protect Your Passwords With CryptographyMessages are not the only thing you should worry about. If you have a weak password, all data your device holds is in danger. You can generate a strong password and use password managers to encrypt and store them securely.
Using this concept, if two people in a conversation each have a pair of keys, they could theoretically just share their Public Keys with each other and effectively have a private two-way conversation.
As long as they keep their Private Keys secure and secret nobody will be able to decrypt the messages they share.
This is because the Public Key cannot be used to decrypt the message that it encrypts. In other words, Public Key Cryptography cannot work symmetrically.
However, in this scenario, there is another problem. How does the recipient know that the right person is sending them the message?
Well, you might think that the best way is to keep the Public Key secret too, and only share it with the intended sender.
For example, you could password encrypt it and email it to your communication partner, and that way you know only one person has it. But, that way is not very efficient.
On the modern Internet, we communicate with many many websites on a day-to-day basis and we don’t have time to secretly email our Public Keys to each website owner.
Instead, this problem is solved in a different way. Public Key Cryptography can use the Private Key to authenticate each party in the communication.
When the user wants to authenticate themselves, they will use their Private Key to create a digital signature and send that digital signature to the other party. The other party’s computer will then use the matching Public Key to verify the signature created by the Private Key. ‘
If the signature is valid, the system knows that the user must have used their Private Key to create it. Since the Private Key is kept secret, the signature must have been created by the legitimate owner of the Private Key.
This process allows secure authentication without the need to share a secret password or passphrase.
But what now? Is that it, problems solved? Well, no not really.
Now that two entities can successfully authenticate to each other, they can be sure that they are communicating with the right person and send secure messages to each other.
But, as we mentioned in the introduction, Public Key Cryptography is not very efficient. If we only used Public Key Cryptography to communicate, the Internet would be much slower.
So, instead of using Public Key Cryptography to communicate, it is just commonly used to create a shared symmetric key (aka secret key).
As we mentioned before, symmetric encryption is much faster for encryption and decryption. Magic! Now our Internet can be blazing fast again.
The process of creating this shared symmetric key is known as a “secure key exchange” or a “secure handshake”.
One example known as the “Diffie–Hellman key exchange” is famously used to secure Internet communications using TLS and is also a fundamental building block of many other secure communication protocols such as SSH, SFTP, IPSec IKE (Internet Key Exchange), WPA (Wi-Fi Protected Access), WPA2, and many VPN protocols such as OpenVPN.
In a Diffie-Hellman key exchange, Public Key Cryptography is used to exchange Public Keys between two entities.
The two parties then use a mathematical algorithm to generate a shared secret key in a way that the key is never actually transmitted between the two parties. They use their key pairs to generate the same key on both sides without sending it back and forth.
The important thing is that the shared secret key is established securely. Even if a passive eavesdropper intercepts the Public Key exchange, they will not be able to determine the shared secret key.
Is that it? Are we finished yet? This is starting to get complicated! No, there is one more important security problem to consider here.
Using Diffie-Hellman key exchange to communicate with Internet websites is vulnerable to active man-in-the-middle attacks. By itself, Diffie-Hellmen doesn’t authenticate or prove that either party is who they claim to be.
The handshake can happen between any two connecting parties. But, have no fear, Public Key Cryptography to the rescue again. Public Key Cryptography can also be used to create digital signatures to ensure the authenticity of the website you are visiting and perhaps sending your credit card number or other sensitive information to.
Here’s how you know you are connecting to a legitimate website and not some hacker-in-the-middle just pretending to be the website and sending you a Public Key.
Public Key Cryptography is used to validate the identity of a website domain through the use of digital certificates, also known as TLS certificates.
These certificates are issued by a trusted third-party called a certificate authority (CA). They can securely authenticate a website’s domain name (such as www.my-bank.com) using the website’s Public Key.
When your browser sees a valid TLS certificate for the domain displayed in the browser’s URL bar, it lets you know by showing you a locked padlock icon next to the URL.
You can go ahead and click on this lock to see the valid certificate information.
If the certificate is not valid, you will see a broken lock that is usually colored red to get your attention. In this case, don’t connect! You might be the victim of a hacker-in-the-middle offering you a rogue certificate.
How does it work?
When you visit a website, your browser will initiate a TLS handshake with the website’s server. During this process, the server will present its digital certificate to the browser. The browser is able to verify the certificate because every modern browser has the Public Keys of all trusted CAs built right into them.
So, your browser checks that the website’s certificate has been digitally signed by a trusted CA and that it is still valid (i.e. it hasn’t expired). Only then will the browser and website use the website’s Public Key from the certificate to securely create a shared symmetric secret key (also known as a session key), using a Diffie-Hellman key exchange.
The resulting shared secret key will then be used to encrypt all further communication between the browser and website, ensuring that the communication is private and cannot be intercepted or tampered with.
Phew! That’s the whole story!
Other Use Cases For Public Key Cryptography
So, as we have learned, Public Key Cryptography is a powerful tool that is widely used to secure Internet communications using TLS certificates.
However, it also has other interesting uses.
One of these is ensuring the authenticity of software you download from the Internet and another is protecting cryptocurrency wallets from fraudulent transactions or hacking attempts.
Let’s learn about these other interesting use cases too!
Public Key Cryptography is also used in digital signatures that are used to verify the integrity of software applications to ensure they are the authentic version.
In these authentication schemes, the Private Key is used to sign a document and the corresponding Public Key is used to verify the signature.
When a software developer wants to create a digital signature for their software, they first generate a pair of Public and Private Keys. They then use their Private Key to create a digital signature of the software by running a cryptographic hash function on the software and encrypting the resulting hash with their Private Key. The digital signature is then included with the software package.
When a user wants to verify the authenticity of the software, they first run the same cryptographic hash function on the software package to generate a new hash. They then use the developer’s Public Key to decrypt the digital signature included with the software.
If the decrypted signature matches the new hash generated by the user, the signature is verified, and the user can be confident that the software is authentic and has not been modified by a hacker.
Only the developer who has the Private Key can create a valid signature for the software. Any modification of the digitally signed software will result in the signature being invalidated, making it easy for the user to detect if the software has been tampered with.
Secure Cryptocurrency Transactions
Cryptocurrency has fascinated the world since 2008 when Bitcoin was first released. It’s amazing how you can now easily send money to anyone in the world without needing to go through your bank.
It’s also amazing that the technology that supports Bitcoin and other cryptocurrencies can remain secure even though all the transactions are publicly available data.
This is because Public Key Cryptography is used to verify transactions using digital signatures. Stolen crypto-cash does happen, but not because of a failure of Public Key Cryptography.
Stolen Bitcoins happen when someone hacks into your online crypto-exchange account or steals your wallet’s Private Key. So don’t let that happen. Use secure passwords!
Each Bitcoin wallet has a pair of Public and Private Keys. The Public Key is used as the user account number (called an address), and the Private Key is used to sign transactions.
When a user wants to send Bitcoins to another user, they create a transaction containing the recipient’s address, the amount of Bitcoins being sent, the Public Key, and a digital signature created with their Private Key.
The digital signature is created by taking the transaction details, running a cryptographic hash function on them, and encrypting the resulting hash with the sender’s Private Key. The digital signature is then included with the transaction and broadcast to the network.
To verify the transaction, the Bitcoin nodes use the sender’s Public Key to decrypt the digital signature and verify the decrypted hash by hashing the transaction details independently themselves.
If the two hashes match, the signature could only have been created with the user’s Private Key, and the transaction is considered valid.
This process ensures that only the user who has the Private Key corresponding to the sender’s address can create a valid signature for the transaction and that any attempt to tamper with the transaction will result in an invalid signature, making it easy for the network to detect.
So, there you have it.
Public Key Cryptography is a form of asymmetric encryption that has many use cases such as authenticating websites, software applications, and cryptocurrency transactions.
Since it’s not the fastest form of encryption on the block, Public Key Cryptography also supports the secure exchange of shared secret keys (also known as a symmetric key or session key) through the Diffie-Hellman key exchange.
This system ensures that the Internet is both private and fast.