Cryptography is a word which often strikes fear.
Fortunately, you don't need to be a mathematician to understand some fundamental concepts, just as you don't need to be a mechanical engineer to drive a car.
One of the most fundamental concepts of modern cryptography is asymmetric encryption, also called public key encryption.
At first, I was puzzled about this concept. How is it possible to have a key that is "public"? If someone gets the public key, can they decrypt the encrypted message?
Also, what's the problem it solves? Is symmetric encryption unreliable?
In this post, I answer those questions.
How does public key encryption work?
After reading some articles, I realized I was thinking about the problem the other way around.
Whoever holds the public key encrypts a message, and only the owner of the private key can decrypt it.
If a bad guy intercepts the encrypted message, even if he has the public key, he can't decrypt it and get the original message.
For example:
Anna wants to send a secret message to Bob.
Anna encrypts the message using Bob's public key and sends it to Bob.
Bob receives the message and decrypts it using his private key.
Anna + Public key ---> Encrypted Msg ---> Bob + Private key
Great, I got it! Then I thought, what if Bob wants to reply to Anna?
Two-way communication with asymmetric cryptography
If Bob encrypted the message with his private key, Anna could decrypt it with the public key she has. But this would be unsafe.
Bob + Private key ---> Encrypted Msg ---> Anna + Public key
As the name suggests, the public key is public, and everyone can get it and decrypt the message.
So how can Bob safely reply to Anna?
Using the same logic, Anna generates a new private-public key pair, keeps the private key safe and gives Bob the public key.
Bob can then use Anna's public key to encrypt the message to reply safely to her.
Bob + Anna's public key ---> Encrypted Msg ---> Anna + Private key
In other words, two-way communication requires two private-public pairs of keys.
Digital signature
Let's go back for a second to this scenario:
Bob + Private key ---> Encrypted Msg ---> Anna + Public key
I've just said that Bob could reply to Anna using his private key, but this is unsafe because anyone can decrypt the message using his public key. Even though the private key cannot be used to make a message secret, it has an important application: the "digital signature".
It allows Bob (the sender) to prove his identity and the message's authenticity. Likewise, Anna (the receiver) can also be sure about the authenticity of the sender and message.
Of course, it differs from what Anna and Bob wanted, but digital signatures have many crucial applications, for example:
- Email signing certificates, or S/MIME (Secure/Multipurpose Internet Mail Extensions).
- Document signing certificates (Word, PDF and other formats).
- Code signing certificates.
In general, digital signatures can provide guarantees of the origin, identity, and status of a digital document.
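The two-way exchange and the signature described above, as an added example that is not part of the original post: textbook RSA written with the Python standard library only. The fixed Mersenne-prime keys, the function names and the sample messages are constructed for illustration, and there is no padding, so real systems use a vetted library with OAEP (encryption) and PSS (signatures) instead.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Textbook RSA: return (public, private) keys built from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, inverse of E
    return (E, n), (d, n)

def to_int(data):
    return int.from_bytes(data, "big")

def encrypt(public, message):
    e, n = public
    m = to_int(message)
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)

def decrypt(key, ciphertext):
    exponent, n = key
    value = pow(ciphertext, exponent, n)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def sign(private, message):
    """'Encrypt' a SHA-256 digest of the message with the private key."""
    d, n = private
    return pow(to_int(hashlib.sha256(message).digest()) % n, d, n)

def verify(public, message, signature):
    e, n = public
    return pow(signature, e, n) == to_int(hashlib.sha256(message).digest()) % n

# Constructed keys: each person has their own private-public pair.
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ANNA_PUB, ANNA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def demo():
    to_bob = encrypt(BOB_PUB, b"Meet at noon")   # Anna -> Bob
    reply = b"See you there"
    to_anna = encrypt(ANNA_PUB, reply)           # Bob -> Anna
    sig = sign(BOB_PRIV, reply)                  # Bob proves authorship
    return {
        "bob_reads": decrypt(BOB_PRIV, to_bob),
        "anna_reads": decrypt(ANNA_PRIV, to_anna),
        "signature_ok": verify(BOB_PUB, reply, sig),
        "tampered_ok": verify(BOB_PUB, b"See you never", sig),
        # An interceptor holding only Bob's public key gets garbage.
        "eavesdropper_reads": decrypt(BOB_PUB, to_bob),
    }
```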
Here is another point that was unclear to me.
What's the problem public-key encryption solves?
Before the public key technique, symmetric encryption was the only way to send secret messages.
If Anna wanted to send a secret message to Bob, they had to share a key to encrypt the message. Also, Bob could reply to Anna using the same key.
It sounds perfect, but this system has a weakness.
Safely exchanging the key is not an easy task. Anna and Bob must use a secure channel, but sometimes the available channel is unsafe, slow or unreliable (imagine by phone or postal service).
The key-exchange problem is the major drawback of symmetric encryption, and public key encryption solves it smartly.
Public key encryption became prominent thanks to Rivest, Shamir and Adleman, the designers of the RSA algorithm, in 1977.
Many systems have adopted asymmetric encryption since then. Some examples are:
- SSH (Secure Shell protocol). It allows a secure connection between two computers thanks to asymmetric encryption.
- SSL/TLS (Secure Sockets Layer/Transport Layer Security). Their job is to encrypt data streams between the client and server (transport layer).
- GPG (GNU Privacy Guard). Program for secure communication.
- HTTPS (Hypertext Transfer Protocol Secure). It is the secure version of HTTP.
That's it for now. I hope this short post helped you to clarify some of the misconceptions about asymmetric encryption.