Public Key Encryption: What Is Public Cryptography?
Public key encryption actually uses two sets of keys. One, the public key, is shared widely with anyone you might like to connect with in the future. The other, the private key, is closely protected and known only to you.
Algorithms develop the keys. While they're related to one another, they can't be used to decode one another. Someone who has your public key must do quite a bit of complicated hacking to determine even the rough contours of your private key.
Systems like this preserve both privacy and efficiency. You know your data is protected in transit and at rest. But you don't need lengthy setup conversations with another party to get a connection started.
Experts say it's critical for everyone to understand cryptography, especially if people within your organisation work from home. If you're not using public key encryption properly (or at all), you could be exposing your company to catastrophic risks.
What Is a Cryptographic Key?
We all use keys every day to open up mailboxes, trunks, and doors. Cryptographic keys also lock and unlock barriers to allow access. But unlike their physical counterparts, crypto keys are not made of metal. Instead, they consist of code.
A cryptographic key scrambles numbers and letters so they're unreadable by humans. Your original text (plaintext) moves through a key and takes a new form (cypher). A key undoes the process.
Several types of cryptographic keys exist.
Public: As the name implies, this type of key is widely available for anyone to see.
Private: This form of key is closely guarded and protected. Only you should know about it.
Hybrid: A combination of public/private keys is used in this complex system that is custom-made for very sensitive environments.
In the early days of computing, all companies used symmetric systems. Both parties needed copies of the same key to encrypt and decrypt data.
But as more companies came online and the need to communicate grew, tracking all of those keys became burdensome. In response, developers created asymmetric systems, like public key encryption. With this process, two parties need separate but related keys.
How Does Public Key Cryptography Work?
Two parties with related keys communicate via public key cryptography. One key encrypts the data, and the other decrypts it.
Let’s say Alice wants to send a message to Bob. An attacker, Tom, is listening. Alice:
Uses Bob’s public key to encrypt her message.
Sends it to Bob.
Waits for Bob to use his private key to decrypt it.
Because they’re public, Tom has access to both the ciphertext and Bob’s public key. However, Tom doesn’t know what Bob’s secret key is because Bob keeps it a secret.
What if Bob needs to verify that it was Alice that sent the message instead of Tom? This time, Alice:
Encrypts a message for Bob with two keys: Bob’s public key and her own private key.
Sends the message.
Waits for Bob to decrypt it using both his own private key and Alice’s public key.
Because only Alice’s private key could have encrypted a message that can be decrypted by her public key, and because Alice keeps her private key private, Bob knows that this message couldn’t have come from anyone else. This is called a digital signature.
In addition to digital signatures, public key encryption can be helpful for:
Secure web connections. A websites security certificate (or SSL/TSL certificate) contains a public key. Related private keys are installed on servers. The two parties have a "handshake" before data is transferred. Websites such as Google and SalesForce rely on this protocol.
Plenty of encryption methods exist. Should you rely on a public key system or lean on something else? Understanding the risks and benefits can help you make a smart decision.
Public key cryptography has three main benefits.
Confidentiality: Only authorised recipients can read encrypted messages.
Authenticity: Senders can digitally sign their messages, so recipients know that the note hasn't been altered in transit.
Non-repudiation: Senders can’t deny they wrote (or at least saw) the message contents later on.
These benefits have uncovered many applications for public key cryptography, from PGP and HTTPS to OIDC and WebAuthN. It’s also used for secure shell certificates, enabling admins to connect to servers everywhere without remembering their passwords.
But challenges do exist, including:
Vulnerability to brute force key search attacks. Super-fast computers with plenty of processing power can run extensive searches to find out the details of private keys. In theory, this could take mere minutes.
Vulnerability to man-in-the-middle attacks. A hacker can intercept a message, alter it, and fool the host computer into making an insecure connection. When that happens, a hacker can read through almost every message intended for your server.
Programming challenges. Public key cryptography can be difficult to understand and implement from scratch, but thankfully for developers, there are many libraries available to handle the heavy lifting. The famous Networking and Cryptography Library (NaCl) provides an API called the Box API, which makes handling public key cryptography simple.
Key management issues. A public key approach means you’ll need to make sure you’re thinking through how you’ll handle user training and acceptance, system administration, maintenance and key recovery.
Help From Okta
At Okta, we use public key encryption in our own systems to verify encrypted sessions for our users. We've also built an extensive suite of tools you can use to ensure that the right people in your organisation have the right permissions.
We can help you understand what encryption means and how it can help. We can also set up services for you. Contact us, and let’s get started.