How Does Public Key Cryptography Work?
Two parties with related keys communicate via public key cryptography. One key encrypts the data, and the other decrypts it.
Let’s say Alice wants to send a message to Bob. An attacker, Tom, is listening. Alice:
- Uses Bob’s public key to encrypt her message.
- Sends it to Bob.
- Waits for Bob to use his private key to decrypt it.
Because they’re public, Tom has access to both the ciphertext and Bob’s public key. However, Tom doesn’t know what Bob’s secret key is because Bob keeps it a secret.
What if Bob needs to verify that it was Alice that sent the message instead of Tom? This time, Alice:
- Encrypts a message for Bob with two keys: Bob’s public key and her own private key.
- Sends the message.
- Waits for Bob to decrypt it using both his own private key and Alice’s public key.
Because only Alice’s private key could have encrypted a message that can be decrypted by her public key, and because Alice keeps her private key private, Bob knows that this message couldn’t have come from anyone else. This is called a digital signature.
In addition to digital signatures, public key encryption can be helpful for:
- Secure web connections. A websites security certificate (or SSL/TSL certificate) contains a public key. Related private keys are installed on servers. The two parties have a "handshake" before data is transferred. Websites such as Google and SalesForce rely on this protocol.
- Bitcoin. This form of digital currency relies on public key cryptography for safety and security.
Weaknesses & Strengths of Public Keys
Plenty of encryption methods exist. Should you rely on a public key system or lean on something else? Understanding the risks and benefits can help you make a smart decision.
Public key cryptography has three main benefits.
- Confidentiality: Only authorized recipients can read encrypted messages.
- Authenticity: Senders can digitally sign their messages, so recipients know that the note hasn't been altered in transit.
- Non-repudiation: Senders can’t deny they wrote (or at least saw) the message contents later on.
These benefits have uncovered many applications for public key cryptography, from PGP and HTTPS to OIDC and WebAuthN. It’s also used for secure shell certificates, enabling admins to connect to servers everywhere without remembering their passwords.
But challenges do exist, including:
- Vulnerability to brute force key search attacks. Super-fast computers with plenty of processing power can run extensive searches to find out the details of private keys. In theory, this could take mere minutes.
- Vulnerability to man-in-the-middle attacks. A hacker can intercept a message, alter it, and fool the host computer into making an insecure connection. When that happens, a hacker can read through almost every message intended for your server.
- Programming challenges. Public key cryptography can be difficult to understand and implement from scratch, but thankfully for developers, there are many libraries available to handle the heavy lifting. The famous Networking and Cryptography Library (NaCl) provides an API called the Box API, which makes handling public key cryptography simple.
- Key management issues. A public key approach means you’ll need to make sure you’re thinking through how you’ll handle user training and acceptance, system administration, maintenance and key recovery.
Help From Okta
At Okta, we use public key encryption in our own systems to verify encrypted sessions for our users. We've also built an extensive suite of tools you can use to ensure that the right people in your organization have the right permissions.
We can help you understand what encryption means and how it can help. We can also set up services for you. Contact us, and let’s get started.
References
Why Cryptography Is a Key Cyber-Skill to Hone During Lockdown 2.0. (December 2020). ITProPortal.
What Makes the Bitcoin Blockchain Secure? (November 2020). Decrypt.
Symmetric Encryption Algorithms: Live Long and Encrypt. (November 2020). Security Boulevard.
Man-in-the-Middle Attacks: A Growing but Preventable Mobile Threat. (April 2020). Dark Reading.
IBM Cloud Gets Quantum-Resistant Cryptography. (November 2020). Silicon Angle.