Networking / Beginners

# Public-Private Key Cryptography

Asymmetric encryption and decryption algorithms rely on a technology called public-key cryptography, which works similarly to a safe deposit box at the bank: you need two keys to open the box, or at least multiple layers of security checks must be used. With public-key cryptography, you need two mathematical keys: a public one and a private one. Your public key can be published on a public web page, printed on a T-shirt, or posted on a billboard in the busiest part of town. Anyone who asks for it can have a copy. On the other hand, your private key must be protected to the best of your ability. This piece of information makes the data you want to encrypt truly secure.

Every public key/private key combination is unique. So the basic principle of public-private key cryptography is that data encrypted with the public key can be decrypted using only the private key. Furthermore, encrypting with the private key can serve as a digital signature.

The actual process of encrypting data and sending it from one person to the next requires several steps. We'll use the "Martin and Jack analogy" to go through the process one step at a time as they both try to communicate with one another in a secure manner. Figures below illustrate a simplified version of the actual process.

Notice that at no point was the secret (private) key sent over the network. Once the data was encrypted with Jack's public key and signed with Martin's private key, the only pair of keys that could decrypt and verify it were Jack's private key and Martin's public key. Thus, if someone intercepted the data in the middle of the transmission, he or she wouldn't be able to decrypt the data without the proper private keys.

To make things even more secure, asymmetric encryption algorithms encourage implementations to change the session key regularly through a randomly generated, symmetric key for encrypting the communication between the sender and the receiver. Using sessions keys ensures that the data stream gets encrypted differently every few minutes. So even if someone happened to figure out the key for a transmission, that miracle would be valid for only a few minutes, until the keys changed again.