Public key cryptography, a synonym for asymmetric cryptography, is a clever cryptographic system that allows two parties to exchange encrypted information publicly without worry of interception.
Many cryptographic systems are symmetric. Two or more parties share a private key, then send encrypted messages to one another that require the private key to decrypt. The problem with symmetric key systems is that it’s difficult to share the private key between the parties without it being compromised.
Anything sent over the Internet is subject to being intercepted, so short of physically delivering the key, there’s always some chance that an unknown malicious actor also has your private key and can decrypt your info.
Asymmetric systems, like public key cryptography, use two pairs of public+private keys and some fancy math to neatly sidestep the issue of eavesdropping, so deciphering the message is impossible even if you manage to listen in on the conversation.
How Does Public Key Cryptography Work?
Instead of sharing a private key between the communicants that can decrypt the data that’s sent publicly, each party generates two keys for itself: one private and one public key.
The public key can be handed out to whoever; it doesn’t matter who has it or who knows it. By itself, a public key is useless. Its only purpose is to encrypt data that is sent back to the owner of the private key – who can then decrypt it with the key that only they have.
This works both ways – so both parties have a means of decrypting things that are sent to them. Sure, anyone could potentially steal the public key, but all they can do with it is encrypt info that can be unencrypted with the matching private key of the key pair.
Here’s an excellent video that illustrates the mechanics of public key cryptography in a visual way.
If you watched the whole video, you know that the mechanism for encryption isn’t as simple as a lock and key or mixing colors. It’s actually based on extremely large numbers that have very specific properties. The algorithm to generate the key is publicly known, which is how they can create key pairs, but without the seed number used to generate your private key, no one else can decrypt messages sent to you.
Applications of Public Key Cryptography
Of course, there are a lot of variations on public key cryptography and even more applications. Some of the more common uses are authentication and digital signatures.
One of the most secure methods of authentication is the digital certificate. Certificates are an authentication method that both ensures the identities of the parties involved (the digital signature) and removes the need to remember credentials (username and password). Both of those features rely on the asymmetric nature of public key cryptography.
Public key cryptography is also the basis for the network authentication method TLS (transport layer security). That ties in with SSL encryption (the ‘s’ in https) and is a crucial part of securing and encrypting the experience of browsing the Internet!
Vulnerabilities of Private Keys
As with all security, the weakest part of the system is always the human component.
Private keys are extremely secure by themselves, but they depend on people to stay that way. Anyone with physical access to a computer (and administrator privileges) can access that computer’s keystore.
The keystore contains all of the private keys that the computer might use, including those keys that are used for certificates. These can be lifted from the device fairly easily – there’s freely available software that enables you to export the contents of a keystore. Even easier is just taking a picture or writing down what you see. The private keys are matched with their application in plain text in the keystore.
Another potential flaw is users not being discerning enough to correctly identify phishing attempts. Classic email phishes or more advanced over-the-air credential theft (such as man-in-the-middle attacks) can also give hackers the access they need to compromise your keystore.
The common thread in all of these vulnerabilities is that the person responsible for the device is either uninformed of the dangers or not vigilant enough to protect against them.
Protecting Your Private Key
No matter how cryptographically secure you think you are, there’s always a degree of vulnerability. But you can remove the weakest link, humans, from the equation altogether.
The only way to ensure certificates can’t be lifted from a device is CertLock. CertLock is the industry’s only solution to ensuring that certificates stay on the device they were issued to. Want to learn more about keeping your network and certificates secure? Check out CertLock here.