How Public Private Key Pairs Work in Cryptography: 5 Common … – Hashed Out by The SSL Store

admin on June 6, 2023 Leave a Comment

Step-by-step guides (with illustrations) showing how cryptographic key pairs work in five different public key infrastructure (PKI) scenarios.

We know private-public key pairs are used in a multitude of ways (encryption, authentication, digital signatures, etc.) within an IT environment. But the ways theyre used differ dramatically for each use case. This may leave you wondering: how exactly does it all work under the hood?

If youve ever wanted to know the specifics of each use case in how theyre used, heres an overview of the five different use cases.

Lets hash it out.

The short answer? Not always. Yes, in most use cases, a public key is used to encrypt data while its corresponding private key is used to decrypt secrets. However, there are exceptions when it comes to certain processes. Well break all of this down for you in the following sections, taking a look at five very common use cases:

When you visit a secure website using HTTPS, every connection starts with a process called a TLS handshake. This process involves using public key encryption (i.e., asymmetric encryption) to exchange sensitive information before switching to symmetric encryption for the rest of the session.

Why bother switching? Because symmetric encryption requires less computational power than public key encryption does. Even though were talking about minuscule amounts of time (i.e., milliseconds), its more efficient for at-scale data encryption (i.e., for larger organizations with higher web traffic).

To encrypt your websites connections, you need to have an SSL/TLS certificate installed on your server. It also requires the client and server to introduce themselves and exchange essential information to create a secure encrypted session. This back-and-forth process is called the TLS handshake, of which most browsers support two varieties TLS 1.2 (most common) and TLS 1.3.

Heres an overview of how the TLS 1.2 handshake process works:

When it comes to the TLS 1.3 handshake, the process differs somewhat, particularly regarding the key exchange process. The idea is to streamline everything into a single roundtrip.

But the basic concept stays the same: the public-private keypair is used to securely exchange a symmetric key thats used for the actual data encryption.

Lets consider the uses of public-private key pairs in software security. The process for securing code, software, executables, etc. involves the developer or publisher using a code signing certificate to add a digital signature to their software executable. This process uses cryptographic keys and functions (i.e., hashing and encryption) to authenticate the developer/publisher who created the asset and validate that the file or code hasnt been modified since it was signed.

Remember toward the beginning of this article we said that its not always the case that public keys encrypt and private keys decrypt? This is what we were referring to.

But what does this process look like in terms of how and when each key is used?

So, where does the public key come into play? During the software verification process that happens on the client end:

When we talk about document signing, were not talking about signing the electronic form of your handwritten signature. (That can be easily spoofed!) Instead, were referring to stamping your verifiable digital identity to a digital file (Word document, PDF, etc.) so people know its authentic and hasnt been altered.

Fun aside: A digital signature is a type of electronic signature, but not all types of electronic signatures are digital signatures. A little confused? Check out my former colleagues article if you want to learn more about the difference between electronic and digital signatures. Now, back to the main topic at hand

As youve probably now guessed, to digitally sign a document, you must have a document signing certificate. So, whats the role of the public and private key in this affair? Frankly, its similar to what the private key does in the code signing process we described moments ago:

Now, its time to shift gears and move on to signing email communications.

Email signing is a process that enables an email sender to prove that they sent the email and that the message didnt come from an imposter. This process uses an email signing certificate (also called a client authentication certificate), which they install onto their device or import to their email client.

So, what does this email signing process look like, and where does a public-private key pair fit into the equation?

Once the message is received:

To learn more about certificate-signed emails, check out our Hashed Out article that will walk you through how to import and use an S/MIME certificate in Outlook.

Email encryption is the process of randomly scrambling the contents of the email (words, images/graphics, attachments, etc.) to transform it into an unreadable form before the user hits the send button. However, what it doesnt encrypt is the email header information.

Encrypting an email is akin to sealing secret, coded messages inside a secure cargo container; this way, its safe from being viewed in transit or while sitting at the arrival location (while sitting on the email server). This is why its sometimes called end-to-end encryption because its protected from one endpoint to the other.

So, whats this process look like in terms of how the public-private key pair is used? Its time to shake things up a bit. (NOTE: Both the email recipient and sender must have an email signing certificate installed on their devices.)

Image caption: An illustration that demonstrates how email encryption works and how the public and private keys are used within that process.

Want to learn more about how to send encrypted emails? Weve got you covered in this article that walks you through the process on three major email platforms.

Although you dont need to know the intricacies of how public-private key pairs are used in public key cryptography, it certainly doesnt hurt to learn. Cryptographic keys are essential to everything relating to security on the internet. Whether its securing the sensitive data submitted to your website or protecting the confidentiality and integrity of your emails, documents, and files, public key cryptography couldnt exist without the security of your public-private key pair.

Public-private key pairs help to enable the following:

That last sentence brings us to our next point. Digital trust, the foundation of which is public key cryptography, is at the heart of internet security. If you cant trust that the identity of the website, software developer, document creator, or email sender is legitimate, then how can you trust that any data you send or receive from them is safe and can be trusted? You cant. This is why its crucial to keep your private keys secure.

We hope this article underscores the importance of securely managing and storing your private keys. By keeping those critical assets secure, youre preventing all of your (and your customers) sensitive data from falling into the wrong hands.

See the rest here:
How Public Private Key Pairs Work in Cryptography: 5 Common ... - Hashed Out by The SSL Store

Related Posts
Posted in Internet Security

Comments are closed.