Public key infrastructure technologies are the foundation of our modern encryption. In this video, you’ll learn about symmetric encryption, asymmetric encryption, key pair generation, and more.
The term public key infrastructure is a very broad term in cryptography, but it commonly refers to policies and procedures, this might also include hardware and software, that is responsible for creating, distributing, managing, storing, revoking, and performing other processes associated with digital certificates. Although that seems relatively straightforward, even in the smallest of companies, this can involve a great deal of planning and a lot of decisions that have to be made about the encryption and methods that you use within your company.
You might also hear the term PKI used as a way to associate a certificate to people or devices. This is usually in conjunction with a Certificate Authority, or CA. And it’s generally based around how you may be able to trust that a particular user or a particular device is really who they say they are.
Before we get into the details of public key encryption, let’s first start with symmetric encryption. As this name implies, symmetric encryption means that any time you’re performing a decryption of some information, you’re using the same key that was used to originally encrypt that information.
In the movies, we often refer to this single secret key being shown as something inside of a suitcase, and that suitcase is fastened to the delivery person with a pair of handcuffs. This ensures that no one else can gain access to that symmetric key, which is very important because if you have the symmetric key, you’re able to decrypt anything that was originally encrypted with that same key.
Sometimes, you’ll hear about this process of symmetric encryption being described as a secret key algorithm, where that symmetric key is that one secret key. You might also hear this referred to as a shared secret because the same key is used for both the encryption and the decryption process. So you have to share the key if you expect someone else to be able to decrypt that data.
As you might already be thinking, if you have to provide this secret key to every single person who needs to decrypt the data, then you’re probably going to have a scalability problem. Once you get above 10 individuals or devices, it now becomes very difficult to not only share the keys between all of these different people but also manage which keys happen to go with which person or which device.
As you dive deeper into the world of cryptography, you’ll notice though that we still use symmetric encryption quite a bit. And the reason is that it’s very fast. It has very little overhead as compared to something like asymmetric encryption. So we usually are using both. We’re using asymmetric encryption to perform some functions and symmetric encryption for others.
So if symmetric encryption is encrypting and decrypting with the same key, asymmetric encryption is encrypting and decrypting with two different keys. These two keys that we use, the one for encryption and the other key for decryption, are two keys that are mathematically related. In fact, we create both of these keys at the same time during the same process. And that provides that mathematical relationship between those two keys.
This means once you’ve created these two mathematically created keys, you then assign one of them as being the private key and the other one as being the public key. As the name implies, the private key is the one that only one person or one device would have access to. No one else has access to this private key. The public key, however, can be seen and used by anyone. The public key, just as that name implies, can be available to the public.
If you’ve never used asymmetric cryptography before, this next part may not seem intuitive, but this is what adds the power and the magic to performing asymmetric cryptography. Everyone who has the public key can encrypt data and send it to you by using that public key. The private key that you have is the only key that can decrypt any of that data encrypted with the public key.
For example, there may be a number of different individuals that are encrypting data using your public key and sending you that information. If any of those individuals happens to gain access to this information that’s encrypted, they would not be able to decrypt it with the public key, because the only key that can decrypt it is the private key, and you’re the only one that owns the private key.
Another important consideration is although both the public and private key are mathematically related, you can’t derive one key by simply looking at or owning another key. Because of the math associated with the creation of these public and private keys, there’s no way to reverse engineer the private key, even if you happen to have the public key. And that is one of the big benefits of public key cryptography.
If you’ve ever used an application that takes advantage of asymmetric encryption, such as PGP or GPG, you’ve gone through the process of creating your public private key pair. This process of creating a public and private key is something that occurs simultaneously, and it usually involves a lot of randomization, a combination of very large prime numbers, and a lot of cryptography behind the scenes.
If you’re creating these keys as an individual, this is usually a process you only have to go through once at the very beginning. And from that point going forward, you have your private key and your public key. So in the case of Alice, she’s creating or generating a new pair of keys. The key-generation process usually only takes a few moments. And it outputs two separate keys. One of those keys it identifies as the public key. And it labels the other key the private key.
At this point, we can distribute our public key to our friends. We can post it on our website or attach it to our social media pages. We would then take the private key, save it locally, and make sure that it is protected. Very often, we would assign a password to a private key so that you had to know the password to gain access. This adds another level of protection, just in case a third party happens to come across or gain access to our private key.
So now that Alice has created a public and a private key, she’s made the public key available to everyone. There is a friend of hers named Bob who would like to send Alice an encrypted message. Bob starts on his laptop by writing the message that we’ll refer to as this plaintext that says, “Hello, Alice.” And he has Alice’s public key because, as the public key, it’s available for anyone to use.
This goes into your asymmetric encryption software, which then creates the ciphertext. This is the combination of the plaintext and Alice’s public key. At this point, this ciphertext can be sent to Alice and can be viewed, effectively, by anyone. There’s no way to decrypt this information without the private key. Even if somebody gains access to the ciphertext and they gain access to the public key, they still would not be able to somehow reverse engineer the plaintext.
Now that Bob’s created the ciphertext, Bob can send that over to Alice. Alice sees that this is encrypted data and uses her private key to decrypt the ciphertext. At that point, we’re back to the plaintext. And as you can see, it is identical to the plain text that Bob originally sent. When you’re dealing with a single person who happens to have their own public and private key pair, it’s up to the individual to manage those. And at some time in the future, if you need to decrypt the information, that individual simply goes to their private key and decrypts anything that may still be encrypted on their system.
But when you’re working in an environment with hundreds or thousands of users, and each of these users has their own public and private key pair, you may need some way to manage that very large amount of data. This may be a third party, where you hand over private keys, and they maintain those private keys until you happen to need them. Or perhaps you’re performing your own key escrow. Once everybody creates their keys, you can store the keys locally.
And if that user happens to leave the company or move to a different department, you’ll still have the private keys SO that you can decrypt everything they’ve been working on. This is something commonly seen when you need to provide some way to decrypt data even if you’re not the person that originally encrypted that information. For example, as we mentioned earlier, a user may leave the organization, but we still need access to all of their encrypted data. Or it may be a government agency that is working with a partner, and both of those organizations need to decrypt data that may have been encrypted as part of this project.
Handing your private key off to someone else to be able to manage the process may seem a little controversial. But in some cases, it’s required in order to maintain uptime and availability of all of your organization’s data.