17 May 2021

Public and private keys

Let’s focus on the coolness that is public/private key cryptography. The basic idea of how it works is a clever one. The basic idea of cryptography is that you have a secret key. You use that to encode some information, which converts it from a readable form into garbage effectively. Making it look like random noise. You then transfer that to somebody else and then they can decrypt it and read the message. Anyone who’s listening in on your communication isn’t able to find out anything about the information that you’re communicating. You can do it intuitively,  especially if you’re doing the simple code something like a Caesar Cipher you may have used as a kid.

Caesar Cipher
Figure 1: Caesar Cipher (from https://en.wikipedia.org/wiki/Caesar_cipher)

A symmetric encryption

There’s one secret that you both have right, making this is a symmetric system. You’ve got a message (“Hello”) and it says hello, then you do some process to it to convert it using a key. This key is some secret piece of information, which then converts the message into nonsense (“XycGF”). Then you send this to the other person, and they decrypt it with a process. A kind of the same process in reverse, using the same key and then they get the message (“Hello”) back. It was once the only way that people did things.

The problem with a symmetric encryption

But it has a problem, which is you both need to know what this key is. If it’s two persons who want to communicate with one another privately, they have to agree on a key that nobody else is going to be able to guess. The key has to be shared with one another. An appointment might be made to meet in the park in secret and exchange envelopes for example. The kind of thing spies used to do. The problem with that is, firstly, it’s very inconvenient. Secondly, sometimes you can’t do it like that as you might be physically separated. You want to do something over the internet and maybe you’ve never met.

An asymmetric encryption

private & public key
Figure 2: private & public key (screenshot from the YouTube video)

The problem is: how do you send this key without just sending the key in the clear, as it was not encrypted. To share the key safely, a secure encrypted connection is needed. A secure encrypted connection can’t be established without a key. There’s a way of solving this problem, which is asymmetric encryption. What you do is you generate two keys,  let’s call them key A and key B. In an asymmetric system, you have two keys and then it’s the same as before. You’ve got your message that says “Hello”, you encrypted it with key A and then you get “Hello” again. The description, in this case, uses key B.

The working of the key pair

You can’t guess one key from the other. They’re linked in such a way that anything you encrypt with key A, can only being decrypted with key B. Anything you encrypt with key B can only be decrypted with key A. That means you work with two keys. You generate a pair of these keys, which is called a key pair. Then pick one of the keys and make it your public key. Publish it everywhere, for example on the end of all your emails or your forum posts. Or upload it to a key server, a specialized service system designed for storing securely people’s public keys. Basically, the idea is that the public key is everywhere in the world with your name on it.

The private key

The private key, the other key of this pair, is the one you keep absolutely secret. You can do some cool things with this once you have this system set up. Person A has a key pair and person B has a key pair. Both persons have one another’s public keys. If you want to send a message, person A doesn’t have to share anything with person B. Person A knows person’s B public key, uses it to encrypt something and then send it to person B. Person A knows person B can decrypt it because person B has their private key.

Authentic message

Then there’s another thing you can do with this. Imagine you encrypts something with your private key and then publish it. One might think what the point is of encrypting it with the private key. Because the public key is out there so anyone can decrypt it, so why bother encrypting it. But the fact that it can be decrypted with your public key, means that it must have been encrypted with your private key. This means it must have been you who made the message because only you have your private key. Cryptographically, you can be certain that it’s an authentic message sent by you.

Using the public and private key

The best thing is when both are done. Where person A encrypts something with its private key and then its public key, After that the message is then to person B. And if they communicate like this, they know that nobody else can read the message. They know that the messages come from one of them and not from an imposter. They also know that the message hasn’t been modified, because any modification to the message also requires the private and public key. That’s a great and secure system. They didn’t have to meet in the park in a shifty way and exchange any information. They could never have met.

Public and private key simplified

It needs to be made clear that this is a simplified explanation. People who understand cryptography can be quite upset. But this explanation is for people don’t use crypto, because it’s made too complicated. The core concept is simple and the basic isn’t difficult to use and everyone should use it. If you put an envelope in the post and when it’s been opened, people know it’s been opened. There are laws about this. When you communicate in the clear, you know anyone can know exactly what you’re sending. There’s no reason to allow that.