To manage and secure the connections and communications between their machines, which might range from traditional servers to cloud instances and containers, organizations need strong machine identity management. Machine identities employ cryptographic techniques to identify themselves, as opposed to human identities, which rely on usernames and passwords or biometric tools. While there are two types of encryption methods, symmetric and asymmetric, this article focuses on asymmetric or public key cryptography.
What is a public key?
Public key cryptography uses a pair of cryptographic keys, a public key and a private key, together with an encryption algorithm.
A public key is a large numerical value that is utilized to encrypt data. The key may be produced by a piece of software, but it is most frequently provisioned by a trustworthy, designated Certificate Authority and made available to everyone via a publicly accessible repository or directory.
A certificate authority provides access to public keys by issuing digital certificates that verify the owner's identity and include the owner's public key. Using an asymmetric algorithm, public keys are generated together with their corresponding private keys. Rivest-Shamir-Adleman (RSA), Elliptic Curve Cryptography (ECC), and the Digital Signature Algorithm (DSA) are the most typical algorithms used to produce public keys.
What is the difference between a public key and a private key?
A public key is used to encrypt a message or validate a digital signature's authenticity. It is accompanied by a corresponding private key, which is only known by its owner. Private keys are used to decrypt messages encrypted with the associated public key, as well as to generate digital signatures. In other words, a public key prevents unauthorized access to data, while a private key is utilized to decrypt it.
A public key can be shared with anyone with whom an individual wishes to communicate and exchange data, but a private key is exclusive to the individual for whom it was generated and is never shared. The public key is often held on a public key infrastructure server and is used to securely encrypt data before it is transmitted over the internet.
How does a public key work?
In their 1978 work, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Ron Rivest, Adi Shamir, and Leonard Adleman used the well-known Alice and Bob example to describe public key encryption. In August 2013, Panayotis Vryonis provided an interesting example, which we will use to describe how public key cryptography works. You can find Vryonis’ article here.
Consider that Alice possesses a box. However, this box has a rather unusual lock. The three states of this lock are A (locked), B (unlocked), and C (locked). It also has two distinct keys. The first can only rotate in a clockwise direction (from A to B to C), while the second can only rotate counterclockwise (from C to B to A).
Alice chooses the first key that turns clockwise and keeps it to herself. This represents her private key. The second key, the one that rotates counterclockwise, is Alice's public key, and she makes hundreds of copies of it to distribute to everyone - friends, relatives, coworkers, everyone.
Figure 1: Public Key Cryptography. Image courtesy of Panayotis Vryonis.
If Bob wishes to send Alice a confidential document, he places it in the box and locks it with a copy of Alice's public key. Remember that her public key only rotates counterclockwise, so Bob will lock the box by turning the key counterclockwise from C to B to A. Alice's private key is the only key capable of turning from A to B. With her private key, Alice can open the box and access the sensitive document.
Symmetric cryptography vs asymmetric cryptography
At this point, it is essential to describe briefly the two primary types of cryptographic algorithms, symmetric and asymmetric. Symmetric key methods encrypt and decrypt information using a single key, whereas asymmetric or public key cryptography employs two keys: a public key to encrypt messages and a private key to decrypt them.
However, as we will examine shortly, those two cryptographic methods are being used together to reap the best of both worlds.
Application of public keys
Public key cryptography has many applications in everyday businesses, including the following:
Encryption is the primary application of a public key: communications are encrypted before transmission. A public key can be used by anybody to encrypt data, but only a person with the corresponding private key can decode the data. Since the public and private keys are mathematically related, they are used in conjunction to encrypt and decrypt data. The information will be unintelligible if anybody other than the owner of the private key attempts to decrypt it using the public key.
Public key cryptography can also be used to generate digital signatures. The following steps are followed to generate and validate a digital signature:
- The sender identifies the file to be digitally signed.
- The document program on the computer of the sender computes a unique hash value for the contents of the file to be transmitted.
- The digital signature is generated by encrypting the hash value using the sender's private key.
- Together, the original file and digital signature are transmitted to the recipient.
- Using the sender's public key, the recipient decrypts the digital signature's hash.
- The computer of the recipient computes the original file's hash and compares it to the decrypted hash. If the two hashes are identical, the signature is validated. If the hashes do not match, the document has been modified or the signature is invalid.
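The signing and validation steps above, as an added example that is not part of the original article: it follows the list literally, using textbook RSA on a SHA-256 hash with no padding, which is enough to show why a modified file, an altered signature or the wrong public key fails validation. The keys are constructed from publicly known primes and all function names are assumptions of this example; production systems use a padded scheme such as RSA-PSS from a vetted library.

```python
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as ((n, e), (n, d)) from two primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (n, e), (n, d)

def file_hash(data: bytes) -> int:
    """Hash of the file contents as an integer (SHA-256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private) -> int:
    """Sender: transform the hash with the private key."""
    n, d = private
    return pow(file_hash(data), d, n)

def verify(data: bytes, signature: int, public) -> bool:
    """Recipient: recover the hash with the public key, recompute, compare."""
    n, e = public
    if not 0 < signature < n:
        return False                        # reject out-of-range values
    return pow(signature, e, n) == file_hash(data)

# Constructed demo keys from publicly known Mersenne primes: they protect
# nothing and exist only so the example runs without key generation code.
SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, _ = make_keypair(2**127 - 1, 2**521 - 1)

def demo():
    doc = b"Q3 report: revenue 1,200,000"   # constructed sample file
    sig = sign(doc, SENDER_PRIV)
    return {
        "intact": verify(doc, sig, SENDER_PUB),
        "modified_file": verify(doc + b"0", sig, SENDER_PUB),
        "altered_signature": verify(doc, sig ^ 1, SENDER_PUB),
        "wrong_public_key": verify(doc, sig, OTHER_PUB),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'valid' if ok else 'INVALID'}")
```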
Public key cryptography is incredibly beneficial for enabling safe Internet conversations (via HTTPS). The SSL/TLS certificate for a website contains the public key, whereas the private key is installed on the origin web server.
TLS handshakes use public key cryptography to authenticate the origin server's identity and exchange data necessary to generate session keys. A key exchange algorithm, such as RSA or Diffie-Hellman, employs the public-private key pair to agree upon session keys, which are then employed for symmetric encryption following the handshake. Symmetric encryption is favored since it is quicker and less computationally intensive.
Clients and servers can agree on fresh session keys for each communication session, making it impossible for malicious actors to decode communications even if they identify or steal a session key from a prior session.
Messaging applications, such as Signal or WhatsApp, employ end-to-end encryption to safeguard the confidentiality and privacy of user conversations and to authenticate users.
The Signal Protocol, invented by Open Whisper Systems, forms the cornerstone of end-to-end encryption. End-to-end encryption of messaging is implemented with both asymmetric and symmetric cryptography. Asymmetric encryption is used to initiate the encrypted interaction between two users, whereas symmetric encryption is utilized during the conversation. The WhatsApp Encryption Overview White Paper contains additional information.
The public keys of the client are registered with the application server once the application is installed on a user's smartphone. The private key is kept secret on the user's device and is not stored on the server. The client who wishes to establish a session obtains the recipient's public keys from the WhatsApp server. The initiator encrypts the first message and sends it to the recipient using these keys. This message provides the parameters required to generate a symmetric session key. The recipient decrypts the message with his own private key. The encrypted session must be recreated only when the device or application software is changed or reinstalled.
We are prepared to help with your business
Digital transformation is dependent on mastering both public and private TLS certificates for authentication and encryption of your applications and services. We need certificate authorities for public certificates but are often left to our own devices for the private certificates required by internal users and devices.
Venafi Zero Touch PKI is a fully SaaS-based alternative to creating and running your own internal PKI. It can be configured and managed in any way you need, in conjunction with multiple CAs and with the options you need for security and traceability.
Venafi Zero Touch PKI gives you:
- Complete policy control and delegated administration
- Automation for mixed IT environments using Venafi TLS Protect
- Active Directory and Autoenrollment integration
- Multiple options for migration of current PKI into new platform