Organizations need machine identity management to oversee and secure the way their machines—which can be anything from physical servers to cloud instances and containers—connect and communicate with one another. Unlike human identities, which use usernames and passwords or biometric devices, machine identities use cryptographic methods to identify themselves. While there are two types of encryption methods, symmetric and asymmetric, this article focuses on asymmetric, or public key, encryption.

## Public key cryptography

Public key cryptography involves two cryptographic keys (i.e., a key pair) and an encryption algorithm. The algorithm for public key encryption uses a public key and a private key. In the context of securing data transmitted over the internet, the public key is used to encrypt the plaintext data, making it indecipherable, and the private, secret key is used to decrypt the same data. Public key encryption can be a secure cryptographic method because only the owner of the private key can decrypt the encrypted data. As long as the private key remains secret, the encrypted data remains safe.

## How does public key encryption work?

Public key encryption can be explained by the simple, well-known Alice and Bob example, provided by Ron Rivest, Adi Shamir, and Leonard Adleman in their 1978 paper, *A Method for Obtaining Digital Signatures and Public-Key Cryptosystems*. In August 2013, Panayotis Vryonis expanded the encryption example. In the examples, Alice and Bob are two users of a public-key cryptosystem. They use a trunk to exchange messages. The trunk has a lock that only Alice and Bob can access and two keys, a public key and a private key, referred to as a public-private key pair. While a typical lock only has two positions, locked and unlocked, the lock for public key cryptography has the following three positions.

- Locks on the left (position A)
- Unlocks in the middle (position B)
- Locks on the right (position C)

As for the two keys, the first one can only turn clockwise (from A to B to C) and the second one can only turn counterclockwise (from C to B to A). One key can only turn toward the left side, while the other key can only turn toward the right side. Both keys can lock the trunk, which contains the message, but the key that was used to lock the trunk (key #1) cannot be used to unlock it. Only the other key (key #2) of the public-private key pair can unlock it. For this example, the trunk represents the plaintext data that is scrambled during the process of encryption.

In the example, Alice shares her public key with family, friends and colleagues. She keeps her private key, which turns clockwise from A to B to C, a secret. Everyone who has her public key can turn the key counterclockwise from C to B to A.

*Figure 1: Public Key Encryption explained. Image courtesy of Panayotis Vryonis.*

If Bob wants to send Alice a sensitive document, he places the document in the trunk, and uses a copy of Alice’s public key to lock it. Remember, her public key only turns counterclockwise, so Bob will turn the key counterclockwise from C to B to A to lock the trunk. The only key that can turn from A to B is Alice’s private key, which she has kept a secret. Alice can unlock the trunk with her private key and read the sensitive document.

The primary takeaway for how public key encryption works is that data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key.
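As an added example (not from this article or from Vryonis), the two directions in that takeaway can be seen directly in textbook RSA, the scheme from the Rivest, Shamir and Adleman paper cited above. The primes, exponent and the `PublicKey`/`PrivateKey` helpers below are constructed for illustration: the keys are far too small and there is no padding, so this shows the mathematics of the lock analogy, not a production-ready encryption routine.

```python
# Textbook RSA, constructed to illustrate the two-way lock analogy.
# Toy primes and no padding: for illustration only, not real-world use.
from dataclasses import dataclass
from math import gcd


@dataclass(frozen=True)
class PublicKey:   # what Alice hands to family, friends and colleagues
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:  # what Alice keeps secret
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 17) -> tuple[PublicKey, PrivateKey]:
    """Derive a key pair from two primes (toy sizes; real keys use ~1024-bit primes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(pub: PublicKey, m: int) -> int:
    """Bob locks the trunk with Alice's public key (turning C -> B -> A)."""
    if not 0 <= m < pub.n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, c: int) -> int:
    """Only Alice's private key turns the lock back (A -> B) to open it."""
    return pow(c, priv.d, priv.n)


def sign(priv: PrivateKey, m: int) -> int:
    """The reverse direction: Alice locks with her private key."""
    return pow(m, priv.d, priv.n)


def verify(pub: PublicKey, m: int, sig: int) -> bool:
    """Anyone holding the public key can open what the private key locked."""
    return pow(sig, pub.e, pub.n) == m
```

With the constructed primes 61 and 53 and e = 17, `make_keypair` yields n = 3233 and d = 2753, and the message 65 encrypts to 2790 before decrypting back to 65.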