Public key cryptography and private key cryptography refer to two different encryption schemes that serve two vastly different functions. In this article, we’ll give a quick overview of both, as well as what they’re used for.
Breaking Down Public Key and Private Key Cryptography
What is Private Key Cryptography?
Private key encryption is the original type of encryption. Dating back to the advent of cryptography, private key cryptosystems were the first and continue to be the most common. When using private key cryptography, both parties must each possess, or at least exchange, the private key. The word “key” can be a bit misleading — the key itself is really just the secret setting of the cipher that’s used to scramble and unscramble the data being encrypted.
With an ancient cipher, like the Caesar cipher, the private key was simply a number that corresponded to how many positions each alphabetical character needed to be shifted. In current digital encryption schemes, the keys are long random values, and the ciphers built around them are designed so that no modern computer could ever efficiently recover the key.
The one thing that remains the same with all private key systems is that the same key can both encrypt and decrypt. Private key encryption is sometimes called symmetric encryption.
What is Private Key Cryptography Used for?
Private key cryptography, in the context of SSL/TLS, is used for the actual communication portion of the connection. Each party derives the key during the handshake and then uses it to both encrypt and decrypt all data that’s transmitted between them.
Private key encryption, or symmetric encryption, uses smaller keys that are easier to compute with. These still provide adequate computational hardness, but don’t tax the client and server as much to use. Especially at scale, this is extremely important and the biggest advantage of symmetric encryption.
What is Public Key Cryptography?
Public key cryptography is actually a fairly recent creation, dating back to 1973. It uses a public/private key pair. The keys are asymmetric: the public key is derived from the private key, and it can be used to encrypt while the private key is used to decrypt. The public key is also capable of verifying signatures made with the private key.
Public/private key pairs are generally much larger than their symmetric counterparts. That’s because public key cryptography is kind of like the gatekeeper: it needs to be sufficiently robust to protect the website and the connections it’s making. Public key cryptography is primarily used for two things:
- Authentication
- Key Exchange
These are both performed during the handshake. They’re critical functions. A large key makes it harder to manipulate these functions. Once the public key cryptography is done the two parties have authenticated and exchanged keys. Now it’s simply a matter of actually communicating. The size of the key, though still plenty secure, can be reduced to increase performance.
What is Public Key Cryptography Used For?
As we just covered, it handles authentication and key exchange. Public key cryptography was first developed as a mechanism to securely exchange an encryption key via an insecure channel. The first guys to nail it were Whitfield Diffie and Martin Hellman (with an assist from Ralph Merkle) — they created the eponymous Diffie-Hellman key exchange scheme.
Diffie-Hellman lacked authentication, though, and Ron Rivest, Adi Shamir and Leonard Adleman figured if you’re going to send an encryption key to someone, it might be good to make sure you know who that someone is. Thus, the birth of RSA, which could both securely pass the key and authenticate the entity it was passing it to.
Diffie-Hellman was later paired with the Digital Signature Algorithm (DSA) to create a key exchange/authentication combination — a variant of which has now replaced RSA in TLS 1.3.
Quickly, let’s go through how this works:
RSA
With RSA, two functions are performed at once. The client first encrypts a bit of information, the pre-master secret, using the server’s public key and sends it to the server, which decrypts it using its private key. Both parties then use that information to derive the session key (a symmetric, private key that will be used to communicate). The same step also authenticates the server: only the holder of the corresponding private key can decrypt the pre-master secret, so a server that derives the same session key proves it owns that key. Once this is complete, the two parties can begin communicating with the session key that was passed.
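The RSA flow just described, as an added example that is not from the original article: a toy RSA key pair, the client encrypting a pre-master secret to the server’s public key, and both sides deriving the same symmetric session key. The key size and the SHA-256 key derivation are constructed stand-ins for real certificate keys and the TLS PRF.

```python
import hashlib
import secrets

# Toy RSA key (constructed for illustration; real TLS keys use 2048-bit or larger moduli)
P, Q = 61, 53
N = P * Q                           # public modulus
E = 17                              # public exponent, published in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the server

def rsa_encrypt(m: int, pub=(N, E)) -> int:
    """Client side: encrypt the pre-master secret with the server's public key."""
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(c: int, priv=(N, D)) -> int:
    """Server side: recover the pre-master secret with the private key."""
    n, d = priv
    return pow(c, d, n)

def session_key(pre_master: int, client_random: bytes, server_random: bytes) -> bytes:
    """Both sides derive the symmetric session key from the pre-master secret
    and the two handshake randoms (a simplified stand-in for the TLS PRF)."""
    return hashlib.sha256(pre_master.to_bytes(4, "big") + client_random + server_random).digest()

def rsa_key_transport():
    """One RSA-style handshake: returns the key each side derived plus the wire values."""
    client_random = secrets.token_bytes(16)     # sent in ClientHello, visible on the wire
    server_random = secrets.token_bytes(16)     # sent in ServerHello, visible on the wire
    pre_master = secrets.randbelow(N - 2) + 2   # chosen by the client, never sent in the clear
    encrypted = rsa_encrypt(pre_master)         # the only secret-bearing value an eavesdropper sees
    client_key = session_key(pre_master, client_random, server_random)
    # The server proves it holds D by decrypting and arriving at the same session key
    server_key = session_key(rsa_decrypt(encrypted), client_random, server_random)
    return client_key, server_key, pre_master, encrypted
```

A party without the private exponent D cannot turn the ciphertext back into the pre-master secret, so it ends up with a different session key and the handshake fails.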
Diffie-Hellman/DSA
Nowadays in TLS 1.3, all key exchange has to use a member of the ephemeral Diffie-Hellman family paired with the Elliptic Curve Digital Signature Algorithm, also known as ECDSA. The way it handles key exchange actually doesn’t even count as public key encryption — the only public key cryptography involved is when the digital signature is verified.
Here’s how it works. With Diffie-Hellman, both parties exchange randomly generated bits of data. The math rests on the discrete logarithm problem, and both parties are able to use that data, despite passing it insecurely, to derive the same secure session key. No encryption takes place in its passing, as you see in RSA, hence it’s not technically public key encryption.
The part that is public key cryptography comes with the digital signature — once the keys have been exchanged, the server takes the entire handshake transcript and digitally signs it with its private key. The client uses the public key to verify the signature, which proves key ownership and authenticates the server.
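The authenticated exchange just described, as an added example that is not from the original article: an ephemeral Diffie-Hellman exchange over a toy finite-field group, with the server signing the handshake transcript and the client verifying it. The article pairs DH with ECDSA in TLS 1.3; plain DSA over the same toy group is substituted here because it needs no elliptic-curve library, and the group parameters and SHA-256 key derivation are constructed for illustration.

```python
import hashlib
import secrets

# Toy group (constructed): p = 2q + 1 is a safe prime and g generates the order-q subgroup.
# Real deployments use 2048-bit+ MODP groups or elliptic curves.
P, Q, G = 2039, 1019, 4

def h(data: bytes) -> int:
    """Hash the message to an integer mod q, as DSA does before signing."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def dsa_keygen():
    x = secrets.randbelow(Q - 1) + 1          # long-term private key (the certificate key)
    return x, pow(G, x, P)                    # (private, public)

def dsa_sign(x: int, msg: bytes):
    while True:
        k = secrets.randbelow(Q - 1) + 1      # per-signature nonce; must never repeat
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h(msg) + x * r) % Q
        if r and s:
            return r, s

def dsa_verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def dh_ephemeral():
    a = secrets.randbelow(Q - 1) + 1          # fresh secret for this connection only
    return a, pow(G, a, P)                    # (secret, public share sent on the wire)

def handshake(server_priv: int, server_pub: int):
    """Ephemeral DH key exchange, authenticated by a DSA signature over the transcript."""
    a, client_share = dh_ephemeral()          # client -> server
    b, server_share = dh_ephemeral()          # server -> client
    transcript = f"{client_share}|{server_share}".encode()
    sig = dsa_sign(server_priv, transcript)   # server signs what both sides saw
    if not dsa_verify(server_pub, transcript, sig):
        raise ValueError("server authentication failed")
    # Each side combines its own secret with the other's public share; no secret crossed the wire
    client_key = hashlib.sha256(str(pow(server_share, a, P)).encode()).digest()
    server_key = hashlib.sha256(str(pow(client_share, b, P)).encode()).digest()
    return client_key, server_key, transcript, sig
```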
Voila! That’s private and public key cryptography explained.
If you haven’t already done so, get an SSL certificate for your website to facilitate a secure, encrypted connection for your users.