A Brief Primer on Public-Key Cryptography

Security and encryption are getting a lot of press lately, thanks to some high-profile data breaches and some less-than-comforting revelations about how the NSA is accessing Americans' data. So, at Agency Fusion's team meeting this week, it seemed pertinent to do a quick review of public-key cryptography, one of the core technologies underlying secure online communications.

Archaic, simple methods of encrypting messages (such as a decoder ring) use the exact same formula to encrypt every message. For example, shifting all letters of the alphabet by one (a becomes b, b becomes c, etc.) means that an "a" in the original message is always represented as a "b" in the encrypted message. Once the encryption method is discovered, all messages can be decrypted. The code has been cracked and is no longer secure.

Advanced encryption approaches, on the other hand, rely on the use of a secret "key" in addition to the encryption method. Keys are usually very long, randomly generated numbers which ensure that a message is scrambled in a unique, unpredictable way. Knowing the encryption method alone doesn't mean you can decrypt the message, because the key ensures that the resulting message is unpredictable to anyone who doesn't know the key.

Public-key cryptography involves two keys: a public key and a private key. These keys are used in combination to encrypt and decrypt messages, respectively. A public key is truly public as its name implies. Anyone can know this key and it isn't important who has the public key. The private key, on the other hand, is very secret and must never be shared.

Let's use an example: Assume I want to send you a secret message. To do this, I would use your public key to encrypt a message which I would then send to you. Because I encrypted the message with your public key, only your corresponding private key (which you're keeping very secure) can decrypt my secret message. You're the only one who can decrypt and read my secret message. Others may also know your public key, but your public key cannot be used to decrypt my secret message, so our communication is still secure. When one key is used to encrypt, the other key must be used to decrypt. Since I used your public key to encrypt, your public key won't work for decryption.

If you want to reply to my message securely, you'll follow the same steps and encrypt a message using my public key, which ensures that only I can decrypt the message using my private key.

Would I ever want to encrypt a message using my own private key? Yes. This can be useful in a scenario where I want to send a public message that can be verified to be truly from me and not from some impostor. I would encrypt the message, send or publish the message, and then anyone who wished to verify the authenticity of the message could use my public key (which is publicly available, remember?) to decrypt the message and be assured I am the sender. In this scenario I'm not trying to keep the message a secret; I'm using the keys for the purpose of assuring identity.
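Both uses described above, encrypting with a recipient's public key and proving authorship with a private key, can be tried with a toy version of RSA, one widely used public-key method. This is an added example, not code from the original post: the primes, messages and function names are constructed for illustration, and the signing step hashes the message first, as real signature schemes do. The key is far too small and there is no padding, so it is not secure.

```python
import hashlib

# Constructed toy primes (two Mersenne primes); real keys use large random primes.
P, Q = 2**89 - 1, 2**127 - 1

def make_keypair(p, q, e=65537):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d = 1 (mod phi), Python 3.8+
    return (e, n), (d, n)

def apply_key(key, number):
    """The one RSA operation: raise to the key's exponent, modulo n."""
    exponent, n = key
    return pow(number, exponent, n)

def to_int(data):
    return int.from_bytes(data, "big")

def encrypt(public_key, text):
    m = to_int(text.encode())
    if m >= public_key[1]:
        raise ValueError("message too long for this toy key")
    return apply_key(public_key, m)

def decrypt(key, ciphertext):
    m = apply_key(key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(key, text):
    # Hash the message and reduce it below the modulus (toy shortcut).
    return to_int(hashlib.sha256(text.encode()).digest()) % key[1]

def sign(private_key, text):
    return apply_key(private_key, digest(private_key, text))

def verify(public_key, text, signature):
    return apply_key(public_key, signature) == digest(public_key, text)

if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    secret = encrypt(public, "meet at noon")
    print(decrypt(private, secret))            # the private key recovers the text
    print(decrypt(public, secret))             # the public key yields garbage
    sig = sign(private, "sale ends Friday")
    print(verify(public, "sale ends Friday", sig))  # authentic message
    print(verify(public, "sale ends Monday", sig))  # altered message
```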

This last scenario illustrates, in part, the importance of SSL certificates for websites. A full explanation is beyond the scope of this brief post, but public-key cryptography allows you to be confident that the website you're about to purchase from really is Amazon.com and not some impostor. Amazon pays a third party to verify that Amazon really is Amazon, and then this third party (called a Certificate Authority) issues Amazon a pair of keys for secure communication. When you type https://www.amazon.com in your browser, you're able to communicate with confidence because your browser knows that the Certificate Authority is trustworthy and has issued the keys to Amazon and only Amazon.

So, how easy is it to decrypt a message without having access to the appropriate key?

Public-key cryptography uses key lengths (the keys are random numbers, remember?) that are usually 1024 or 2048 bits long; in other words, each key is an enormous 307- or 617-digit number. For the sake of comparison, the number of water molecules in the Atlantic Ocean has just 41 digits. Attempting to correctly guess a key in order to decrypt a message with this level of encryption could take about six quadrillion (6,000,000,000,000,000) years.