In public key encryption, there is a public key that can be known to anyone, even an attacker. This public key is only used to encrypt messages, which can then be sent to the receiver securely. After the message is encrypted using the public key, a private key is used for decryption. Since only the person receiving the message has access to the private key, they can be assured that no one else will be able to decrypt the messages being sent.
One analogy for public key encryption involves mail being sent securely from one person to another. Imagine Alice wants to send a secure message to Bob, making sure that only Bob will be able to read it. To do this, Alice asks Bob to mail her his open padlock. Alice then uses Bob's padlock (the public key) to lock the message and sends it to Bob. Since Bob is the only one who has the (private) key to the padlock, he can be sure that no one else who handles the package along the way will be able to open and read Alice's message.
Even though public key encryption eliminates the need to securely transfer private keys, it requires very large keys to encrypt and decrypt the data. This causes public key encryption to take much longer, and use more computing resources, than symmetric encryption. Public key encryption is also less secure than symmetric encryption key-for-key, because every public key system can in principle be broken by brute force once enough computing power is thrown at it. In order to combine the advantages of both systems, a hybrid encryption system called PGP (Pretty Good Privacy) was created.
In PGP, a session key is added to the encryption process, adding another level of security. The session key is a unique key created fresh every time you use PGP to encrypt data. When a message is sent using PGP, the plaintext is encrypted with the session key, creating the ciphertext. The session key is then encrypted with the receiver's public key and sent along with the ciphertext. When the message arrives, the receiver's private key is used to decrypt the session key, which is in turn used to decrypt the message. This system provides the speed of a private key (symmetric) system together with the easy key distribution of public key encryption.
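The following is an added worked example of the hybrid scheme just described; it is not code from the original post and is not how any real PGP implementation is written. It uses only the Python standard library: the public-key half is textbook RSA on two small Mersenne primes (an assumption made so the example runs offline; real PGP uses 2048-bit or larger moduli with randomized padding), and the symmetric half is a SHA-256 counter-mode keystream with an HMAC tag standing in for PGP's real symmetric cipher. The function names (`rsa_keygen`, `hybrid_encrypt`, `hybrid_decrypt`, `tamper_detected`) are the example's own. What it shows is the structure of the protocol: a fresh session key per message, the message encrypted under that key, and only the session key encrypted under the recipient's public key.

```python
"""Hybrid (PGP-style) encryption: session key under RSA, message under a symmetric key."""
import hashlib
import hmac
import secrets

# ---- Public-key half: textbook RSA on teaching-sized primes ----
# Assumption: M61 and M89 are Mersenne primes small enough for a demo and far too
# small for real use. Production PGP uses 2048-bit+ moduli and randomized padding.
P = (1 << 61) - 1
Q = (1 << 89) - 1


def rsa_keygen(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


# ---- Symmetric half: SHA-256 counter-mode keystream plus an HMAC tag ----
def _subkeys(session_key):
    """Derive separate encryption and MAC keys so one key is never reused for both."""
    enc = hashlib.sha256(b"enc" + session_key).digest()
    mac = hashlib.sha256(b"mac" + session_key).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(session_key, plaintext):
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(16)  # fresh per message, never reused with a key
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def symmetric_decrypt(session_key, blob):
    enc_key, mac_key = _subkeys(session_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        raise ValueError("ciphertext was modified or the wrong key was used")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


# ---- The hybrid wrapping that PGP performs ----
def hybrid_encrypt(recipient_public_key, plaintext):
    """Return (session key encrypted under RSA, message encrypted under session key)."""
    session_key = secrets.token_bytes(16)  # 128-bit key, unique to this message
    wrapped_key = rsa_encrypt(recipient_public_key, int.from_bytes(session_key, "big"))
    return wrapped_key, symmetric_encrypt(session_key, plaintext)


def hybrid_decrypt(recipient_private_key, wrapped_key, blob):
    """Recover the session key with the private key, then the message with the session key."""
    session_key = rsa_decrypt(recipient_private_key, wrapped_key).to_bytes(16, "big")
    return symmetric_decrypt(session_key, blob)


def roundtrip(message):
    """Encrypt and decrypt one message with a freshly generated key pair."""
    public_key, private_key = rsa_keygen()
    wrapped_key, blob = hybrid_encrypt(public_key, message)
    return hybrid_decrypt(private_key, wrapped_key, blob)


def tamper_detected(private_key, wrapped_key, blob):
    """Flip one ciphertext byte and report whether the integrity check catches it."""
    damaged = bytearray(blob)
    damaged[16] ^= 0x01  # first byte of the encrypted body
    try:
        hybrid_decrypt(private_key, wrapped_key, bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample message for the demo run.
    print(roundtrip(b"Meet at the usual place, 9am."))
```

The recipient's public key only ever touches the 16-byte session key, so the expensive RSA operation runs once per message regardless of message length; everything else is cheap symmetric work, which is exactly the speed argument the post makes for PGP.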
In my post about private key encryption, I discussed the keys used for encryption and decryption, and how long it would take for someone to brute force these keys. Although both types of encryption systems use keys, the types of keys used for each are very different. Even though a 56-bit key in symmetric encryption can be broken in 250 days, the same 56-bit key in a public key system can be cracked in a much shorter time. This means that public key encryption users must choose the proper key size depending on the amount of resources available, along with the amount of protection desired. A smaller key size could be used for less private information, while data such as credit card numbers should be handled with a much larger key. Users of public key encryption must always choose between better performance and better security.