Understanding Asymmetric Key Cryptography
With sincere apologies to wherever I originally read some of the analogies I’ll use herein.
Breaking it down: Cryptography is the process of encrypting or decrypting “stuff”. Key in the context of “Key cryptography”, is the password or pass-thing (string of data) used to encrypt or decrypt data.
In symmetric key cryptography, the key used for encryption and the key used for decryption are the same. Think of it like a box. You can duplicate the keys to the box as much as you want. Anyone with a key can lock or unlock the box as they please.
In asymmetric key cryptography, things get really weird — and, awesome. Let’s say you have a box. This box has 2 key slots, and each takes a specific key (which can be duplicated). Whichever keyslot was used to lock the box, the other slot has to be used to unlock the box. So, if you lock the box with keyslot 1, you have to unlock the box with keyslot 2, and vice versa.
This allows for two really cool things — signing, and encryption. Everything relies around a “public” key, and a “private” key. Going off of the example above, assume that everyone in the world has a key to “keyslot 1”, and only I have a key to keyslot 2.
Let’s say I send you a message. How do you know it really came from me? Simple. I lock the message in a box, using my private key. Anyone can unlock that message, but since my public key unlocks it, anyone can be certain that it had to have been locked by my private key, which (hopefully) only I have.
This also is the basis on which the GPG/PGP “web of trust” is formed. Let’s say Joe knows Bob and Sally, but Bob and Sally don’t know each other. Joe “signs” Sally’s public key, and Joe “signs” Bob’s public key, indicating that he knows for sure that the private keys correspond to those people. Bob wants to send a message to Sally. Sally says “here’s my public key”, and while Bob doesn’t know Sally, Bob can look at Joe’s signature on the public key and know that Joe has verified that the key does belong to Sally.
Bob wants to send a message to Sally, so that only Sally can see it. One option for this (symmetric key crypto) is for Sally to tell Bob in person, “use this random password for messages to me”. But that’s a hassle. The other option is for Bob to know what Sally’s public key is, and encrypt messages using that. Then anyone can encrypt messages to Sally, and everyone can use the same key for that, because Sally is the only one with the private key.
GPG vs SSL
GPG keys and SSLs both use asymmetric cryptography.
GPG keys rely on “I’ve met this person, and I trust them to vet other keys they sign, so I’ll trust keys signed by this person, and keys signed in turn by those people”.
SSLs rely on “I trust these companies to vet the owners of domains, so I’ll trust SSLs signed by these companies private keys to properly represent the owners of the domain that they’re signed for. (In GPG crypto, signing is done to bind a real name and an email to a keypair. In SSL crypto, signing is done to bind a domain and optionally an organization to a keypair.)
Originally published at smartcard.guru on April 13, 2016.