Public Key Cryptography (Asymmetric key algorithms)


1 - About

Public key cryptography is a cryptographic system from the 1970s that uses pairs of keys.

It's also known as asymmetric key cryptography.

Public key cryptography is used by Internet standards such as Transport Layer Security (TLS).

The public key scheme is often used only to exchange an on-the-fly symmetric key, which is used for the current session alone, because symmetric encryption is far more efficient.


3 - Concept

3.1 - Keypair

In public key cryptography, two keys are used:

  • one public (it is public: everybody can read it)
  • one private (it is kept secret)

They are used for several purposes.

See Key_generation. A key-generation algorithm produces the keypair:

  • it selects a private key uniformly at random from the set of possible private keys;
  • acceptable keypairs are created with the help of a large random number.

In short:

  • the public key is used for encryption or signature verification;
  • the private key is kept secret and is used for decryption and signing.

The keys are related mathematically, but the parameters are chosen so that calculating the private key from the public key is infeasible.


3.2 - Public Key Authenticity

3.2.1 - PKI

A central problem with the use of public key cryptography is confidence/proof that a particular public key is authentic, in that it is correct and belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. The usual approach to this problem is to use a public key infrastructure (PKI), in which one or more third parties – known as certificate authorities – certify ownership of key pairs through a certificate. See below.

3.2.2 - Certificate

To be able to tell who owns a key, public keys are enriched with attributes (such as names, addresses, and similar identifiers). This packaged collection (the public key and its attributes) is digitally signed by one or more parties who vouch for it.

The resulting object is called a certificate and is signed by a certificate authority (CA). This arrangement is called a public key infrastructure (PKI); it is a hierarchical trust model.

The certificate plays no role in the encryption itself. It is a document signed by a trusted Certificate Authority (CA) which ensures that the party you are communicating with is who you think it is.
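A minimal illustration of what a certificate is and what verifying it buys the relying party. This is an added example, not code from the original page: it builds a toy certificate (subject name plus public key, signed by a CA) on top of textbook RSA, using constructed demo keys derived from known Mersenne primes so the block runs offline without a key generator (these keys are not secure and are for illustration only). The issuer name `Demo Root CA`, the subject `example.test`, the JSON encoding of the signed part and all function names are assumptions of this example.

```python
import hashlib
import json

E = 65537  # common RSA public exponent

def _keypair_from_primes(p, q):
    """Constructed demo keys from known Mersenne primes (not secure; chosen so the
    example runs without a key generator). Returns ((e, n), (d, n))."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(private_key, data: bytes) -> int:
    """Textbook RSA signature over SHA-256(data) (no padding; illustration only)."""
    d, n = private_key
    return pow(_digest(data), d, n)

def rsa_verify(public_key, data: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest(data) % n

def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """The CA signs the 'to be signed' part: the subject's attributes plus its public key."""
    tbs = {"issuer": "Demo Root CA", "subject": subject,
           "e": subject_public_key[0], "n": subject_public_key[1]}
    encoded = json.dumps(tbs, sort_keys=True).encode()   # canonical encoding of what is signed
    return {"tbs": tbs, "signature": rsa_sign(ca_private_key, encoded)}

def verify_certificate(cert: dict, trusted_ca_public_key, expected_subject: str):
    """Relying party: return the subject's public key only if a trusted CA signed
    this exact name-to-key binding and the name is the party we meant to talk to."""
    encoded = json.dumps(cert["tbs"], sort_keys=True).encode()
    if not rsa_verify(trusted_ca_public_key, encoded, cert["signature"]):
        return None                                   # not signed by a CA we trust, or altered
    if cert["tbs"]["subject"] != expected_subject:
        return None                                   # valid certificate, but for someone else
    return (cert["tbs"]["e"], cert["tbs"]["n"])

# Constructed keys: the trusted CA, the server it certifies, and an untrusted issuer.
CA_PUB, CA_PRIV = _keypair_from_primes(2**89 - 1, 2**107 - 1)
SERVER_PUB, SERVER_PRIV = _keypair_from_primes(2**127 - 1, 2**521 - 1)
ROGUE_PUB, ROGUE_PRIV = _keypair_from_primes(2**61 - 1, 2**607 - 1)

def demo() -> dict:
    good = issue_certificate(CA_PRIV, "example.test", SERVER_PUB)
    # Key substitution, the threat the PKI addresses: without the trusted CA's signature the
    # substituted key can only arrive in a self-issued certificate or spliced into a real one.
    self_issued = issue_certificate(ROGUE_PRIV, "example.test", ROGUE_PUB)
    spliced = {"tbs": dict(good["tbs"], n=ROGUE_PUB[1]), "signature": good["signature"]}
    return {
        "genuine_accepted": verify_certificate(good, CA_PUB, "example.test") == SERVER_PUB,
        "self_issued_rejected": verify_certificate(self_issued, CA_PUB, "example.test") is None,
        "spliced_rejected": verify_certificate(spliced, CA_PUB, "example.test") is None,
        "wrong_name_rejected": verify_certificate(good, CA_PUB, "other.test") is None,
    }

if __name__ == "__main__":
    print(demo())
```

A real X.509 certificate additionally carries a validity period and extensions such as key usage, and a verifier also walks a chain of intermediates up to a trusted root and checks revocation status (see the Lifecycle section). The core check is the one shown: a signature by a trusted issuer over the exact name-to-key binding, plus a comparison of that name with the party you intended to reach.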

3.3 - Public Key Distribution

4 - Usage

4.1 - Encryption

The goal of Public Key Encryption (PKE) is to keep the communication confidential (secrecy) during transit.

Public key encryption procedure:

  • the sender encrypts the message with the recipient's public key (the sender cannot decrypt the resulting ciphertext);
  • the encrypted message is transmitted electronically to the receiver;
  • the receiver decrypts the message with the recipient's private key (only the person who holds the matching private key can read the message).

An analogy to public key encryption is that of a locked mailbox.

  • The public key is the mail slot. Anyone knowing the street address can go to the door and drop a written message.
  • The private key is the key. Only the person who possesses the key can open the mailbox and read the message.

A keypair is often used to exchange an on-the-fly symmetric key, which will only be used for the current session.


4.2 - Digital Signature

A digital signature is a mathematical scheme that proves a message came from a particular sender:

  • no one else can impersonate the sender;
  • the sender cannot deny having sent the message.

Digital signature schemes are therefore used for authentication of the sender and for non-repudiation.

5 - Procedure

Some public key algorithms provide:

To achieve both authentication and confidentiality, the sender should:

  • include the recipient's name in the message;
  • sign it using his private key (i.e. compute the digital signature for the message);
  • encrypt both the message and the signature using the recipient's public key;
  • send the encrypted signature together with the message to the intended receiver.
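The four-step procedure above, combined with the session-key exchange mentioned in the Encryption section, carried through in code. This is an added example, not the page's own code: it uses textbook RSA (no padding) with constructed demo keys built from known Mersenne primes, and a toy SHA-256 counter-mode keystream standing in for the symmetric cipher, so that it runs offline with only the standard library. The `to=...;body=...` message layout, the `|sig=` separator, the 32-byte session key and all function names are assumptions of this example.

```python
import hashlib
import secrets

E = 65537

def _keypair_from_primes(p, q):
    """Constructed demo keys from known Mersenne primes (insecure; for illustration only)."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

SENDER_PUB, SENDER_PRIV = _keypair_from_primes(2**89 - 1, 2**107 - 1)        # n is ~196 bits
RECIPIENT_PUB, RECIPIENT_PRIV = _keypair_from_primes(2**127 - 1, 2**521 - 1)  # n is ~648 bits

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || counter). Stands in for AES here."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def send(sender_private_key, recipient_public_key, recipient_name: str, text: str) -> dict:
    # 1. include the recipient's name, so the signed message is bound to this recipient
    message = f"to={recipient_name};body={text}".encode()
    # 2. sign with the sender's private key
    d, n_s = sender_private_key
    signature = pow(_digest(message), d, n_s)
    # 3. encrypt message + signature for the recipient: a fresh session key is wrapped with
    #    the recipient's public key and the bulk payload is encrypted under that session key
    session_key = secrets.token_bytes(32)
    e, n_r = recipient_public_key
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n_r)
    payload = message + b"|sig=" + signature.to_bytes(32, "big")
    # 4. what travels to the receiver
    return {"wrapped_key": wrapped_key, "body": _keystream_xor(session_key, payload)}

def receive(recipient_private_key, sender_public_key, my_name: str, envelope: dict) -> str:
    d, n_r = recipient_private_key
    session_key = pow(envelope["wrapped_key"], d, n_r).to_bytes(32, "big")   # unwrap
    payload = _keystream_xor(session_key, envelope["body"])
    message, _, sig_bytes = payload.rpartition(b"|sig=")
    e, n_s = sender_public_key
    if pow(int.from_bytes(sig_bytes, "big"), e, n_s) != _digest(message) % n_s:
        raise ValueError("signature check failed: altered in transit or not from this sender")
    header, _, body = message.decode().partition(";body=")
    if header != f"to={my_name}":
        raise ValueError("signed for a different recipient")
    return body

def _rejects(envelope: dict, my_name: str) -> bool:
    try:
        receive(RECIPIENT_PRIV, SENDER_PUB, my_name, envelope)
        return False
    except ValueError:
        return True

def demo() -> dict:
    envelope = send(SENDER_PRIV, RECIPIENT_PUB, "bob", "pay invoice 42")
    results = {"accepted": receive(RECIPIENT_PRIV, SENDER_PUB, "bob", envelope)}
    # a bit flip in the ciphertext: the toy cipher cannot notice it, the signature does
    flipped = bytes([envelope["body"][0] ^ 0x01]) + envelope["body"][1:]
    results["tamper_detected"] = _rejects(dict(envelope, body=flipped), "bob")
    # the same signed message read by a party other than the named recipient is refused
    # (simulated here by checking under another name; a forwarded copy hits the same check)
    results["wrong_name_rejected"] = _rejects(envelope, "carol")
    return results

if __name__ == "__main__":
    print(demo())
```

Putting the recipient's name inside the signed data is what makes the order of the steps matter: a recipient who decrypts the message and re-encrypts the still-valid signed blob for a third party is caught by the name check on the other end. Real systems replace the textbook pieces with RSA-OAEP or an ECDH key agreement for the key wrap, an authenticated cipher such as AES-GCM for the body, and RSA-PSS or ECDSA for the signature.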

6 - Management

7 - Application

Public key cryptography is often used to secure electronic communication over an open networked environment such as the Internet, without relying on a hidden or covert channel, even for key exchange.

Enveloped Public Key Encryption (EPKE) is often the method used when securing communication in an open networked environment, by making use of:

  • Transport Layer Security (TLS)
  • or Secure Sockets Layer (SSL) protocols.

8 - Implementation

Implementations, in chronological order:

8.1 - RSA

RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems.

In 1973, Clifford Cocks, a British cryptographer at the UK Government Communications Headquarters (GCHQ), implemented it.

8.2 - DH

8.3 - DSA

DSA (Digital Signature Algorithm) keys can only be used for signing and verifying, not for encryption.

9 - Lifecycle

9.1 - Revocation / replacement

All events requiring revocation or replacement of a public key can take a long time to take full effect with all who must be informed (i.e., all those users who possess that key). For this reason, systems that must react to events in real time (e.g., safety-critical systems or national security systems) should not use public key encryption without taking great care. See Public-key_cryptography#Relation_to_real_world_events

10 - Documentation / Reference