Using various channels to reach its destination; your data travels through routers, fiber optic cables, and modems to reach its intended recipient. While your data travels on these data highways at astonishing speeds, malicious entities can access this data.
To solve this problem, you could send an encrypted version of your data using symmetric encryption, but how do you share the encryption key over an unsecured network with someone continually listening. This is where public-key encryption or asymmetric encryption comes into play. It allows users to transfer data over unsecured networks using two different keys — public and private key.
Public key cryptography can get a little complicated to understand for the uninitiated so let us look at an analogy to get a grasp of the basics. Say there are two people Bob and Alice who want to talk to one another, but John is continuously listening to their conversations.
To keep their conversations secret, Bob sends an open box to Alice with a unique lock which has two keys, namely a private key and a public key. This lock has a unique property; it can be locked using either one of the keys but to unlock it, the other key is required. Therefore Bob sends the public key with the box so that Alice can lock the box to prevent John from accessing their messages. Once Bob receives the box, he opens it using the private key to access the data.
There are a lot of public-key encryption algorithms out there but let us look at the RSA public-key encryption algorithm, which is one of the most popular asymmetric cryptographic algorithms.
Also read: What is AES Encryption? How does it work?
RSA encryption algorithm decoded
The RSA algorithm builds on the fact that every number has a unique prime factorisation. Another property of prime factorisation is that it is hard to calculate the prime factors that create the number as the size of the number increases. Now that we have a grasp of the basics, let us look at how it all works.
- Key generation: Each communicating entity generates three numbers. A private key for decrypting the message that is on the user’s system. A public key which is given to anyone who wants to send an encrypted message. An additional number N which is essential for both the encryption and decryption process. To generate these keys, each user picks two prime numbers. These numbers are random and need to be big enough and are selected using the Miller-Rabin test.
- Key distribution: The public key, alongwith the number N, is sent to anyone who wants to send an encrypted message to a user. Different applications use different ways for key distribution. In the case of HTTPS, SSL certificates are used for key distribution and authentication
- Encryption: The encryption uses a one-way function with a trapdoor which makes it easy for the sender to encrypt data but impossible for someone without the private key to decrypt. Once the sender has the public key, data is encrypted and sent to the receiver.
- Decryption: To decrypt the message, the receiver uses the private key and exploits the trapdoor in the one-way function to extract the data.
Pubic key encryption has a lot of computational overhead when compared to symmetric encryption. Due to this reason, both symmetric and asymmetric encryption are used symbiotically over the internet.
Also read: What is Lumen Privacy Monitor? How does it work?
Public key encryption and the Internet
Most of you might have seen the padlock sign next to the URL when you are browsing the Internet. This padlock shows that your connection with that particular website is secure and no malicious entity can get a hold of the data you exchange over this channel.
Public-key encryption is used to create this secure channel. Let us look at how HTTPS works over the Internet and prevents hackers from accessing private information.
Once a website gets a request that a client wants to connect to their server. The server sends its SSL certificate to the client. This certificate has the public key of the website and the digital signature of the certificate authority. This signature is encrypted by the certificate authorities private key and can be decrypted using the public key of the same. To make sure that the certificate is authentic and that you are communicating to the right website, your browser decrypts the signature using the public key of the certificate authority.
If the decryption is successful, your browser encrypts a random key using the public key and sends it to the server. The server then decrypts the message using its private key and uses it as a key to encrypt messages using symmetric encryption.
Also read: What is PGP encryption and OpenPGP? How do they work?
Is RSA secure enough?
When it comes to security, asymmetric encryption is not as secure as symmetric encryption and can be broken using brute force attacks, if not implemented correctly.
Due to the computational overhead of the RSA algorithm developers choose weak parameters to generate keys which makes them vulnerable to attacks like the Copperfield. Due to these weak implementations of RSA 1 in every 172 certificates have inadequate security and can be broken using GCD computation.