So, public key encryption works because of these funny little math equations that are unidirectional – you can put a number into the equation and get a result, but you _can’t_ have the result, do the equation in reverse and get the original number back. The only way to get the original number back is to use a second equation that is capable of taking the result and giving you back the original number.

The specifics of how this works are beyond an ELI5 (and something I don’t fully understand, TBH).

So, public/private key encryption uses these equations to allow secure communications. You publish one of they two equations (the public key) and tell folks, “Use this key to encrypt your transmissions to me”. They then send you encrypted data from that key. You take that data and run it through the second equation, which you have kept to yourself (the private key) and decode it. This works because, thanks to those one-way equations, people can intercept the encrypted data and can’t do anything with it, even if they have the key that was used to encrypt it.

This also works in reverse – you can publish data encrypted with your private key and say, “Use this data to verify I am who I say I am” – since anyone can access the public key, they can decrypt the data packet and verify that you do in fact hold the private key for that pair and you are who you say you are. This is how browsers know when a fishing attack is going on – the fake website can’t produce the right data packet for the official public key.