Why would you use something like PGP if you have to send your encryption key unencrypted to the party you are sending to? And if you leave this key out on something like Twitter, for example, couldn’t law enforcement or a third party, if they gained access to the other person’s email, still read the contents of the encrypted email by using this key? Doesn’t this defeat the purpose of using encryption?
ELI5 –
It’s confusing because we say “key”, but when you get a public key from someone, you’re really receiving their “padlock”.
You write your message then lock the padlock around it.
Now only the person you sent the message to can open it.
You can make tons of copies of this padlock and give them to anyone who wants to write a message only you can read, and you can get a copy of the padlock for anyone you want to write a message to.
First of all, those keys always come in pairs.
Normally you’d already have the *public key* of the recipient and encrypt your message with that. This key is not secret. The recipient can then use their secret matching *private key* to decrypt your message. For them to answer, they’d need your public key from anywhere, your website for example.
You can also encrypt your message with your private key, which means everybody can decrypt it with your public key. Now they know for sure the message was encrypted by you.
asymmetric encryption isn’t like a normal lock and key. you can better think of it as a code lock with 2 codes. however one code can only lock it and the other only unlock it.
now if you want to send someone a locked box, you can take the lock and use the locking code to lock it. this code would be the public key. everyone knows it and can use it to lock anything meant for you. because the public code can only lock and not unlock, it’s fine that everyone knows it because even if they get the box, they can’t open it. now if you get the box, you can use your private unlock code to open the box.
in reality it’s a bit more complex, but this is basically how it works.
Imagine a door with a small door in it.
The big and small door both have separate locks. You share the key to the small door with everyone you want to communicate with, so when they want to send you something they come to the small door and open the lock and push whatever they need to inside but the door is designed in such a way that things can only go in but not out.
The second key, which is to the big door, is yours and yours only. So when you want to check what you got, you come and open it and access whatever is inside.
I hope this makes it easy to understand.
You are looking at it backwards.
Here’s how it goes.
You want to send someone an encrypted message. You ask them to send you a public key and you use that to encrypt the message you send them. Only they have the private key and only the private key can decrypt the message.
If you want them to send you an encrypted message, you can’t use the same keys from before, they don’t work in reverse, so you need to create a public/private key pair and send them the public key. And any messages they send back encrypted with that key can only be opened with your private key.
If anyone gets the public keys all they can do is encrypt messages. And only the person with the private key can decrypt them.
I use YOUR public key to encrypt a message that only YOU can read with your private key.
You use MY public key to encrypt a message that only I can read with my private key.
We just sent each other totally secret messages. Nobody else could intercept them, even though our public keys are totally public and sent in the clear.
This is a key difference between *symmetric encryption* and *asymmetric encryption*. Symmetric encryption works like you say; there is one key used for both encryption and decryption. If someone has the key, they can encrypt new messages or decrypt old ones at will.
Asymmetric encryption works differently. There are two keys, and messages encrypted with one key can only be decrypted. If I have an encrypted message and the key that was used to encrypt it, I can’t do very much.
Public-key encryption is a kind of asymmetric encryption where you take one of these keys and call it “public”, and call the other one “private”. Usually it doesn’t matter which key is public, as long as you are consistent about it, so key-generating software will just pick one and label it “public” for convenience. You take your public key and share it around as widely as possible, but you keep the private key a secret. This lets you do a couple of neat things.
Let’s say that you encrypt a message with your secret key. Anyone who has your public key can decrypt the message. As you point out, this is not very useful for secrecy, because anyone with your public key can decrypt it. But it’s actually useful for something else: the fact that your public key worked to decrypt the message proves that you, and only you, could have encrypted it (because only you have that key). This is called *signing* a message, and it lies at the heart of many authentication systems today.
But again, that is not very useful for secrecy. So how *do* we send a secret message with public-key cryptography? The answer is that we don’t use our private key: we use *the other person’s* public key. That way, only their private key can decrypt the message. Since only they have that key, this provides secrecy. This is also why you have to share your public key: other people need it in order to send secret messages to you.
If you encrypt your message using your private key, anyone who knows your public key can decrypt and read your message. That means anyone can read your message – your message is not secret.
If you encrypt your message using another person’s public key, only those who know their private key can decrypt and read it. Presuming the other person has successfully kept control of their private key, then only the intended recipient can read your message – your message is secret.
When would you want to encrypt your message using your private key? When you need to prove the message was really sent by you. Suppose the encrypted message can be decrypted into a coherent plain text using your public key. In that case, the text must have been encrypted using the matching private key, which – presumably – only you know and control.
You would encrypt with both your private key and recipient’s public key in order to ensure that only the intended recipient can read the message and to prove to the recipient that it was you who originated the message, and not an imposter.
For using your private key as proof that the message was sent by you to function legally, there has to be an institution of mutual trust and a mechanism to keep the private key secret. The role of the institution of mutual trust is to keep a dictionary of people and their public keys, not unlike a public telephone book. A mechanism to keep the private key secret is usually a device designed and manufactured to a standard (i.e. a “qualified” device) that safely stores a private key and offers encryption service using that stored private key. An example of such a device is a smart card. If the two criteria are met, then you have what is called an undeniable qualified electronic signature.
Institution of mutual trust can be established by law or by a contract between two parties wishing to use digital signatures.
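The key roles described in the answers above, as an added example that is not part of any answer on this page: a toy textbook-RSA sketch in Python showing that a message locked with a recipient's public key opens only with the matching private key, and that a signature made with a private key checks out only against the matching public key. The names Alice and Bob, the primes and the sample message are constructed for illustration; real PGP uses large random keys, padding and a hybrid scheme, so this is for understanding only.

```python
# Toy textbook RSA: fixed well-known primes, no padding, no hybrid encryption.
# It shows which key does what; it is not how PGP is built and is not secure.
import hashlib

E = 65537  # public exponent shared by both toy key pairs


def make_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # d is the inverse of e modulo phi


def apply_key(key, value):
    """The single RSA operation: value ** exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this modulus")
    return pow(value, exponent, n)


def encrypt(recipient_public, message: bytes) -> int:
    return apply_key(recipient_public, int.from_bytes(message, "big"))


def decrypt(key, ciphertext: int) -> bytes:
    m = apply_key(key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes, n: int) -> int:
    # Signing works on a hash of the message, reduced to fit the modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(signer_private, message: bytes) -> int:
    return apply_key(signer_private, digest(message, signer_private[0]))


def verify(signer_public, message: bytes, signature: int) -> bool:
    n = signer_public[0]
    if not 0 <= signature < n:
        return False
    return apply_key(signer_public, signature) == digest(message, n)


# Constructed sample keys (Mersenne primes, used only because they are well known).
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    note = b"meet at noon"              # constructed sample message
    locked = encrypt(BOB_PUBLIC, note)  # Alice needs only Bob's public key
    print("Bob's private key:", decrypt(BOB_PRIVATE, locked))
    print("Bob's public key: ", decrypt(BOB_PUBLIC, locked))
    print("signature checks: ", verify(ALICE_PUBLIC, note, sign(ALICE_PRIVATE, note)))
```
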