Public Key Infrastructure
Public key infrastructure or public key encryption is a method for encrypting data with two separate and different keys. One of the keys, the public key, is published. Once data is encrypted by the public key, it can only be decrypted using the private key. Public key encryption is also referred to as public key cryptography. Public key encryption is also called asymmetric encryption since both keys are different. Private keys are used to decrypt messages created using the corresponding public key. Viewed simply, the public key secures the data from illegitimate use, and the private key makes it available and accessible. Public Key Encryption also enables non-repudiation. Non-repudiation prevents the sender of the data from claiming that the data was never sent. It also prevents the data from being modified.
The public key is a large numerical string used to encrypt data. Public keys are often automatically generated by software programs. A designated certificate authority may also provide them. The certificate authority generates digital certificates that enable proof of the owner’s identity. These digital certificates also contain the owner’s public key. A digital certificate cryptographically connects the ownership of a public key with the entity or organization that owns it.
The private key is used to both encrypt and decrypt the data. The encrypted data is generally shared by both the sending party and the receiving party. As noted earlier, the private key algorithm and process is usually faster. The private key must be kept secret and not public to any party other than the sending party and the receiving party.
The public key is used to encrypt data only. The private key must be used to decrypt the data. Any party can use the public key, but the private key can only be shared between the two principal parties, the sending party and the receiving party.
Several algorithms are used to generate public keys. They include:
- Rivest-Shamir-Adleman (RSA). The RSA algorithm is a collection of cryptographic algorithms that support public key encryption. RSA’s design was first released in 1980 by Ron Rivest, Adi Shamir, and Leonard Adleman, all of whom were associated with the Massachusetts Institute of Technology (MIT).
- Elliptic curve cryptography (ECC). ECC is a technique for encrypting data that relies on pairs of public and private keys to encrypt internet traffic. Elliptic-curve cryptography is mathematically based upon the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security. It also generally requires less power consumption, increased speed, and smaller chip size.
- Digital Signature Algorithm (DSA). The DSA is a Federal Information Processing Standard (FIPS) used for digital signatures. DSA is based upon the mathematical expression of modular exponentiation and discrete logarithm problems.
A key is a string of information that is used, in turn, to scramble messages or other data so that the content appears completely randomized. The key is typically a long string of alphanumeric characters.
Public key encryption is used to support secure communications over the Internet using HTTPS. A website’s SSL/TLS certificate contains a public key, and the private key is installed on the originating server. Initially proposed by the Internet Engineering Task Force (IETF) in 1999, Transport Layer Security (TLS) is generally used to encrypt data transmitted over the Internet. TLS is often applied to financial transactions, related data, personal correspondence, and more. TLX can also be used to encrypt other communications such as messaging apps, email, voice over IP, and more.
These are the critical components of public key encryption:
- Message Plain Text. The plain text message is provided to the encryption algorithm as INPUT.
- Cipher Text. The cipher text is the OUTPUT of the encryption algorithms. The encrypted Cipher Text message is not understandable.
- Encryption Algorithm. The encryption algorithm converts INPUT PLAIN TEXT into OUTPUT CIPHER TEXT.
- Public and Private Keys. One key in the pair (Private key – secret, and Public key – easily accessible by anyone) is used for encryption, and the other for decryption. A private key (Secret key) or Public Key (known to everyone) is used for encryption, and another is used for decryption
Risks associated with public key encryption include:
- Brute Force Attack. A brute force attack can compromise public key encryption. Brute force attacks are a process by which the threat actor submits numerous passwords to identify and guess the actual password.
- Man in the Middle Attack. A 3rd party can disrupt the public key communications and modify the public keys.
- Loss of Private Key. If the user loses their private key, then the process is susceptible to being broken by a threat actor.
In comparing symmetric and public key encryption, it is generally the case that public-key encryption requires more CPU cycles to support the algorithm calculations. In some environments with large amounts of data, the additional overhead of public key encryption can be a bit too much. One technique used to work around this is to utilize public key encryption to encrypt and transmit a symmetric key, which can, in turn, be used to encrypt additional data more efficiently.
Consequently, public-key encryption is not always appropriate for large amounts of data. However, it is possible to use public-key encryption to send a symmetric key, which you can then use to encrypt additional data.
Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.
Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.
Get started with Bugcrowd
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.