In public key cryptography, also known as asymmetric encryption, there are two terms to distinguish: the public key and the private key. Public key cryptography lets you identify and encrypt your communications with people you know or don’t know over the internet, so you can interact with them safely. The method relies on the use of both a public and a private key.
But what is the difference between a public and a private key? How do they differ, and why does it matter? In this post, we’ll discuss the differences between public and private keys, as well as their roles in data privacy and identity verification.
Public Key vs Private Key: The Differences Between Them
Encryption is the process of translating plaintext data into gibberish so that no one can read, decode, or change it without the right key. A key is a long sequence of unpredictable, random characters. When you encrypt and decrypt data with the same key, you’re using symmetric encryption.
Asymmetric encryption (public key encryption), on the other hand, uses two different keys: one to encrypt data and the other to decrypt it. These two keys are the public key (the encryption key) and the private key (the decryption key). Consider a vault with two different keys: one key can lock it, but the vault cannot be opened with that same key; to open it, you need the other key. Public key cryptography works similarly: there are two keys, one that can encrypt data and another that can decrypt it. The keys are distinct, but they are mathematically connected, because they are generated together by an asymmetric algorithm that links the public and private keys.
What Is a Public Key & How Does It Work?
In a public key infrastructure, the public key encrypts data. It’s called a public key because it can be freely distributed and used for encryption by anyone. Once data has been encrypted with a public key, you can neither read nor guess the original content from the ciphertext, nor can you use that same public key to decrypt it.
Public keys are produced by complex asymmetric encryption algorithms. The length of the public key is determined by the algorithm used to generate it; in general, key sizes range from 128 to 4096 bits. The CA/B Forum (Certificate Authority/Browser Forum) publishes recommendations for the minimum acceptable public key size. According to the latest CA/B Forum guidelines, all CAs must ensure that:
an RSA public key is at least 2048 bits long, or one of the ECDSA curves NIST P-256, NIST P-384, or NIST P-521 is used.
The following is an example of an RSA public key:
The mathematical algorithms used to create public keys (and private keys) include:
- Rivest-Shamir-Adleman (RSA)
- ElGamal
- Elliptic curve cryptography (ECC)
- Diffie-Hellman key agreement
- Digital signature algorithm (DSA)
So, what is the difference between an RSA public key and an ECC public key? Key size, for one: RSA keys are significantly larger than ECC keys, yet much smaller ECC keys are just as strong. Second, the keys are calculated in different ways. An RSA public key is built from the product of two massive prime numbers together with a smaller number, whereas an ECC public key is a specific point on an elliptic curve, computed from the private key.
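To make the "two primes and a smaller number" concrete, here is a toy textbook RSA key pair worked through in Python. This is an added example, not code from the post: the primes 61 and 53 and the exponent 17 are the classic tiny textbook values, chosen so the arithmetic is readable, and the final function shows why such a small modulus is worthless, which is the reason for the 2048-bit minimum quoted above.

```python
"""Toy textbook RSA, added as an illustration; not the post's own code.
The primes are deliberately tiny. Real keys use primes of 1024 bits or more
so the modulus meets the 2048-bit minimum, and real RSA also pads messages."""
from math import gcd, isqrt


def make_keypair(p, q, e=17):
    """Derive an RSA key pair from two primes p, q and a public exponent e.

    The public key is (n, e); the private key is (n, d). Both share the
    modulus n = p * q, which is what 'mathematically connected' means here.
    """
    n = p * q
    phi = (p - 1) * (q - 1)                # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)                    # modular inverse: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt an integer m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of d can reverse the encryption."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """Trial-division factoring of n. Feasible only because n is tiny; for a
    2048-bit modulus this loop would never finish, which is the whole point
    of the key-size minimums."""
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return make_keypair(p, n // p, e)[1]
    raise ValueError("modulus is not a product of two primes")


def demo():
    public, private = make_keypair(61, 53)          # textbook primes (constructed)
    m = 65                                           # a small plaintext integer
    c = encrypt(public, m)
    assert decrypt(private, c) == m
    # The public key cannot undo its own encryption: applying e again is not decryption.
    assert pow(c, public[1], public[0]) != m
    # With a 12-bit modulus an attacker recovers d from the public key instantly.
    assert recover_private_key(public) == private
    return public, private, c


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the public key `(3233, 17)`, the private key `(3233, 2753)` and the ciphertext `2790` for the plaintext `65`; the two asserts in the middle are the security properties the post describes, and the last one is the caveat: the same maths with small numbers offers no protection at all.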
What Is a Private Key & How Does It Work?
This key is capable of decrypting ciphered data (i.e., encrypted data). Each public key has a corresponding private key, and each public/private key pair is unique. The owner must keep the private key secret (i.e., stored safely on the authorised device or on a non-public-facing server). For SSL/TLS certificates, your private key is generated as part of the key pair produced with your certificate signing request (CSR). This ensures that no one, including the certificate’s issuing CA, can see or use your private key.
Since your key is private, you must keep it secure and know where it is at all times. If your private key is lost, you’ll have a lot of work ahead of you, because you’ll have to re-issue your certificate.
Because a private key is created with high entropy (randomness), guessing it from its corresponding public key is nearly impossible. As a result, brute-force cracking a private key would take even a modern supercomputer thousands of years. Consequently, only the authorised device that holds the private key can decrypt the data.
The following is an example of a private key:
[Image: an example RSA private key, edited to remove sensitive information.]
A Quick Overview of the Differences: Public Key vs Private Key
Looking for a quick visual to help you see the differences between a public key and a private key? Then look no further:
| Public Key | Private Key |
|---|---|
| Can be openly distributed | Must be kept secret |
| Used for encryption | Used for decryption in asymmetric encryption, or for both encryption and decryption in symmetric encryption |
| Verifies a digital signature created with the corresponding private key | Creates the digital signature (by signing the hash) |
| Stored inside digital certificates, outgoing emails, and executables | Stored on authorised devices and non-public-facing servers |
The Difference Between a Public and a Private Key in Data Privacy and Protection
Public key cryptography comes in handy when you want to encrypt data in transit or at rest. One endpoint encrypts the data with the recipient’s public key and sends it. The recipient uses the corresponding private key to decrypt it. Without the private key, someone in the middle who intercepts the data is unable to open, decipher, or otherwise understand it.
As a result, asymmetric encryption prevents plaintext data from being revealed through:
- man-in-the-middle attacks,
- data leakage, and
- data theft.
To be clear, asymmetric encryption does not prevent these attacks, breaches, or thefts from occurring. It does, however, prevent anyone from reading or using the unencrypted (plaintext) data. All the bad guys can see is gibberish unless they have the corresponding private key to decrypt the data.
Consider your email address and password as a classic analogy for a public key and a private key.
In this analogy, your email address is the public key: it is accessible to the general public, and anyone who has it can send you an email. However, only the holder of the account’s password (that is, you) can access and read the account’s email. The password acts as the private key.
Every public/private key pair is unique. In the same way, when you create a new user ID on a website or application, the system alerts you if the one you want is already taken: a user ID (which may be an email address, phone number, or ID card number, for example) and password must be unique.
TLS/SSL Certificate
Similarly, an SSL/TLS certificate uses public key cryptography to secure data transmission between a browser and a website’s server. The website owner installs the SSL certificate on their site, and the certificate is tied to its own specific pair of public and private keys. Millions of websites use SSL/TLS certificates, but they do not all share the same key pairs.
When a user attempts to open a website, their web browser initiates a TLS handshake with the website’s server. As part of this process, the browser (client) generates a random pre-master secret, encrypts it with the server’s public key, and sends it to the server. The server uses the corresponding private key to decrypt the pre-master secret and compute a symmetric session key.
The session key is then used to encrypt all data exchanged between the user and the website for the remainder of the session, i.e., symmetric encryption. Without the server’s private key, an attacker cannot recover the session key. This initial use of public key cryptography allows the session key to be exchanged securely, and symmetric encryption then protects the rest of the session. This is how data transmitted between a website and its visitors is protected.
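The handshake just described, modelled end to end in Python as an added example (this is not the post's code and not a TLS implementation). Everything in it is constructed for illustration: the server's toy RSA key pair is built from the small primes 1000003 and 999983, SHA-256 over the pre-master secret and the two nonces stands in for the TLS key-derivation function, and an HMAC-SHA256 counter keystream stands in for the real record-layer cipher. What it shows is the part the prose leaves implicit: the client and server end up with the same session key although only the encrypted pre-master secret ever crosses the wire.

```python
"""RSA key-exchange handshake model, added as an illustration; not the post's
code. Toy key sizes and a stand-in KDF/cipher, constructed for readability."""
import hashlib
import hmac
import secrets

# Toy server key pair. 1000003 and 999983 are prime; real servers use primes
# of 1024+ bits so the modulus meets the 2048-bit minimum discussed earlier.
P, Q, E = 1000003, 999983, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SERVER_PUBLIC_KEY = (N, E)       # shipped to every client inside the certificate
SERVER_PRIVATE_KEY = (N, D)      # never leaves the server


def derive_session_key(pre_master, client_random, server_random):
    """Both sides compute the same symmetric key from the shared secret plus
    the two handshake nonces (constructed stand-in for the TLS PRF)."""
    material = pre_master.to_bytes(8, "big") + client_random + server_random
    return hashlib.sha256(material).digest()


def keystream_xor(key, data):
    """Symmetric encrypt/decrypt with an HMAC-SHA256 counter keystream.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def handshake(client_random=None, server_random=None, pre_master=None):
    """Run the exchange and return (client_session_key, server_session_key,
    encrypted_pre_master). Arguments default to fresh random values."""
    client_random = client_random or secrets.token_bytes(32)
    server_random = server_random or secrets.token_bytes(32)
    # Client: choose the pre-master secret and encrypt it to the server's public key.
    pre_master = pre_master or secrets.randbelow(N - 2) + 2
    n, e = SERVER_PUBLIC_KEY
    encrypted = pow(pre_master, e, n)            # this is all an eavesdropper sees
    client_key = derive_session_key(pre_master, client_random, server_random)
    # Server: only the private key recovers the pre-master secret.
    n, d = SERVER_PRIVATE_KEY
    recovered = pow(encrypted, d, n)
    server_key = derive_session_key(recovered, client_random, server_random)
    return client_key, server_key, encrypted


def demo():
    """Both sides derive the same key, then the session uses symmetric encryption."""
    client_key, server_key, _ = handshake()
    assert client_key == server_key
    request = b"GET /account HTTP/1.1"              # constructed application data
    record = keystream_xor(client_key, request)     # browser encrypts
    assert keystream_xor(server_key, record) == request   # server decrypts
    return record


if __name__ == "__main__":
    print(demo().hex())
```

The eavesdropper's position is the interesting one: they hold `encrypted`, both nonces and the server's public key, but without `D` they cannot recover `pre_master`, so they cannot run `derive_session_key` and the `record` bytes stay gibberish to them.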
To protect data, public key cryptography is also used in the following types of digital certificate:
- Code signing certificate
- Email signing certificate
- Document signing certificate
- Personal authentication certificate
Public Key vs Private Key in Identity Verification
Identity authentication and digital signatures are two other applications of public and private keys.
With digital signatures, the sender creates the signature using their private key. The recipient uses the sender’s public key to verify the signature’s authenticity. No one except the owner of the private key (i.e., the authorised sender) can alter, copy, or remove the digital signature. Digital signatures, in combination with other security measures, provide assurance about the sender’s identity and the data’s integrity.
Email Signing Certificates
When you install an S/MIME certificate on your email device, it creates a specific pair of public and private keys. The private key is stored on your computer, and the public key is sent with all outgoing emails. You use the private key stored on your computer to digitally sign your messages. The email includes the public key, which recipients can use to validate the signature. This gives recipients confidence in the identity of the email’s sender.
Code Signing Certificates
Software publishers use these certificates to sign executable software, scripts, drivers, and applications. When a piece of software is finished, the creator digitally signs it with their private key. When a user downloads it, their computer obtains the publisher’s public key and uses it to validate the signature.
A security dialog appears during the download process. If the digital signature is valid, the publisher’s name appears in the dialog box. If there is no digital certificate, the publisher is shown as “unknown”. A code signing certificate assures users that the programme they are downloading comes from a trusted source.
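The sign-with-private-key, verify-with-public-key flow that the digital signature, email signing and code signing sections all describe, as an added Python example (not the post's code). The publisher key pair, the installer bytes, the publisher name and the trust store are constructed for the example; the toy RSA "encrypt the hash" signature is the table's description taken literally, whereas real code signing uses 2048-bit or larger keys with a padding scheme such as PSS and a certificate chain.

```python
"""Toy signing and verification, added as an illustration; not the post's code.
Constructed: small-prime key pair, installer bytes, publisher name, trust store."""
import hashlib

P, Q, E = 1000003, 999983, 65537          # both prime; toy-sized on purpose
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLISHER_PUBLIC_KEY = (N, E)             # distributed in the publisher's certificate
PUBLISHER_PRIVATE_KEY = (N, D)            # held only by the publisher

# Constructed trust store: maps a publisher's public key to the name shown in the dialog.
TRUSTED_PUBLISHERS = {PUBLISHER_PUBLIC_KEY: "Acme Software Ltd"}


def digest_int(data):
    """Hash the artefact and reduce it into the modulus range (toy shortcut;
    real schemes pad the full hash instead of reducing it)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(private_key, data):
    """The signer 'encrypts the hash' with the private key, as the table above puts it."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(public_key, data, signature):
    """Anyone with the public key recovers the hash from the signature and
    compares it with the hash of the data they actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def publisher_name(data, signature):
    """Mimic the download dialog: name the publisher whose key verifies the
    signature, or 'unknown' when no trusted key does."""
    for public_key, name in TRUSTED_PUBLISHERS.items():
        if verify(public_key, data, signature):
            return name
    return "unknown"


def demo():
    installer = b"#!/bin/sh\necho installing acme-tool 1.2.3\n"   # constructed artefact
    signature = sign(PUBLISHER_PRIVATE_KEY, installer)
    # Unmodified download: signature verifies, dialog shows the publisher.
    genuine = publisher_name(installer, signature)
    # One changed byte in transit: the hash no longer matches, dialog shows "unknown".
    modified = installer.replace(b"1.2.3", b"1.2.4")
    altered = publisher_name(modified, signature)
    return genuine, altered


if __name__ == "__main__":
    print(demo())   # ('Acme Software Ltd', 'unknown')
```

The verifier never needs the private key, which is why the public key can travel with the email or the executable; and because the signature is bound to the hash of the exact bytes, any modification after signing is detected even when the attacker still has the original signature.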
Public Key vs Private Key in Two-Way Authentication
Public and private keys may also be used for client authentication, also called two-way authentication. Organizations do not allow outsiders to access their intranet pages, production and testing sites, and other internal tools. Similarly, certain confidential internal emails should not be opened by third parties. In these cases, the private and public keys are used to build two-way authentication.
Some certificates (known as “two-way SSL/TLS certs,” “personal authentication certificates,” or “client authentication certificates”) may be installed on employees’ office devices to allow two-way authentication, in which the server also verifies the client. (With conventional SSL/TLS certificates, authentication is usually one-way: the client authenticates the server, not the other way around.)
Assume Alice and Bob work for a business that has email signing certificates installed in their email clients. When Alice encrypts and signs an email for Bob, she uses Bob’s public key (to encrypt) and her own private key (to sign). When Bob opens it, he decrypts the email using his private key and verifies the signature using Alice’s public key. Since no one else has Bob’s private key, no one else can open or read the email.
Personal Authentication Certificates: Personal authentication certificates (client certificates) are installed in the same way on employees’ company computers (desktops, laptops, and even smartphones). Both the client and the server have a public key and a private key. When employees want to access the website, they first go through the standard TLS handshake, in which the server presents its SSL/TLS certificate and the client authenticates it. The client must then present its own certificate to the server so that the server can authenticate the client.
Let’s take another example to better understand this process:
John works for XYZ Corporation as a remote software developer. Only employees are allowed to access the company’s intranet website, intranet.xyz.com. XYZ has sent John a laptop with a client certificate installed for office work. Whenever he tries to open intranet.xyz.com, John’s browser checks the website’s SSL/TLS certificate as part of the TLS handshake.
As part of the same handshake, John’s computer must present its client certificate, which the website’s server authenticates. Only after this procedure completes is John able to access the intranet site. As a result, John can only access intranet.xyz.com from the company laptop that holds the client certificate.
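John's handshake, reduced to the step that makes it two-way: the server challenges the client to prove it holds the private key matching an enrolled certificate. This is an added Python model, not the post's code and not a TLS implementation. Both key pairs (toy RSA from small primes), the nonce challenge, the employee id and the server's trust list are constructed for the example; real TLS has the client sign the handshake transcript with its certificate key, which serves the same purpose as the nonce here.

```python
"""Two-way (client) authentication model, added as an illustration; not the
post's code. Toy RSA key pairs, nonce challenge and trust list are constructed."""
import hashlib
import secrets


def toy_keypair(p, q, e=65537):
    """(public, private) from two primes; toy-sized, real keys are 2048+ bits."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


# John's company laptop holds this client-certificate key pair (primes constructed).
JOHN_PUBLIC, JOHN_PRIVATE = toy_keypair(1000003, 999983)
# An outsider with their own, unenrolled key pair (131071 and 8191 are Mersenne primes).
OUTSIDER_PUBLIC, OUTSIDER_PRIVATE = toy_keypair(131071, 8191)

# intranet.xyz.com's trust list: which client public keys were issued to employees.
TRUSTED_CLIENT_KEYS = {JOHN_PUBLIC: "john"}


def nonce_digest(nonce, n):
    """Hash the server's challenge and reduce it into the modulus range (toy)."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


def sign_nonce(private_key, nonce):
    """Client side: prove possession of the private key by signing the challenge."""
    n, d = private_key
    return pow(nonce_digest(nonce, n), d, n)


def server_authenticate(client_public, nonce, signature):
    """Server side: the presented key must be enrolled AND the signature must
    verify over this handshake's nonce. Returns the employee id, or None."""
    if client_public not in TRUSTED_CLIENT_KEYS:
        return None                  # certificate was not issued to an employee
    n, e = client_public
    if pow(signature, e, n) != nonce_digest(nonce, n):
        return None                  # wrong private key, or a replayed old signature
    return TRUSTED_CLIENT_KEYS[client_public]


def client_request(client_public, client_private):
    """One handshake: fresh server nonce, client signature, server verdict."""
    nonce = secrets.token_bytes(32)  # new per handshake, so captured signatures are useless
    return server_authenticate(client_public, nonce, sign_nonce(client_private, nonce))


if __name__ == "__main__":
    print(client_request(JOHN_PUBLIC, JOHN_PRIVATE))          # john
    print(client_request(OUTSIDER_PUBLIC, OUTSIDER_PRIVATE))  # None
```

Three failure cases fall out of the same check: an unenrolled key is refused before any maths runs, a signature made with some other private key fails verification, and a signature captured from an earlier handshake fails because the nonce has changed. That last property is why the server, not the client, must choose the challenge.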
Wrapping Up on Public Key vs Private Key
There are two forms of encryption: symmetric and asymmetric. In symmetric encryption, only one key is needed for both encryption and decryption, and every endpoint and user must keep that key secret. When a large number of endpoints are involved, key distribution and key management become more complicated, and the chances of key compromise increase.
Asymmetric encryption (public key cryptography) is more reliable when large keys with high entropy are used, because two keys are involved (the public key and the private key). The primary distinction is that the public key encrypts data while the private key decrypts it. You can freely distribute public keys to a large number of endpoints without fear of a security breach. The private key, however, is a valuable asset that must be safeguarded at all costs.