Join Lisa Bock for an in-depth discussion in this video Differentiating between public and private key encryption, part of Foundations of IT Security: Core Concepts.
- Symmetric Encryption provides fast, efficient encryption. However, it requires that both sender and receiver have the same shared key, which can be a problem in a complex networked environment. Asymmetric Encryption, also called public key encryption, is a fundamental component of message security, as it uses two keys, a public key and a private key, which are mathematically related. It was developed in the 1970s. Uses for asymmetric encryption include securely exchanging a secret key, confidentiality using encryption, authentication, and creating digital signatures.
With Public Key encryption, two keys are generated: a public key and a private key. The private key is kept private and never shared with anyone. The public key is shared and available to everyone. Here we see two entities, Alice and Bob. Alice has generated a key pair, a public and a private key. Bob also generates a key pair, a public key and a private key. Alice sends her public key to the key server, and Bob sends his public key to the key server.
Now, the key server can be in a corporate environment, it can be in the cloud, anywhere you want it accessible so people can get the public keys. Now, let's step through a transaction. We see here that Alice wants to communicate with Bob, so she obtains Bob's public key. She takes Bob's public key and the plaintext, which produces the ciphertext, and then sends it to Bob. Bob uses his private key to decrypt it, and is able to read it.
An important concept we must address while communicating with entities on the internet and dealing with public keys is the issue of trust. So, we see that Alice and Bob want to communicate with one another. Alice needs to obtain Bob's public key, but can she trust Bob's public key? Was it really generated by Bob? Phil Zimmermann introduced the Web of Trust after developing Pretty Good Privacy. The mechanism is this: instead of trusting a trusted third party such as Verisign to decide whether or not a public key can be trusted, we look to a trusted introducer.
The Web of Trust works for signing public keys in an intimate environment such as our example, but in a larger untrusted environment we need another option. A better way is to use public key infrastructure with certificates.
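The Alice-to-Bob transaction described above, as an added example that is not part of the course: each party generates a key pair, publishes only the public half to a key server, and a message encrypted to Bob's public key can be opened only with Bob's private key. It uses Go's standard library crypto/rsa with OAEP padding; the party names and the map standing in for the key server are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one entity's key pair; the private key never leaves this struct.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}
// NewParty generates a fresh 2048-bit RSA key pair for the named party (constructed here).
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}
// Publish registers only the public half with the key server (a map stands in for it).
func (p *Party) Publish(server map[string]*rsa.PublicKey) {
	server[p.Name] = &p.priv.PublicKey
}
// EncryptTo fetches the recipient's public key from the server and encrypts with RSA-OAEP.
func EncryptTo(server map[string]*rsa.PublicKey, recipient string, plaintext []byte) ([]byte, error) {
	pub, ok := server[recipient]
	if !ok {
		return nil, fmt.Errorf("no public key published for %q", recipient)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}
// Decrypt uses the party's own private key; a ciphertext meant for someone else fails.
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

func main() {
	server := map[string]*rsa.PublicKey{}
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	alice.Publish(server)
	bob.Publish(server)
	ct, _ := EncryptTo(server, "bob", []byte("meet at noon"))
	pt, err := bob.Decrypt(ct)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
	_, err = alice.Decrypt(ct)
	fmt.Println("alice decrypting bob's mail:", err)
}
```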
Note: This course maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals 98-367 certification exam and is recommended test prep viewing.
- Evaluating risks, threats, and vulnerabilities
- Minimizing the attack surface
- Avoiding worms and viruses
- Protecting your system from spyware
- Making web browsers more secure
- Securing wireless transmissions
- Encrypting files, folders, and drives
- Using virtual private networks