3

I don't understand the real world usage scenarios of these cryptography methods. Can any one please explain how they work, with examples and also their usage in the real world?

nealmcb
  • 20,544
  • 6
  • 69
  • 116
n92
  • 869
  • 2
  • 9
  • 9
  • 1
    Hi @Vinay, welcome to the site! Please read the [FAQ], and [ask] - this is a very easy question to find on Google or Wikipedia. Also, I recommend browsing this site a bit, I believe this has been discussed in depth before. – AviD Jul 17 '11 at 22:32
  • 5
    This question is already answered on Wikipedia. I feel that it is disrespectful to ask for others to volunteer their time to help, if you haven't already checked Google and Wikipedia to learn what's already readily available on the Internet. – D.W. Jul 18 '11 at 02:08

2 Answers2

10

Wikipedia has a good article on public/private-key cryptography. To summarize public/private-key cryptography is one concept, not two. The alternative to public/private-key cryptography is using symmetric cryptography which has one key per pair of communication partner.

In asymmetric cryptography a person/computer has a keypair. One key is kept secret and called private key. The other one is given to communication partners. Anything that is encrypted using the public key can only be decrypted using the matching private key.

Symmetric cryptography is a lot simpler and more performant, but it does not scale to a large number of communication partners (10 people need 45 keys for each one to talk securely to every one else).

So as a result both systems are often used in conjunction in the real world: The actual data is encrypted using a symmetric session key, which is only valid for one session. This key (or some information from which it can be derived) is transmitted using public/private-key cryptography at the beginning of the session.

Encryption

Anything that is encrypted using a public key can only be decrypted by using the private key.

The most common example is HTTPS. When you connect to an HTTPS server, it will send you a certificate. A certificate is just a public key with some identity information attached to it. Using this public key the browser can send information to the server that only the server can decrypt, using its private key. Building up on that, a symmetric session key is negotiated between the browser and the server, which is used to encrypt the traffic.

Signatures

Using a private key information can be signed and this signature can be verified by using the public key. The most common use case is to sign certificate to tell the world that you trust that certificate to contain correct identity information. There is a number of certification authorities out there which are by default trusted by the common browsers.

Other use cases

Public/Private key cryptography can be used for many different things. The standard example is email, but this is not really widespread because it's too complicated for average computer users. Smartcards are a better example: They store the private key and have a little processor that can do the encryption and signing. So the private key never leaves the device.

Piskvor left the building
  • 1,644
  • 15
  • 14
Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
  • So,symmetric and asymmetric encryption methods can be used at a time like one to handle the data and other one for session keys, could you please tell how the symmetric encryption will be used in session keys – n92 Jul 17 '11 at 18:09
  • please give me an example where both the symmetric and asymmetric encryption used – n92 Jul 17 '11 at 18:21
  • 1
    @Vinay - the example @Hendrik gave is the perfect example. It is used every time you go to an https website. – Rory Alsop Jul 17 '11 at 18:58
  • 1
    "Symmetric cryptography is a lot simpler and more performant, but it does not scale to a large number of communication partners (10 people need 45 keys for each one to talk securely to every one else)." -- only if you are using point to point encryption. It's possible to create a network where every member of the network has the shared symmetric key. Then you move the pain factor to key distribution. – bethlakshmi Jul 18 '11 at 18:29
6

I like Hendrik's answer, but figured I'd throw in some more stuff that won't fit in a comment.

Common term usage:

  • Public Key Crypto - refers to as asymmetric cryptography because one of two keys is made public
  • Private Key Crypto - refers to symmetric cryptography where the one and only key must be kept private

General Usage:

Symmetric crypto is generally quite fast, so it is readily used in time sensitive applications - for example, session encryption between two points. TLS/SSL uses it this way.

Symmetric crypto has a big drawback - everyone/everything using it has to have that private key, and the private key must be transported carefully or else it will loose the value of its privacy. So Symmetric crypto can NOT be used for proof of identity or signature. That's always been the big value add of asymmetric crypto, where you can keep your private key and distribute the public key to everyone else.

The big obvious example (as Hendrick said) is server certificates on an HTTPS session. If you're watching carefully, asymmetric crypto is actually used in a number of ways in that single case:

  • digital signature - the server's certificate is signed by a Certificate Authority (or it's self-signed) - this proves that some higher power (like GoDaddy) verified this information and asserts its truthfulness. That information has not been tampered with, and you can prove it by hashing the certificate information, and comparing it to the CA's signature after it has been decrypted with the CA's public key.

  • encryption - the client uses the server's certificate to encrypt and send information needed for setting up the session.

  • identification - the fact that the server could decrypt the client's information proves that it posses the private key. Proof of private key gives evidence that you are, indeed, talking to the server that the CA certified.

But - once all the up front work of the SSL/TLS handshake is done, the server's asymmetric keys are obsolete - the two computers are talking using symmetric cryptography. Asymmetric crypto, when used purely for encryption, tends to be slower than symmetric crypto, so most of the time a system will take a hybrid approach and use asymmetric for things only asymmetric crypto can do (identification) and it will fall back on symmetric crypto for things where time is a factor.

bethlakshmi
  • 11,606
  • 1
  • 27
  • 58
  • overall a very good answer (as always, LMGTFY-question notwithstanding), one comment: to avoid ambiguousness, I've always heard that private key crypto is the same as public key crypto, as @Hendrik said. For symmetric encryption, it's usually called "*Secret Key* encryption", or "*Shared key* encryption"... – AviD Jul 18 '11 at 21:34
  • Our experience is definitely different then. Granted, in the office we have bunches of terms running around about BOTH types of encryption based on other factors. But "private key" = "symmetric" IS a pretty standard term: http://en.wikipedia.org/wiki/Symmetric-key_algorithm. Our thread here is one of the big reasons why I almost never use the term "private key" to describe an encryption type, I much prefer asymmetric/symmetric. – bethlakshmi Jul 20 '11 at 14:04
  • Hmm. Interesting, that. In any event, I agree with your last line, asymmetric/symmetric over public/private/secret etc... unless its important to the context. – AviD Jul 20 '11 at 14:20
  • 1
    With one exception... PKI is, well, PKI - I know of none that calls it an Asymmetric Key Infrastructure. :) – bethlakshmi Jul 20 '11 at 14:26