For many, security remains a mystery that is better left to the professionals. It has been seen as too complex for the layperson to explore or fully understand. While diving into the math of some of the most complex algorithms can be a daunting task, the essence of what makes all of these algorithms work isn’t necessarily out of anyone’s reach. Instead of looking at the minute details of cryptography that most people find either boring or overwhelming, we can look at the concepts that make up public key encryption so that we may understand completely what exactly is protecting us from hackers.
What is public key encryption?
Public key encryption, a concept of public-key cryptography, is a means of exchanging data privately that involves a public and a private key. The public key is seen by everyone (hence the name “public”). However, the private key is only visible to the endpoints that are transmitting the data. Public key encryption is known as an “asynchronous” algorithm.
What is a synchronous/asynchronous algorithm?
If we had to label PKE as an “asynchronous” algorithm, it was done in order to distinguish it from synchronous algorithms. All cryptography uses a key-based system to approach the issue of privacy. The terms “synchronous” and “asynchronous” refer to the ways in which these keys are shared.
Let’s say that you’re trying to send a letter to someone that’s encrypted. The person receiving your letter needs to know how to decipher the entire text to understand what’s in it. How are you going to teach that person to decipher it? You’ll need to meet in secret to get that person the key. This is essentially how synchronous algorithms work. That “meeting in secret” part is a little difficult, because eyes and ears are everywhere. The internet is no different, since snoopers are also able to listen (“sniff”) on your transmissions.
Asynchronous algorithms work differently. There are two components to the formula: public and private. In an asynchronous scenario, you have a box with a lock instead. You send that box to the person you want to send the letter to and with a key that locks it, but doesn’t unlock it. This is known as the public key. Anyone can lock the box. Unlocking it is another story.
You’d only be able to unlock your box with your private key, and each of you have your own that can unlock it. You don’t have to meet in secret or anything, and this eliminates the possibility of someone prying.
What if someone finds out your private key?
“If asynchronous encryption is being used to store passwords on most modern databases, why do people still get hacked?” That’s a bit of a mess, isn’t it? This is because hackers still use dastardly methods to get into major databases, either through internal sabotage, social engineering, or outwitting the security behind an employee’s account. Since most companies store private keys on their own servers, they still run the risk of compromising all of their users’ accounts. Some algorithms are also very easy to figure out and unlock regardless of whether the hacker has a private key or not (lock picking, anyone?). This is where public key encryption has its flaw.
There are a few companies out there that try to do something about this issue, including storing private keys across many different servers. But nothing works better than giving someone the ability to create their own private key (given that the private key is strong enough not to be guessed on its own). At this moment, PerfectCloud is the only company employing that solution. It has to since it’s providing a service that deals with very sensitive data from its customers. Unfortunately, I can’t say the same of other alternative services.
How would you approach the private key issue?
What advice would you have for people concerned about their privacy? Let’s hear from you in the comments section below!