What is Public Key Cryptography (How VPNs Work, Part 2)

This article in the “How VPNs Work” series describes how public key cryptography (asymmetric encryption) works. If you’re already lost, don’t panic! This series of articles is written to explain the concepts and methods behind VPNs without requiring a deep dive into the mathematics that powers them.

If you’re completely new to the concept of VPNs, check out this introduction. If you already know a little about the how VPNs work and want to know a little more, this series is for you. Each article addresses one aspect of the means by which a VPN helps to secure data by telling a story which serves as a metaphor of the logical mechanisms involved. These stories involve two people, Adam and Burt, trying to keep a secret and a third person, Cesar, trying to nefariously discover their secret. Since VPNs have no perfect physical world equivalent, there may be some elements that stretch the bounds of credibility (for example, Cesar has access to a duplicator ray). Remember, it’s just a story…

Each article also has expandable sections (indicated with the gear icon) which contain a slightly more in-depth explanation that is somewhat more technical but still avoids getting too lost in the mathematics. These sections tie the events of the story a little more to the components or steps of encryption or authentication but are not required to get a basic understanding of the topic.

Adam and Burt have already discovered the weakness in using a lockbox with a shared symmetric key to keep things secure. So, Burt proposes they try a new method in which each of them has their own unique set of keys (asymmetric encryption).

Public Key Cryptography

Public Key Cryptography is an asymmetric encryption methodology that seeks to maintain confidentiality without having to ever share a secret key over an insecure channel (such as unencrypted email). In this explanation, Adam and Burt each have a unique lock, but for the remainder of this example, we’ll cover Burt’s lock and keys (Adam’s lock and keys will work in the same fashion). Each lock has two special properties: first, the lock has two distinct and related keys that can work with it, and second, each key that works with the lock can only turn in the lock in one direction–for the sake of this example, they only turn clockwise.

Paired Keys

The two keys in this asymmetric system only work as a pair. If Burt were to re-key this lock, he’d need to create two new keys. To make it simpler to distinguish the two keys, Burt color-codes them. One he makes green and the other red. Burt keeps the red key secured (his private key), but he can make the green key widely available to anyone who wants it (his public key). This may sound counterintuitive. But an important feature of these keys is that while they are related, it is virtually impossible to figure out one key based on knowledge of the the other. As such, one key can be made publicly available without revealing anything about its counterpart.

The Clockwise Lock (How the Keys Work)

Besides only working as part of a pair, these keys also only work in the lock in one direction. For example, Burt uses the green (public) key to secure the lock, which requires a half-turn in the lock. Since the lock only works in one direction, the green key can’t unlock the lock by reversing direction like an ordinary lock. At this point, because of the special nature of this locking mechanism, the only way to unlock it is to use the paired red (private) key.

In this fashion, when the lock is secured with the green (public) key, only the person who possesses the red (private) key can open it. This is how Burt can make the green key widely available to the public. He can send a copy of the green key to Adam (he could even make a copy available for public pickup or duplication). Anyone who has a copy of this green key can lock this lock, and at that point, only Burt–assuming he keeps his red (private) key secure–can open the lock. Now, when Adam wants to securely send something to Burt, he can use Burt’s green (public) key. Similarly, Adam would have his own key pair, and he could also make his green key available for Burt (or anyone else) to use.

Now, if our ne’er-do-well Cesar were to try to crack this method of security, he’d need to crack two different locks in order to get the whole conversation. Even if he were able to get past just one, he’d only be able to see one half of the conversation.

A Twice-Locked Box

Here’s where Burt gets a clever idea. He places some artwork for the comic book he and Adam are working on in a box, places his lock on the box, and secures it with his green (public) key. Now, he’s the only person (since he has the only copy of the red key) that can unlock this box. He sends this box to Adam.

Adam, not having a copy of Burt’s red (private) key, can’t unlock the lock. But he can place his own lock on the box. He secures this lock with his own green (public) key. Adam sends this twice-locked box back to Burt.

Burt gets the box, and the only way he can open it is if he has both his own red key and Adam’s red key. But Adam is keeping his red key just as secret as Burt keeps his own red key, so Burt won’t be able to open the box. Burt, though, doesn’t want to open the box–remember, he started this process, so he wants Adam to get the art contained within the box. He can, though, unlock his own lock with his own red (private) key. When he does this, the only security on the box is the lock that Adam secured.

Burt sends the box back to Adam, and now Adam, using his red key, unlocks the remaining lock. Burt has successfully and securely sent this package. This method adds a couple of layers of security, in that there are two layers of locking/encryption and in the fact that no shared key needs to ever be exchanged via a potentially insecure medium. However, it isn’t a very efficient system if they need to send more secure messages back and forth in a more timely manner.

 

A Complicated, Robust Lock

So while Adam and Burt now have worked out a public-key cryptography method, it’s not without its drawbacks. This twice-locked box method of keeping communication secure takes three times as long per message. In addition, public-key cryptography methods tend to be more work-intensive when it comes to carrying out the encryption or decryption. In the example above, imagine that instead of each key turning in the lock one half turn, it requires 10 full rotations. That would mean 40 rotations (Burt locks (10) + Adam locks (10) + Burt unlocks (10) + Adam unlocks (10)) per message!

There is, however, one advantage to this inefficiency. If Cesar were to use a device that could simulate any key, and assuming that to open one of these locks requires the full 10 rotations just to see if that key works, then the time it would take him to try every key combination (a brute force attack) goes up by a factor of 10 as well.

 

More in the “How VPNs Work” Series

Part 1: Symmetrical Encryption Algorithms
Part 3: Shared Key Exchange
Learn more about services from Atlantic.Net, including VPS hosting.