Skip to content

Asymmetric Encryption

Two keys: public and private
Public key encrypts , private key decrypts. Solves the key distribution problem because the public key can be shared freely while the private key stays secret

How It Works

Alice wants to send Bob a message:
1. Alice gets Bob's public key
2. Alice encrypts message with Bob's public key
3. Bob receives ciphertext
4. Bob decrypts with his private key

Eve cannot decrypt even though she has the ciphertext and Bob's public key

RSA (Rivest-Shamir-Adleman)

Most widely deployed public-key cryptosystem

  • Security based on difficulty of factoring large composite numbers
  • Key sizes: 2048-bit minimum (3072+ recommended)
  • Slow for bulk encryption (typically used for key exchange only)
  • Vulnerable to quantum attacks (Shor's algorithm)

RSA Operations

# Generate RSA key pair
openssl genrsa -out private.pem 4096
openssl rsa -pubout -in private.pem -out public.pem

# Encrypt with public key
openssl rsautl -encrypt -pubin -inkey public.pem -in plain.txt -out encrypted.bin

# Decrypt with private key
openssl rsautl -decrypt -inkey private.pem -in encrypted.bin -out decrypted.txt

Elliptic Curve Cryptography (ECC)

Modern replacement for RSA. Same security with much smaller keys

  • 256-bit ECC ~= 3072-bit RSA
  • Security based on Elliptic Curve Discrete Logarithm Problem (ECDLP)
  • Used in TLS, SSH, Bitcoin, Ethereum, Signal
  • Key curves: P-256, P-384, P-521, Curve25519 (X25519)

Diffie-Hellman Key Exchange

Allows two parties to establish a shared secret over an insecure channel

  • Used in TLS, SSH, IPsec
  • Forward secrecy when used with ephemeral keys (DHE, ECDHE)
  • Vulnerable to man-in-the-middle if no authentication
# Simplified DH: Alice and Bob agree on prime p and generator g
# Alice chooses a, sends g^a mod p
# Bob chooses b, sends g^b mod p
# Both compute (g^a)^b = (g^b)^a = g^(ab) mod p

Digital Signatures

Prove authenticity and integrity of a message

  1. Signer hashes message and encrypts hash with private key
  2. Verifier decrypts hash with public key and compares to computed hash
  3. Match proves message signed by private key owner and not tampered
# Sign a file
openssl dgst -sha256 -sign private.pem -out file.sig file.txt

# Verify signature
openssl dgst -sha256 -verify public.pem -signature file.sig file.txt

PKI and Certificates

Public Key Infrastructure binds public keys to identities via Certificate Authorities (CAs)

  • Root CA - Self-signed , trusted by operating systems
  • Intermediate CA - Issued by root , issues leaf certificates
  • Leaf Certificate - Actual server/client certificate
  • Certificate Chain - Path from leaf to trusted root

Forward Secrecy

Ephemeral Diffie-Hellman ensures that if long-term private keys are compromised , past session keys remain secure. Always prefer ECDHE cipher suites in TLS configuration