public-key (private-key, asymmetric cryptography)

1. Public-key cryptography uses two mathematically related keys, where a message encrypted by one key can only be decrypted by the other key. This is in stark contrast to traditional cryptography (now known as symmetric cryptography), where the same key is used for both encryption and decryption. This matters because one of the two keys can be made public, hence the name "public-key cryptography".

When this technique was discovered, it solved the biggest problem in cryptography at that time. In traditional symmetric cryptography, both the sender and receiver of a message had to agree upon the same key. Imagine your country has spies out in the field. If a spy gets captured, then the adversary could steal that key and decrypt messages. With asymmetric keys, however, the enemy can only steal the key the spy is using to encrypt messages, but cannot use that key to decrypt anything. The enemy may be able to forge messages, but the system wouldn't otherwise be compromised.

Furthermore, the key could be extremely public: you could simply broadcast your public-key on the open airwaves for your spies to use. This is indeed what happens with SSL, the protocol you use to connect to e-commerce sites and pay for stuff with credit-cards. The public-key of the server is given out to everybody who connects to the site. Each user encrypts his data using the public-key, which means nobody else can decrypt it without the secret private-key known only to the owners of the website.

Example: Some uses of public-key encryption are:

- e-mail encryption: Allows anybody to send an encrypted message to you that only you can read. The two most popular ways of doing this are PGP and S/MIME.
- digital signatures: You can encrypt something with your private-key that can be decrypted by everyone (using your public-key). Therefore, if you encrypt a message, it proves it came from you, because only you know the private-key.
Thus, you can digitally "sign" documents. President Clinton signed the "Electronic Signatures in Global and National Commerce Act" into law using a digital signature in this manner (using a smart-card with the password "Buddy").

Point: The public and private keys are mathematically related. In order to create them, you start with some randomly generated prime numbers. You then run these through some mathematical operations in order to generate the two keys. You publish one of the keys (making it "public") and you keep the other one private. Since the keys are rather large (hundreds of bytes), you generally store them in an encrypted file. Whenever you need to decrypt a message, you type in a password to decrypt the private-key, then use the private-key to decrypt the message.

Key point: Protecting the "private key" from theft/disclosure is the most important thing any company can do. There exist private keys whose value lies in the range of hundreds of millions if not billions of dollars (such as the key Verisign uses to sign certificates). The private key is usually protected with strong encryption based upon a strong password. In paranoid cases, parts of the password are given to different people, so that more than one person must be present in order to recover the private key for use (note: redundancy is also used: if the key is XYZ, then Alice knows XY, Bob knows YZ, and Charlene knows XZ, meaning that any two can unlock the private key).

The paranoid things you see in movies about high-security installations apply:

- background checks on employees with access to the private key
- physical security consisting of photo IDs, searches, and strict entry/exit controls
- the two-person rule
- biometrics (retina/palm/finger/handwriting) in addition to normal authentication
- physical keys

Private-keys are frequently stored on separate objects. The most common is the floppy disk, which can be inserted into a server when booted, but removed to a safety deposit box.
Other examples include crypto-cards. (Note: when you get a certificate from a CA, they usually require that the private-key never be stored on a computer.)

Servers that must use private keys must employ heavy countermeasures:

- intrusion detection systems
- firewalls (both packet filtering as well as more complex ones)
- frequent vulnerability assessments and auditing
- a limited number of people who have access to the server
- full use of the security features of the server (e.g. turn on logging, enforce strong passwords)

Example: Some public-key algorithms are:

- Diffie-Hellman: The original one, though only designed for key-exchange.
- RSA: The most popular algorithm.
- ElGamal: Extends Diffie-Hellman algorithms to support the same features as RSA, such as encryption and digital-signatures.
- DSA: Government standard for digital-signatures based upon ElGamal.
- Elliptic Curves: Based upon a different mathematical problem from number theory and algebraic geometry. It results in smaller keys and faster operation, but is not as well analyzed as other systems.
- Other: There are other systems based upon different hard-to-solve mathematical problems.

Antonym: Sometimes the word "secret-key" is used as an antonym to "public-key" in order to highlight the fact that it is a shared-secret. Also, "symmetric" encryption is the antonym to "asymmetric".

From Hacking-Lexicon
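The key-generation steps under "Point" and the sign-by-encrypting idea under "digital signatures", worked through with textbook RSA as an added example (not part of the original entry). The primes 61 and 53, the exponent 17 and all function names are constructed for illustration; real keys use far larger primes and padding.

```python
# Added illustration: textbook RSA with tiny primes. Not secure (no padding,
# trivially factorable modulus); it only shows how the two keys relate.
import hashlib
import math

def make_keypair(p, q, e=17):
    """Derive (public, private) keys from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse: e*d == 1 (mod phi)
    return (e, n), (d, n)

def apply_key(key, value):
    """The single RSA operation: value^exponent mod n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def digest(message, n):
    """Hash a message down to a number below n (helper for this toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    """'Encrypt' the message digest with the private key."""
    return apply_key(private, digest(message, private[1]))

def verify(public, message, signature):
    """Anyone holding the public key can undo the signature and compare."""
    return apply_key(public, signature) == digest(message, public[1])

# Constructed sample values.
PUBLIC, PRIVATE = make_keypair(61, 53)

if __name__ == "__main__":
    c = apply_key(PUBLIC, 65)
    print("ciphertext:", c)
    print("decrypted with private key:", apply_key(PRIVATE, c))
    print("'decrypted' with public key:", apply_key(PUBLIC, c))
    sig = sign(PRIVATE, b"pay 10 dollars")
    print("signature valid:", verify(PUBLIC, b"pay 10 dollars", sig))
    print("altered signature valid:",
          verify(PUBLIC, b"pay 10 dollars", (sig + 1) % PUBLIC[1]))
```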
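The XY / YZ / XZ redundancy scheme from the "Key point" paragraph, as an added example (not part of the original entry). The sample passphrase and the function names are constructed; the last function measures how much of the passphrase a single holder still lacks.

```python
# Added illustration of the XY / YZ / XZ password-splitting scheme.
from itertools import combinations

# Which two of the three parts each person holds, as in the entry.
HOLDERS = {"Alice": ("X", "Y"), "Bob": ("Y", "Z"), "Charlene": ("X", "Z")}

def split_passphrase(passphrase):
    """Cut the passphrase into parts X, Y, Z and hand each holder two."""
    third = -(-len(passphrase) // 3)          # ceiling division
    parts = {"X": passphrase[:third],
             "Y": passphrase[third:2 * third],
             "Z": passphrase[2 * third:]}
    return {name: {label: parts[label] for label in labels}
            for name, labels in HOLDERS.items()}

def recover(*shares):
    """Rebuild the passphrase from the presented shares, or return None."""
    known = {}
    for share in shares:
        for label, part in share.items():
            # Overlapping parts must agree, otherwise a share was altered.
            if known.setdefault(label, part) != part:
                raise ValueError(f"shares disagree on part {label}")
    if set(known) != {"X", "Y", "Z"}:
        return None
    return known["X"] + known["Y"] + known["Z"]

def unknown_chars(share, total_length):
    """How many characters a lone holder would still have to guess."""
    return total_length - sum(len(part) for part in share.values())

# Constructed sample passphrase, 12 characters.
SAMPLE = "correct-hors"
SHARES = split_passphrase(SAMPLE)

if __name__ == "__main__":
    for a, b in combinations(SHARES, 2):
        print(a, "+", b, "->", recover(SHARES[a], SHARES[b]))
    for name, share in SHARES.items():
        print(name, "alone:", recover(share), "| still unknown:",
              unknown_chars(share, len(SAMPLE)), "chars")
```

Each holder alone already knows two thirds of the passphrase, so the remaining third is all that stands between one person and the private key. Threshold schemes such as Shamir's secret sharing avoid this by giving a single share no information about the secret.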