Topic 10

Public-Key Crypto and Key Exchange

Public-Key

Public-key cryptography solves the problem symmetric keys cannot: how two parties who have never met agree on a secret over a channel an eavesdropper is watching. Each party has a key pair — a public key to share and a private key to guard — and the math lets anyone encrypt to your public key or verify your signature, while only you can decrypt or sign.

This topic makes RSA and elliptic-curve crypto concrete and explains the key exchange — Diffie-Hellman — that every HTTPS session with app.meridian.example depends on. The whole scheme rests on one thing: the private key never leaking, and the public key genuinely being yours.

The Key-Pair Idea, Operationally

The public key encrypts and verifies; the private key decrypts and signs. The public key is meant to be handed out freely — publishing it is the point — while the private key never leaves its holder. Confusing which key does what, or treating the public key as a secret, is a common beginner error; the security comes entirely from guarding the private key and from being sure a public key really belongs to who you think (which PKI, next topic, guarantees).

RSA vs Elliptic Curve

RSA is the well-known incumbent, but it needs large keys — 2048 to 4096 bits — to stay secure. Elliptic-curve cryptography (Ed25519 for signing, X25519 for key exchange) gives equivalent security with much smaller, faster keys, and it is now the default for new systems. Both are threatened in the long term by quantum computers, which is why post-quantum algorithms are beginning to arrive, but for today ECC is the pragmatic choice.

Generate an elliptic-curve key pair for a Meridian service
# generate an Ed25519 private key (signing) — keep this secret, ideally in a KMS/HSM
openssl genpkey -algorithm ed25519 -out meridian-svc.key

# derive the public key to share freely
openssl pkey -in meridian-svc.key -pubout -out meridian-svc.pub

# the .key never leaves the host; the .pub is distributed to anyone who verifies signatures

The private key stays on the host — better still, inside a hardware security module or KMS that never releases it — while the public key is distributed to anyone who needs to verify the service's signatures. If that private key leaks, every guarantee built on it collapses, which is why key protection is the real security boundary, not the algorithm.

Diffie-Hellman Key Exchange

Diffie-Hellman lets two parties derive a shared secret over a public channel without ever sending it. An eavesdropper sees the exchange but cannot compute the secret from what crosses the wire — and that shared secret becomes the symmetric session key for the conversation. Every TLS session starts with a key exchange like this, which is why the padlock can appear the instant you connect to a site you have never visited.

Forward Secrecy and the Hybrid Model

Using an ephemeral Diffie-Hellman key — a fresh one per session, written ECDHE — gives forward secrecy: even if the server's long-term private key is stolen later, past recorded sessions stay unreadable, because each used a throwaway key. And because public-key operations are slow, real systems use them only to exchange a symmetric key, then encrypt the bulk data with AES — the hybrid model behind TLS and every encrypted messenger.

RSA vs ECC

RSA — widely supported and simple to reason about, but large keys and slower operations; still common for certificates and legacy interoperability.

ECC (Ed25519, ECDSA, ECDH/X25519) — smaller keys, faster, same security level; the default for new keys and modern TLS. Both are long-term threatened by quantum computers, which is why post-quantum algorithms are arriving.

Common Mistakes
  • Confusing which key does what — encrypting with the private key, or treating the public key as a secret; the public key is meant to be shared, the private key never leaves its holder.
  • Using RSA to encrypt bulk data directly instead of wrapping a symmetric key — it is slow and size-limited; asymmetric crypto exchanges keys, symmetric crypto moves the data.
  • Skipping forward secrecy, so one theft of the server's key retroactively decrypts every recorded past session.
  • Generating keys with weak randomness, producing predictable private keys — bad RNGs have broken real deployments.
  • Leaving a private key in a file or repo instead of an HSM or KMS, so the whole scheme collapses when it leaks.
Best Practices
  • Prefer modern elliptic-curve keys — Ed25519 for signing, X25519 or ECDHE for exchange — for new systems, and use RSA only where interoperability demands it.
  • Use ephemeral key exchange (ECDHE) everywhere to get forward secrecy.
  • Protect private keys like crown jewels — in an HSM or KMS where possible — because the whole scheme collapses if one leaks.
  • Follow the hybrid model: asymmetric crypto to establish a session key, symmetric AES-GCM to encrypt the traffic.
  • Generate keys from a proper cryptographic random source, never a general-purpose RNG.
Comparable toolsSigning Ed25519 · ECDSA · RSAExchange X25519 · ECDHE · finite-field DHEmerging ML-KEM / Kyber (post-quantum)

Knowledge Check

Which key in a key pair is safe to publish, and which must never leave its holder?

  • Share the public key; the private key must stay secret
  • The private key is shared; the public key is kept secret
  • Both keys must be kept secret at all times
  • Both keys can be published without any risk

What does forward secrecy protect against?

  • Decryption of past sessions if the key is later stolen
  • An eavesdropper reading traffic in real time during the session
  • Brute-forcing of the symmetric cipher itself
  • Tampering with ciphertext in transit

Why do real systems use public-key crypto only to exchange a key, then switch to AES?

  • Public-key is slow, so AES moves the data
  • AES is fundamentally more secure than any public-key algorithm
  • Public-key crypto cannot encrypt data at all
  • AES does not require any key to operate

You got correct