Security for Beginners
by Sergey Okinchuk
Encryption with One Shared KeyProtecting Data in Transit and at Rest
Topic 17

The Public-Key Idea

Concept

The last topic left us with a snag. Encryption with one shared key works beautifully, but both people first have to hold the same secret key — and getting that key to the other person, across the internet, is the very problem we were trying to solve. You need a safe channel to share the key, but the key is what you needed to make the channel safe. It is a chicken-and-egg loop.

Public-key encryption breaks the loop with a clever twist. Instead of one shared key, each person has two matched keys that work as a pair — one they hand out to the whole world, and one they keep entirely to themselves. This is also called asymmetric encryption, because the two keys play different roles. From here on we'll use both terms.

Picture an open padlock. Olivia mails copies of her open padlock to anyone who asks. To send her something secret, you put it in a box, snap her padlock shut, and send the box back. Only Olivia has the little key that opens that padlock — and notice she never had to mail that key anywhere. That mailed-out padlock is the public key; the key that stays in her pocket is the private key.

Sending Olivia a secret with public-key encryption
Olivia's public keyhanded out freely
Sender locks the messagescrambled, can't be read
Olivia's private keyunlocks it — hers alone

Two Matched Keys

The heart of the idea is that the two keys are a matched pair, and they are not interchangeable. What one key locks, only the other key can unlock. They are generated together, by math, so that each one undoes only the other — and no one can work out the private key just by looking at the public one.

Olivia's public key is the one she gives away. She can post it on her website, email it to strangers, print it on a poster — it does not matter who has it. Her private key is the one she guards and never shares with anyone. The whole scheme rests on that one key staying secret.

Anyone Can Lock, Only You Can Open

Here is the part that feels backwards at first. To send Olivia a secret message, you scramble it using her public key — the one everybody has. Once it is locked that way, her public key cannot unlock it again. Only her private key can.

That is why publishing the public key is perfectly safe. It can only lock things to Olivia; it can never open them. An attacker who grabs a thousand copies of her public key still cannot read a single message, because reading requires the private key she never let out of her hands.

Compare this to the shared-key approach from the last topic, where the one key both locks and unlocks. There, the key had to be a secret between two people. Here, the locking key is public and only the unlocking key is secret — and that single difference is what makes the whole thing work.

Solving the Key Handoff

Now look back at the chicken-and-egg problem. With public-key encryption, no shared secret ever has to travel across the network. The thing that gets sent around — the public key — is allowed to be seen by anyone, so it does not matter if it is intercepted on the way.

This is what lets two complete strangers set up security with no prior arrangement. When Olivia's browser connects to a website it has never visited, the two have never met and share no secret. The website proves its identity with its public key, and the two sides use public-key math to agree on a fresh shared key that only they know — without ever sending that key across the network. Security gets established from a cold start — which is the foundation of the padlock you see when you visit a secure website (Chapter 5).

Why We Still Use the Shared Key Too

There is a catch worth being honest about: the math behind public-key encryption is slow. Scrambling a whole video call or a large download with it directly would be painfully sluggish.

So in practice the two methods team up. Public-key encryption is used for one quick job — to safely agree on a fresh shared key while the two sides are still strangers. Once both sides hold that shared key, they switch to the fast shared-key (symmetric) encryption from the last topic to do the heavy lifting of the conversation. Public-key solves the handoff; shared-key carries the load. This handshake is roughly how a secure web connection begins, which we'll walk through in Chapter 5.

How the two encryption methods team up
Public-key phase
Strangers agree on a fresh shared key with no prior secret — public-key solves the handoff
Shared-key phase
Fast symmetric encryption does the heavy lifting — it carries the conversation without the slow math
Common Confusions
  • "The public key can also decrypt the message." No — what the public key locks, only the matching private key can open. That one-way asymmetry is the entire point; if the public key could also unlock, sharing it would give the secret away.
  • "Publishing your public key is a security mistake." The public key is meant to be public. It can only lock messages to you, never unlock them, so handing it to the whole world costs you nothing.
  • "Public-key encryption replaced the shared-key kind." They work together. Public-key is used to safely agree on a key, then the faster shared-key method does the bulk of the work.
  • "If someone has my public key, they can work out my private key." The pair is built so the private key can't be derived from the public one. That is what makes giving out the public key safe.
Why It Matters
  • It explains how strangers on the internet establish security with no shared secret arranged in advance — the foundation that secure websites are built on.
  • The two-key pair shows up again, used in reverse, when we reach digital signatures later in this chapter — so the idea pays off more than once.
  • It clears up a stubborn myth: that giving out a "key" is always dangerous. Here, sharing one of the two keys is exactly how the system is meant to work.

Knowledge Check

In public-key encryption, you want to send Olivia a secret message. Which of her keys do you use to lock it?

  • Her public key — the one she shares with everyone
  • Her private key — the one she guards carefully and never gives out to anyone
  • A single key the two of you both share
  • Your own private key

What does it mean that the two keys are "asymmetric"?

  • What one key locks, only the other can unlock
  • Either key can both lock and unlock any message
  • One key is simply longer than the other
  • One of the keys is a fake meant to fool attackers

Why is it safe to publish your public key where anyone can see it?

  • Because the public key can only lock things, never open them
  • Because it changes automatically every few seconds
  • Because it is hidden inside the message and no one can read it
  • Because it stops working a minute after you share it

If public-key encryption solves the key-sharing problem, why do systems still use shared-key encryption as well?

  • Public-key math is slow, so it sets up a fast shared key to do the heavy work
  • Because public-key encryption is not actually secure on its own for transmitting real data
  • Because shared-key encryption is only kept around out of habit
  • They are never used together; a system picks just one

You got correct