Why to know asymmetric encryption
As a security manager you should understand some of the most important security concepts, even if you are not a technical person.
Asymmetric cryptography definitely is such an important concept. And it's not that you must understand the advanced math around it (ony a few people do). It's because the understanding makes you better equipped when taking security decisions.
It's no secret that there many sysadmins who use SSH daily and still don't understand the concept of asymmetric crypto. That may be the reason why they don't apreciate when you tell them that using key-based authentication (based on public/private keys) is way better/safer.
The same things like TLS (SSL) encryption or passkeys or digital signatures.
A good security manager is at home in this and it's not that difficult either.
Let's make it as simple as it can get.
First, we need to understand the centuries old problem with symmetric crypto: to encrypt and decrypt you use the same key. This is the biggest drawback - how to securely deliver the password, the secret code? If I have to deliver the code first, in person, then I can as easily tell you the secret message itself right away, correct?
Asymmetric crypto has solved this problem - no common secret is shared. You don't have to send any code, any password, the communication will still be protected (encrypted).
We all know that in asymmetric cryptography there are always two keys created for a single user (use): private and public. They are like a good couple, one belongs to another.
Encryption part
Imagine your public key is actually your physical mailbox that is located in a public place. It has your name on it so anyone who wants to send you something can throw in a letter, a small package. The mailbox is locked and you are the only one who was ever given the key.
This is what happens when someone sends you information, e-mail, encrypted by your public key, you open/decrypt it using your half of the keypair, the private key. And this makes the part of encryption/decryption easy to understand.
What about proving your identity? Because that's the second feature of asymmetric encryption.
Remember: even if it sounds counter-intuitive it's the public key that can contain your "identity", either directly (in PGP/GnuPG, self-asserted) or via a digital certificate (in PKI, X.509, confirmed by a trusted party, a Certification Authority), the private key only proofs it.
Identity part
There are two ways how to prove you hold a private key (important - private means only you have it):
- one could be called challenge-response (it's been used in computing for decades) and the other
- digital signature.
Challenge-response is like this: I have put something in your mailbox (encryption), tell me what it is (e.g. "AX18$2aa"). If you can tell me it's "AX18$2aa" it must mean that you have the right private key to open the mailbox (decryption), which is a prove it's you.
Where is the challenge-response method used
| Technology | Purpose |
|---|---|
| SSH | public‑key login, MFA |
| TLS/SSL | server auth, client cert auth |
| WebAuthn / FIDO2 | passwordless login, passkey |
| smartcards / HSMs / TPMs | hardware identity proof |
| Kerberos | password‑based proof |
| VPNs | client authentication |
| cryptocurrency wallets | prove ownership of private key |
Digital signature serves a different purpose: it's to prove that it was you who created a document or sent a message. Technically, it is the hash of the message/document itself signed with a private key. Beside the identity of the sender it also ensures the integrity and authenticity of the message (if changed, the hash would not match and digital signature would not be confirmed).
Remember: signing something digitally does not mean that the private key is somehow, in some form, attached! It must not be! What usually is attached though, is your public key (separately, not as part of the signature) - so that the recipient can immediately check what's written in the public key (which contains your identity details).
Where is the digital signature method used
| Purpose | What gets signed | Who chooses it |
|---|---|---|
| identity proof | a random challenge | the verifier |
| document signing | the document’s hash | the signer |
Remember: when a trusted authority (government, police, domain name provider) digitally signs your public key together with your identity information, the result is a digital certificate. This is exactly the kind of certificate that websites present to your browser when you connect to them at the https://
Also, using the same physical mailbox example: in PGP you put your name on it yourself, in PKI someone else, with high authority, did.
If you prefer a more technical explanation, see Asymmetric encryption explained.