Public Key Cryptography for Beginners
How asymmetric encryption works, the relationship between public and private keys, and where you encounter it every day.
Last updated Apr 7, 2026Current
Continue your mission
How asymmetric encryption works, the relationship between public and private keys, and where you encounter it every day.
Symmetric encryption uses the same key to encrypt and decrypt. It is fast and efficient, but it has a fundamental problem: how do you securely share the key with someone you have never met? If you send the key over the internet, anyone intercepting it can decrypt your messages. This is called the key distribution problem.
Public key cryptography (also called asymmetric cryptography) solves this. Each party generates a pair of mathematically linked keys: a public key they share with the world and a private key they keep secret.
If Alice wants to send Bob a secret message, she encrypts it with Bob's public key. Only Bob's private key can decrypt it. Even Alice cannot decrypt it after encryption. This means anyone can send Bob encrypted messages, but only Bob can read them.
The reverse also works: if Bob encrypts something with his private key, anyone with his public key can decrypt it. This does not provide confidentiality (anyone can read it), but it proves the message came from Bob. This is the basis of digital signatures.
The most widely used public key algorithm is RSA, based on the difficulty of factoring large numbers. Two large prime numbers are multiplied together easily, but reversing the multiplication (factoring the product back into its primes) is computationally infeasible for sufficiently large numbers. RSA key sizes of 2048 bits or larger are currently considered secure.
Elliptic Curve Cryptography (ECC) achieves equivalent security with much smaller keys. A 256-bit ECC key provides security comparable to a 3072-bit RSA key. ECC is faster and uses less bandwidth, making it preferred for mobile and IoT applications.
HTTPS/TLS: When you connect to a website over HTTPS, your browser uses the server's public key (from its TLS certificate) to establish a shared session key. The session key then encrypts the actual data transfer using symmetric encryption. This hybrid approach combines the key distribution benefits of asymmetric crypto with the speed of symmetric crypto.
SSH: When you connect to a server via SSH, you can authenticate using a key pair. Your public key is placed on the server, and your private key stays on your machine. The server challenges your client to prove possession of the private key without ever transmitting it.
Email encryption (PGP/S-MIME): Users publish their public keys so others can send them encrypted emails. Only the recipient's private key can decrypt the message.
Code signing: Software developers sign their code with a private key. Your operating system verifies the signature using the developer's public key before installing the software.
The cryptography itself is well understood and mathematically sound. The challenges are practical. Private keys must be stored securely, ideally in hardware security modules (HSMs) or secure enclaves, not in plaintext files on disk. Key rotation schedules must be defined and followed. Revocation mechanisms (like certificate revocation lists or OCSP) must work when a key is compromised.
Quantum computers running Shor's algorithm could theoretically break both RSA and ECC. While large-scale quantum computers do not exist yet, NIST has already standardized post-quantum cryptographic algorithms (ML-KEM, ML-DSA, SLH-DSA) as replacements. Organizations should begin inventorying their cryptographic dependencies now and planning migration timelines.
CDA Theater missions that address topics covered in this article.
Cryptographic technique that encrypts data while preserving its original format and length, enabling protection without breaking legacy system compatibility.
Guide to HTTP/2 security covering binary framing, HPACK compression attacks, rapid reset vulnerability, stream multiplexing risks, and mitigation strategies.
Explanation of Certificate Transparency framework, covering log servers, Signed Certificate Timestamps, monitoring capabilities, and detection of fraudulent certificates.
Written by CDA Wiki Team
Found an issue? Help improve this article.