What is a public key (used in asymmetric cryptography)?

Public-key cryptography is a method used to securely send and exchange messages (authentication of the sender, guarantee of integrity and confidentiality). This technique is based on the principle of an “asymmetric key pair” consisting of encryption keys (encryption is the general term used for mathematical data encoding and decoding techniques). Each individual involved in a transaction has a “private key” and a “public key.” You mustn’t divulge your private key to anyone, but you can give your public key to all of your contacts, with no restrictions. The general principles of public key cryptography are described below:

  • A message encoded with a private key can only be decoded using the associated public key.
  • Similarly, a message encoded with a public key can only be decoded using the associated private key.
  • A given public key can only be associated with a single private key (several different private keys cannot have the same public key as their complement).
  • Likewise, a given private key can only be associated with a single public key (several different public keys cannot have the same private key as their complement).

What is a secret key (used in symmetric cryptography)?

Symmetric-key cryptography was widely used to encrypt confidential messages. Its use gradually declined following the arrival of public-key cryptography, even if the two techniques are very often used conjointly. In symmetric, or secret, key encryption, the same key is used to encrypt and decrypt a message. It is the exact same principle as the key to a door, which requires the same key to lock and unlock it.

The challenge is transmitting your secret key to the person with whom you want to communicate confidentially. This method has several drawbacks: whenever you need to exchange messages with several people, you must have as many secret keys as the number of persons with whom you wish to communicate, and store all of these secret keys in a highly secure manner. As a result, managing all of these secret keys rapidly becomes very complex, turning into a source of security risk.

What is the relationship between public keys and certificates?

The main issue with public-key cryptography (for message signing and encryption) is the probity, or integrity, of the public key received by a contact or retrieved from a shared directory. To send a confidential message to someone, you must use their public key, which requires you to be absolutely sure that the key is indeed theirs. Similarly, to verify that the message received was indeed sent and signed by you, your contacts need your public key.

The electronic certificate is an electronic document that associates the name of a person (private individual, legal entity, website, router…) with a public key. Like a traditional ID, which establishes the link between a face, a name and a handwritten signature, the certificate is used to establish the link between a public key and its owner (private individual or legal entity). To use a person’s public key with a total peace of mind, the key must be certified by a Certificate Authority. Before delivering a certificate, the CA therefore uses various authentication procedures to ensure that the certificate requester is the person they claim to be, and is truly the owner of the public key to be certified. Thus, if end users trust the CA that issued the certificate and have a copy of its public key (to read the signature, the “official stamp” of the certificate received), they are assured of the legitimacy of the certificate and therefore of its public key.