Expressvpn Glossary
Public key encryption
What is public key encryption?
Public key encryption (asymmetric encryption) is a cryptographic method that uses a pair of mathematically related keys: a public key that can be shared widely and a private key that is kept secret.
Its core purpose is to enable confidential communication without requiring the sender and recipient to share a secret key in advance: data encrypted with the recipient’s public key can be decrypted only with the recipient’s corresponding private key.
How public key encryption works
Public key encryption works through a series of processes that manage, protect, and verify data:
- Key generation: A cryptographic algorithm generates a key pair using predefined parameters (e.g., key size and algorithm type). The private key is only available to its owner, while the public key is intended to be shared. The keys are typically generated before secure data transfers begin (during system or account setup).
- Encryption: A sender obtains the recipient’s public key and uses it to convert plaintext into ciphertext. The result is unintelligible without the corresponding private key.
- Transmission or storage: The ciphertext can be sent across untrusted networks or stored in untrusted locations. Confidentiality is preserved as long as the private key remains uncompromised.
- Decryption: The recipient applies the private key to decrypt the ciphertext back into plaintext.
Common public key encryption algorithms
Some of the most widely used public key algorithms include:
- Rivest‑Shamir‑Adleman (RSA): Based on the difficulty of factoring large integers. Commonly used for key establishment and digital signatures (and historically for encryption/key transport).
- Elliptic Curve Cryptography (ECC): A family of public key methods based on elliptic-curve discrete logarithm problems. Provides comparable security with shorter keys and is widely used in Secure Sockets Layer (SSL) / Transport Layer Security (TLS), as well as in some cryptocurrency systems.
- Diffie-Hellman (DH): A key exchange method that allows two parties to establish a shared secret over a public channel. Often used to derive session keys.
- ElGamal encryption: A public key encryption scheme based on discrete logarithms and related to DH. Randomized (probabilistic) encryption means the same plaintext encrypts to different ciphertexts each time.
Public key encryption benefits and limitations
The main benefit of public key encryption is secure communication without requiring a shared secret key in advance. Key tradeoffs include higher computational cost and added operational complexity.
| Benefits | Limitations | ||
| Allows secure communication over untrusted networks | Slower than symmetric encryption, making it inefficient for bulk data encryption | ||
| Enables encrypted web browsing through HTTPS/TLS | Requires strong key management to protect private keys and manage public key distribution | ||
| Reduces reliance on pre-shared secret keys for initiating secure communications | Compromised private keys can enable impersonation and may expose encrypted data in some systems (modern TLS commonly uses forward secrecy to limit exposure of past sessions) | ||
| Scales better than pairwise pre-shared keys for large systems (often used with hybrid designs) | Often relies on Certificate Authorities to validate identities and protect key distribution |
Common use cases
- Email encryption: Protects email content and supports sender authentication through digital signatures. Commonly implemented using Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME).
- Secure messaging apps: Support secure session setup for end-to-end encrypted messaging.
- Digital signatures and blockchain transactions: Verify the signer (authenticity) and preserve data integrity for signed records and transactions.
- Virtual private network (VPN) authentication and key exchange: Authenticates endpoints and establishes session keys for encrypted tunnels.
Public vs. symmetric key encryption
Symmetric encryption uses the same shared secret key for both encryption and decryption. Each method suits specific purposes. Asymmetric (public key) cryptography is commonly used for secure key establishment and authentication, while symmetric encryption is faster for bulk data. Modern systems typically combine both methods for efficiency.
Further reading
- What is data encryption?
- End-to-end encryption: What it is and why it matters
- Encryption protocols explained: What they are and how they work
- The history of encryption: From ancient codes to digital security
FAQ
What is the purpose of public key encryption?
The primary purpose of public key encryption is to protect sensitive information by allowing data to be securely encrypted and decrypted without sharing a secret key. It can also enable authentication and integrity through digital signatures, which can help verify the sender and detect tampering.
Is public key encryption the same as asymmetric encryption?
Yes, public key encryption and asymmetric encryption refer to the same cryptographic technique that uses two different (asymmetric) keys: a public key and a private key.
How are public and private keys generated?
Public and private keys are generated together as a mathematically related key pair by cryptographic algorithms using predefined parameters (such as key size or a chosen curve). One key is kept secret (the private key), while the other is shared (the public key).
Can someone decrypt data using the public key?
No, only the secret key corresponding to the public key can decrypt data scrambled by the public key. Because the secret key remains private, the encrypted data stays locked even if a public key is compromised.
Where is public key encryption used in everyday life?
Public key encryption is used to establish secure connections and verify identities in everyday digital services. It underpins HTTPS for web browsing, helps set up encrypted sessions in messaging apps and VPNs, and supports email encryption standards.
