Public and Private Keys - Signatures & Key Exchanges - Cryptography - Practical TLS

Practical Networking
Asymmetric Encryption requires two keys: a Public key and a Private key. These keys can be used to ...
Video Transcript:
In the last lesson we talked about symmetric encryption and asymmetric encryption. We mentioned that asymmetric encryption uses two different keys to do its encryption and decryption. Well, those two keys are referred to as a key pair, and you can use that key pair to do encryption, so let me show you how that works. We're going to use Pam and Jim; they're going to use asymmetric keys to securely exchange data with one another. Now, since these two are two different people, they each have their own set of public and private keys. Pam has one set of public and private keys: she has her public key closer to Jim, available to Jim if he needs it, and she has her private key hidden, private from anybody else. Jim also has his own set of public and private keys. And like we discussed in the last lesson, what is encrypted with this public key can only be decrypted with this private key, and vice versa. So let me show you how these keys are used to do encryption.

Let's say Jim has a message that he wants to send to Pam securely. Well, what he can do is use Pam's public key to encrypt that message. Now the only key in the world that can decrypt this back to the original message is the correlating private key, which only Pam has, because again, the private key is never shared. That message can be sent across the wire safely, knowing that only Pam has the required key to decrypt the content of that message and extract the original plaintext. And this is how asymmetric keys are used to provide confidentiality. Recall that confidentiality is the idea that the data is only accessible to the intended recipient, and we can use an asymmetric key pair to ensure data confidentiality.

But that's not all you can do with a set of asymmetric keys. There's actually something else you can do which is pretty cool. Let's say Pam now has a message for Jim. Let's say for this particular message Pam doesn't care about the confidentiality, meaning she doesn't care who can read this message, but she definitely wants to prove that it was definitely her that sent this message. What she can do is use her own private key to encrypt that message. Now the only key in the world that can decrypt that would be her public key, which Jim has, and anybody else has, because it's a public key. So this can get sent across the wire, and then Jim can decrypt that message using Pam's public key. If Jim can decrypt the message successfully with Pam's public key, this actually proves two things. First, it proves that Pam must have sent that message; this gives us authentication. If Jim was able to decrypt something with the public key, it proves that the only key that could have encrypted it was Pam's private key, and Pam should be the only person that has that key; therefore we know Pam sent that message. It also proves something else: it also proves that the message was not modified in transit. That is integrity. If someone captured the message in the middle and changed the content of the message, well, when Jim tried to decrypt it with Pam's public key he would end up with a garbled mess, if the decryption would have worked at all. So if Jim was successfully able to decrypt a message with Pam's public key, then we know for a fact the message hasn't changed since Pam encrypted it with her private key. This process that we just discussed is what's known as message signatures. You can use an asymmetric key pair to create a signature, which provides authentication and integrity for what was signed.

So we just talked through how you can use an asymmetric key pair to provide both encryption, to get confidentiality, and signatures, to get integrity and authentication. But in reality it's not quite that simple. Remember, in the last lesson we talked through a bunch of limitations that asymmetric encryption has, namely that it's inefficient to use asymmetric encryption for bulk data transfers, because asymmetric encryption is slower and more taxing on the CPU. Instead, if we want to actually protect bulk data, what we want to be doing is using symmetric encryption. But symmetric encryption has this problem that we have to first establish a symmetric key on either side of the wire, and we have to do it in a secure way. Well, that symmetric key is a pretty small piece of data, and recall that we can use asymmetric encryption for smaller, limited data sets. Well, why don't we use an asymmetric key pair to share a symmetric key? That is what SSL and TLS actually do. Let me show you how it works.

Pam is going to randomly generate a symmetric secret key. This key is just a string of ones and zeros, and Pam will generate them randomly. Pam will then take Jim's public key and encrypt that symmetric key. The only key in the world that can decrypt this back to the original symmetric secret key is Jim's private key, which only Jim has, which means Pam is safe to send that across the wire. Jim will then take his private key to decrypt the content of that message to extract the original symmetric secret key, and now both parties have established a symmetric key that is identical, in a secure way. They can use that symmetric key to protect bulk data. Here Pam has a message for Jim. Pam will encrypt that message with her symmetric key. The only key in the world that can decrypt that message is the same symmetric key that was used to encrypt it. That message can be sent across the wire, and then Jim can use his copy of the symmetric key to decrypt that message and extract the original content. This can be done in either direction for an arbitrary amount of data. Here Jim is sending something to Pam securely using that same symmetric key. Now that both parties have the identical symmetric key on either side, they can continue to use that for however much data they want to protect.

This concept that we just discussed is referred to as hybrid encryption. Hybrid encryption is the idea of using both asymmetric encryption and symmetric encryption. Now, you're using both of those at different points, so it's not like you're both symmetrically and asymmetrically encrypting the same content. You're using asymmetric encryption to facilitate a key exchange, and then with this key you're using symmetric encryption to protect bulk data. Do you remember those strengths and weaknesses of symmetric and asymmetric encryption we talked about in the last lesson? Using hybrid encryption in this way gets you the best of both worlds. You get the strength of asymmetric encryption, in that you have used the more secure way of sharing a key, and the efficiency of symmetric encryption to protect your bulk data transfer. This method is what every secured communication protocol uses. This is how SSL/TLS protect bulk data transfers. This is also how IPsec and SSH protect bulk data transfer. So that is the concept of hybrid encryption.

But what about signatures? We talked about earlier how you can use signatures to attain integrity and authentication on a message by encrypting something with your own private key. But again, asymmetric encryption has limitations. You can't simply encrypt an entire message with a private key. Instead, what we'd like to do is simply encrypt a smaller, fixed, representational sample of that message. If only we had a way of converting messages to smaller representational sizes. Well, we do. We talked about hashing algorithms earlier on in this course. We defined them as a thing that specifically exists to take a message of any size and produce a smaller, fixed-width fingerprint of the original message, and signing is going to use hashing algorithms to simplify the process. Let me show you how that's going to work.

Here is how asymmetric keys are used for generating signatures. Pam is going to generate a message. She's then going to run that message through a hashing algorithm. That's going to result in a particular digest. That digest is then going to be encrypted with Pam's private key. The result of that, which is the encrypted digest, is the signature. That is actually the signature of that message. That gets appended to the message, and then both the message and the signature get sent across the wire. Now, that signature was created with Pam's private key, which means on the other side Jim is going to use Pam's public key to verify the signature. What he's going to do is take the signature and decrypt it using Pam's public key. That's going to result in the digest that Pam created. Then Jim is going to independently calculate a hash of that message, and if the digest that Jim got in his calculation matches the digest that Pam had sent, this proves two things. First, it proves that the message has not changed since Pam signed it. Remember, this digest was created by taking a hash of this message, so if anything changed in this message, Jim would have gotten a different digest. This gives us the property of integrity. The other thing that signatures prove is that only Pam could have created the signature. This signature was created as a result of taking Pam's private key and encrypting this digest. Well, if Jim was able to decrypt something with Pam's public key, this proves it was definitely Pam's private key that signed it, and the only person in the world that has Pam's private key is Pam. This gives us authentication. So using an asymmetric key pair to generate signatures in this way gives us both integrity and authentication for the content that was signed.

Now, we've been discussing this from the perspective of a message sent across the wire, but keep in mind many different things can be signed. Sure, you can sign messages, but that's actually pretty rare. Often what you see signed is much smaller pieces of data, things like a single certificate, or things like a single piece of software, or an email, or whatever the case. So this definition of signatures should not be limited to just messages; you can sign anything.

And that wraps up our discussion of public and private keys. The main takeaway from this lesson is understanding hybrid encryption: how we can use asymmetric encryption to securely establish symmetric keys, and then we can use the symmetric encryption to protect bulk data at scale. And the other thing to understand is message signatures: how they are a function of using your own private key and a hashing algorithm to prove you signed something and that it hasn't changed since you signed it. In the next lesson we're going to summarize a lot of what we've discussed so far in this module. We're going to tie it all together and show you how SSL actually uses all these different cryptographic tools we discussed. But that's it for this lesson. I hope you enjoyed this video. I want to thank you for watching, and we'll see you in the next one.

Hey YouTube, if you enjoyed that lesson then you'll also enjoy the full course that it came from, Practical TLS. It's a deep dive into SSL and TLS, taught methodically and intentionally, full of easy illustrations, and in the simplest way possible you'll get to learn cryptography, certificates, private keys, the handshake, OpenSSL, and everything you need to become an SSL expert. To learn more, check out pracnet.net/tls, and if you need more convincing that this is the best TLS training course, then check out the other free lesson previews on YouTube. Thank you, and have a great day.
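The two flows the lesson walks through, hash-then-sign with Pam's private key and wrapping a symmetric key with Jim's public key, as an added Python example that is not from the video or from Practical Networking. It assumes a toy textbook RSA (keys generated inline, SHA-256 as the hashing algorithm, no padding), which is enough to show the mechanics but is not how a real TLS stack does it.

```python
import hashlib, secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; n is assumed to be a large odd number."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # random odd candidate with the top bit set, until one passes
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Toy textbook RSA: public key (e, n), private key (d, n). No padding."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def sha256_int(message):
    # 256-bit digest as an integer: always below the 512-bit modulus n
    return int.from_bytes(hashlib.sha256(message).digest(), "big")
def sign(message, private_key):
    d, n = private_key  # Pam: hash, then "encrypt" the digest with her private key
    return pow(sha256_int(message), d, n)
def verify(message, signature, public_key):
    e, n = public_key  # Jim: "decrypt" with Pam's public key, compare digests
    return pow(signature, e, n) == sha256_int(message)
def wrap_key(sym_key, public_key):
    e, n = public_key  # hybrid step 1: symmetric key encrypted under Jim's public key
    return pow(int.from_bytes(sym_key, "big"), e, n)
def unwrap_key(wrapped, private_key, length=32):
    d, n = private_key  # hybrid step 2: Jim recovers it with his private key
    return pow(wrapped, d, n).to_bytes(length, "big")
```

A modified message or a signature checked against someone else's public key fails `verify`, which is the integrity and authentication check the lesson describes.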