03
18 min read · 5 briefings

Asymmetric Encryption & PKI

Two keys, a mailbox metaphor, and the fragile web of trust that holds the web together.

01 Two keys that undo each other

Asymmetric (public-key) cryptography uses a mathematically linked keypair: a public key you can hand to anyone, and a private key you guard with your life. What one key locks, only the other can unlock.

The classic intuition is a mailbox with a public slot. Anyone can drop a letter through the slot (encrypt with your public key), but only the person holding the mailbox key can open it and read the mail (decrypt with the private key). Crucially, being able to put mail in gives no ability to take mail out — the two operations are genuinely different.

This is slower than symmetric encryption by orders of magnitude, so in practice it is almost never used to encrypt bulk data directly. Instead it does two priceless jobs: key establishment (safely agreeing on a symmetric key with a stranger, solving the key distribution problem) and digital signatures (proving who sent something and that it was not altered). Nearly every secure system you touch combines asymmetric crypto for setup with symmetric crypto for speed.

Insight Public-key crypto did not make symmetric crypto obsolete. It made it usable at internet scale by solving the one problem symmetric crypto could never solve on its own.

02 RSA and ECC, without the heavy algebra

Public-key systems rest on trapdoor functions: math that is easy to compute one way and infeasible to reverse without a secret.

RSA leans on factoring. Multiplying two enormous prime numbers together is trivial; taking the product and recovering the original primes is, for large enough numbers, computationally hopeless with classical computers. Your public key is built from the product; your private key depends on knowing the factors. Practical RSA today uses keys of 2048 or 3072 bits.

ECC (Elliptic Curve Cryptography) leans on a different hard problem: the difficulty of the elliptic-curve discrete logarithm. Its headline advantage is efficiency — a 256-bit ECC key offers security roughly comparable to a 3072-bit RSA key. Smaller keys mean faster math and less bandwidth, which is why modern TLS and mobile devices favor ECC. Common curves include NIST's P-256 and Daniel Bernstein's Curve25519.

RSAECC
Hard problemInteger factorizationElliptic-curve discrete log
Typical key size2048-3072 bits256-384 bits
Speed / footprintLarger, slowerSmaller, faster

03 Digital signatures: proving who and proving what

Encryption hides content. Digital signatures do the opposite job — they make content verifiable. The keys are used in reverse: the signer processes a message with their private key, and anyone can check the result with the corresponding public key.

In practice you do not sign the whole message — you hash it first (see the next module) and sign the hash. A valid signature proves three things at once:

  • Authenticity — it came from the holder of the private key.
  • Integrity — the message was not altered, because any change breaks the hash and the signature no longer verifies.
  • Non-repudiation — the signer cannot plausibly deny it, since only they hold the private key.

Signatures are the backbone of trust online: they authenticate software updates, sign TLS handshakes, secure code-signing and package managers, and validate the certificates we discuss next. Algorithms include RSA signatures, ECDSA, and EdDSA (Ed25519).

Pro tip Encryption and signing are complementary, not interchangeable. You encrypt to keep something secret; you sign to prove it is genuine. Many protocols do both.

04 Certificate authorities and the chain of trust

Public keys solve secrecy, but they create a new problem: when your browser receives a public key claiming to be your bank, how does it know the key really belongs to the bank and not an impostor? The answer is Public Key Infrastructure (PKI) and the certificate authority (CA).

A CA is a trusted third party that vouches for the binding between an identity and a public key by issuing a signed X.509 certificate. Your device ships with a built-in list of trusted root CAs. Roots rarely sign end-user certificates directly; instead they sign intermediate CAs, which sign the leaf certificate for an actual website. This is the chain of trust: your browser verifies the leaf was signed by an intermediate, the intermediate by a root, and the root is one it already trusts.

Each link is checked by verifying a digital signature. If any signature fails, the chain breaks and the connection is untrusted. This delegated model is what lets a browser trust hundreds of millions of websites it has never seen, by trusting a few hundred CAs.

Insight An X.509 certificate is essentially a public key plus an identity, wrapped in a signature from someone your device already trusts. Trust is transitive, and it flows downward from the roots.

05 When a CA falls: the DigiNotar catastrophe

The chain of trust has a terrifying property: any trusted CA can issue a valid certificate for any domain. Your browser trusts hundreds of them, and each is a single point of failure for the entire web. Compromise one CA and you can impersonate anyone.

This is not hypothetical. In 2011 the Dutch certificate authority DigiNotar was breached. The attacker issued more than 500 fraudulent certificates, including one for *.google.com. That certificate was then used in a large-scale man-in-the-middle attack against roughly 300,000 Gmail users in Iran — reading supposedly encrypted traffic in real time. When it came to light, browser vendors removed DigiNotar from their trust stores entirely, and the company collapsed into bankruptcy within weeks.

Watch out The CA system is only as strong as its weakest member. Defenses have since hardened it — Certificate Transparency logs make every issued certificate publicly auditable, and HSTS and pinning limit impersonation — but the structural risk remains: trust is broad, and betrayal by one link endangers everyone.

Field Glossary

Asymmetric encryption
Cryptography using a linked public/private keypair, where what one key encrypts only the other can decrypt. Used mainly for key establishment and digital signatures.
RSA
A public-key algorithm whose security rests on the difficulty of factoring the product of two large primes. Typical modern keys are 2048-3072 bits.
ECC
Elliptic Curve Cryptography, based on the elliptic-curve discrete logarithm problem. Achieves RSA-level security with much smaller, faster keys (256-bit ECC ~ 3072-bit RSA).
Digital signature
A value produced with a private key and verified with the matching public key, proving a message's authenticity, integrity, and non-repudiation.
Certificate authority (CA)
A trusted third party that issues signed X.509 certificates binding an identity to a public key. Browsers ship with a list of trusted root CAs.
Chain of trust
The verifiable path from a website's leaf certificate up through intermediate CAs to a trusted root, each link validated by a digital signature.
X.509 certificate
The standard format for a public-key certificate: a public key plus identity information, signed by a certificate authority.

Knowledge Check

Field Assessment

0 / 3

01 In a digital signature scheme, which key does the signer use, and which do verifiers use?

02 Why is ECC often preferred over RSA in modern systems?

03 What is the fundamental danger of the CA trust model, as shown by DigiNotar?

ESC
↑↓ navigate jack in