Public Key Cryptography Explained- How Encryption Works

What Public Key Cryptography Actually Is

Public key cryptography is a method where you use two different keys to secure data. One key encrypts, the other decrypts. That's the whole point.

You keep one key secret. The other one you hand out freely. Anyone can use the public key to lock a message meant for you. Only you can unlock it with your private key. Simple concept, massive implications.

This approach solved a problem that plagued encryption for centuries: how do you safely share the key itself? With symmetric encryption (same key for encrypt and decrypt), you had to somehow get the key to your recipient without anyone intercepting it. That's a massive headache.

Why This Matters

Without public key cryptography, HTTPS wouldn't work. Digital signatures wouldn't exist. Every secure transaction you've ever made online relied on this math.

The security comes from mathematical asymmetry. Some operations are easy in one direction but nearly impossible in reverse—unless you know the secret. Multiplying two large prime numbers is trivial. Factoring their product back into those primes? That's a different story.

How Encryption Actually Works

Here's the flow in practice:

Anyone intercepting the encrypted message sees garbage. They don't have your private key. The math makes brute-force attempts impractical—decrypting without the right key would take longer than the age of the universe with current computers.

The Reverse Works Too

You can also flip this around. Encrypt with your private key, decrypt with your public key. That proves the message came from you—since only you have your private key. This is how digital signatures work.

Hash the message, encrypt the hash with your private key. Recipients decrypt with your public key, hash the message themselves, and compare. Match? Message is authentic and untampered.

Common Algorithms You Should Know

Several algorithms implement public key cryptography. Each has different strengths.

RSA (Rivest-Shamir-Adleman)

The old standard. Still widely used. RSA security relies on the difficulty of factoring large numbers. Key sizes of 2048 or 4096 bits are standard today. Smaller keys are considered weak.

RSA works for both encryption and signatures. It's slow compared to modern alternatives though. You don't encrypt large files with RSA directly—that's inefficient. Instead, you encrypt a symmetric key and use that for the actual data.

ECC (Elliptic Curve Cryptography)

ECC provides equivalent security to RSA with much smaller keys. A 256-bit ECC key matches the security of a 3072-bit RSA key. That's a huge advantage for performance and bandwidth.

Bitcoin and most cryptocurrencies use ECC. So do many modern protocols. The math is more complex, but the practical benefits are real.

Diffie-Hellman Key Exchange

DH doesn't do encryption or signatures. It solves a different problem: establishing a shared secret over an insecure channel. Two parties can agree on a secret value that eavesdroppers cannot determine, even if they watch the entire exchange.

This is foundational for many encrypted protocols. Perfect forward secrecy depends on it.

Algorithm Primary Use Typical Key Size Speed
RSA Encryption, Signatures 2048-4096 bits Slow
ECC (P-256, P-384) Encryption, Signatures 256-384 bits Fast
Diffie-Hellman Key Exchange 2048-4096 bits Moderate
ECDHE Key Exchange 256-384 bits Fast

Where This Shows Up in Real Life

You encounter public key cryptography constantly without thinking about it.

HTTPS/TLS

Every secure website connection starts with a key exchange. Your browser and the server use Diffie-Hellman or ECDHE to establish a session key. The server proves its identity with a certificate signed using RSA or ECC. After that, symmetric encryption handles the actual data transfer.

Digital Signatures

Software updates, code repositories, contracts—all signed with private keys. Recipients verify with public keys. If the signature checks out, the content hasn't been tampered with and came from the right source.

SSH Keys

Passwordless server access uses key pairs. You generate a pair, upload the public key to servers you need to access, and log in by proving you hold the private key. No passwords transmitted, no brute-force vulnerability.

Encrypted Messaging

Signal, WhatsApp, and similar apps use the Double Ratchet algorithm—a sophisticated system built on ECDH key exchanges. Your messages are encrypted end-to-end. The servers never see the content.

Getting Started: Generating Your Own Keys

You can generate RSA or ECC keys right now with standard tools.

Using OpenSSL (Terminal)

Generate an RSA key pair:

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

Generate an ECC key pair:

openssl ecparam -genkey -name prime256v1 -out ec_private.pem
openssl ec -in ec_private.pem -pubout -out ec_public.pem

The private key stays on your machine. The public key goes wherever you need it.

Using SSH

ssh-keygen -t ed25519 -C "your_email@example.com"

Ed25519 is the modern standard for SSH keys. Faster, smaller, and more secure than RSA alternatives. Your public key appears in ~/.ssh/id_ed25519.pub—that's the one you share.

Using Python

from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes

private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)
public_key = private_key.public_key()

message = b"secret data"
ciphertext = public_key.encrypt(
    message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)
plaintext = private_key.decrypt(
    ciphertext,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)

The cryptography library handles the math. OAEP padding is essential—raw RSA encryption without proper padding is vulnerable.

What Can Go Wrong

Implementation failures happen constantly. Real-world systems get compromised not because the math breaks, but because developers misuse it.

Use established libraries. Don't implement crypto primitives yourself unless you're a cryptographer. The chances of getting something wrong are extremely high.

The Bottom Line

Public key cryptography solves the key distribution problem through mathematical asymmetry. You share one key freely while keeping another secret. This enables secure communication without prior key exchange.

RSA and ECC are the dominant algorithms. ECC wins on efficiency. Use 2048-bit minimum for RSA, 256-bit for ECC. Generate keys properly with good entropy. Store private keys securely—anyone who has it can decrypt everything encrypted for that key.

That's the core. The rest is implementation details.