Asymmetric encryption lets you send secret messages to someone without ever sharing a secret password.
Imagine you want to send a secret note to Alice. You can’t just write it down and hand it to her, because someone might intercept it. You also can’t agree on a secret code beforehand, because how would you securely tell her the code? Asymmetric encryption solves this by giving Alice two keys: one public key that she can share with anyone, and one private key that she keeps entirely to herself.
Here’s how it works in practice. Let’s say Alice wants to receive secret messages. She generates a pair of keys: a public key and a private key.
# Alice generates a key pair using OpenSSL
openssl genpkey -algorithm RSA -out alice_private.pem -aes256
openssl pkey -in alice_private.pem -pubout -out alice_public.pem
The alice_private.pem file contains her secret private key, protected by a strong password. The alice_public.pem file contains her public key. Alice can freely distribute alice_public.pem to anyone who wants to send her a secret message.
Now, Bob wants to send Alice a secret message. He takes Alice’s public key and uses it to "encrypt" his message.
# Bob encrypts a message using Alice's public key
echo "This is a super secret message for Alice!" > message.txt
openssl pkeyutl -encrypt -inkey alice_public.pem -pubin -in message.txt -out encrypted_message.bin
This encrypted_message.bin file is now unreadable to anyone who intercepts it. Even if someone has Alice’s public key, they can’t decrypt it. Why? Because encryption with the public key can only be reversed by the corresponding private key.
When Alice receives encrypted_message.bin, she uses her private key to decrypt it.
# Alice decrypts the message using her private key
openssl pkeyutl -decrypt -inkey alice_private.pem -in encrypted_message.bin -out decrypted_message.txt
If Alice typed her private key password correctly, decrypted_message.txt will contain the original message: "This is a super secret message for Alice!".
The core concept here is that encryption and decryption use different keys. One key (public) encrypts, and the other key (private) decrypts. This is what makes it "asymmetric."
The RSA algorithm is a common way to generate these public and private key pairs. It relies on the mathematical difficulty of factoring very large prime numbers. The public key is derived from these large primes, while the private key requires knowing the original primes. It’s computationally infeasible to derive the private key from the public key alone.
The system in action isn’t just about sending secrets; it’s also the foundation for secure communication protocols like TLS/SSL (which secures websites with HTTPS) and digital signatures. In digital signatures, the process is reversed: you "sign" a message with your private key, and anyone can "verify" that signature using your public key. This proves that the message came from you and hasn’t been tampered with.
A common misconception is that public keys are inherently insecure because they’re public. However, the security of the entire system hinges on the private key remaining secret. If Alice’s private key is compromised, anyone can decrypt messages intended for her and even impersonate her by signing messages with her private key. This is why protecting your private key with a strong password and secure storage is paramount.
The next step in understanding secure communication is exploring how these key pairs are managed and trusted in real-world systems, often through certificates.