22

Possible Duplicate:
Principle of asymmetric algorithm in plain english

In the spirit of How can I explain SQL injection without technical jargon?, do you have any suggestions on how to explain the concept of a key pair to someone who's not well versed in technological terms?

NickAldwin
  • 3
    @Lucas has answered it with pictures: [Principle of asymmetric algorithm in plain english](http://security.stackexchange.com/questions/24407/principle-of-asymmetric-algorithm-in-plain-english/24408#24408) – ypercubeᵀᴹ Dec 20 '12 at 23:31

5 Answers

41

Note: This answer is aimed at really non-technical people, I have tried to make it understandable by a child, please don't be offended!

Let's say I want to send something to you, but I don't want anyone else to be able to read it. The first thing that comes to mind is encryption! Encryption gives confidentiality, right? It sure does, but there are some problems to address.

Classical, or symmetric encryption requires some kind of shared secret. In the computer world, this is called a key. The problem is, in order to communicate confidentially using symmetric encryption, we both have to know the same key. We have to communicate this key to each other by some secure means before we can use it. It's a chicken-and-egg situation, we need to send the key confidentially in order to have a confidential channel.

One solution would be to meet up somewhere physically, agree on a key (which is just a really big number), and then go our separate ways. With this arrangement, we know we are the only two people who know the key, and we can happily transmit messages to each other using it, in the knowledge that nobody else can read those messages.

This solution does not scale well, and in the world of the internet when we might want to talk securely to a few dozen parties a day, that would be a whole bunch of secret meetings to set up, a whole bunch of keys to keep track of, and a fortune in travel costs.

Enter some really clever mathematicians. Asymmetric cryptography is essentially a smart bit of maths that allows us to use a pair of keys. One key for encryption, and one key for decryption. What's more, it is impossible to generate one key from the other.

Think of it like this; the encryption key is a padlock. You just click it closed, and it locks. The decryption key is like the padlock key.

It works like this; I want to communicate with you securely, but we have never met, and share no secret.

  • You send me your padlock.
  • I write my message to you, put it in a box, and lock it with your padlock.
  • You keep hold of your padlock key at all times, so you are the only person who can unlock the padlock. Once I have locked the box, not even I can open it, because I don't have the key.
  • Then I send the box to you, safe in the knowledge that you are the only person that can unlock it.

Someone watching our traffic can see you send over your padlock (encryption key). But they can't do anything with that padlock except lock things that only you can open. They can't examine the padlock to figure out how to make a padlock key for it; the mathematics of the system ensures this.

They then see my message to you, locked away with the padlock, but they don't have the padlock key, so they can't do anything with it.

lynks
  • 1
    This is not offensive. The mistake with this is going with historic meanings and words and choosing to call the public key a key. We call it a key in the first place because it's an analogy so god knows why we didn't use the same reasoning and call it public padlock / private key as it is the most intuitive description of the whole thing. This of course falls apart for digital signatures, but when we teach PKI we first understand the most common use case which is encryption. Some research has been done that shows a common mistake ppl make is encrypting using their public key - wonder why? – RaviU Jan 13 '17 at 18:43
  • 1
    Here's the link to the study: https://arxiv.org/abs/1510.08555v1 - usability of encryption is important. – RaviU Jan 13 '17 at 18:45
  • very nice, the only thing I find missing is the explanation that the padlock represents the public key and the key - the private key – gilad905 Sep 05 '17 at 09:18
5

The background comes from this older answer. Here's the summary: public / private key encryption is like a keyed padlock. Anybody can be given a lock and anybody can close that lock to secure a box. The lock's owner keeps the key to themselves.

For some complicated reasons, using keyed locks takes a long time and they only fit one size of box. To make lots of exchanges quicker, we usually send a combination lock (for our analogy, the kind you can set the code on) inside the box that is secured by the keyed lock and we tape the code you want the lock set to right on the lock. Those combination locks are more universal and can secure very large boxes. The obvious catch is that since you must send the code you plan to open the lock with along with the lock, you must make sure that it won't be seen by people you don't want to see your data.

Jeff Ferland
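The padlock exchange from the first answer and the combination-lock refinement in the answer above, as an added example that is not part of either answer: the recipient publishes a padlock, the sender locks a one-time code with it, and the bulk message is locked with that code. Assumptions: toy unpadded RSA over two fixed Mersenne primes and a SHA-256 keystream stand in for real algorithms (a vetted library with padded RSA and an authenticated cipher is what production code uses), and every function name here is made up for illustration.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration: two known Mersenne primes.
# Trivially factorable and unpadded, so this is a teaching model only.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537

def make_keypair():
    """Recipient: returns (padlock, padlock_key) = public (n, e), private (n, d)."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))

def combination_lock(code: bytes, data: bytes) -> bytes:
    """Symmetric part: XOR with a SHA-256 counter keystream (same call locks and unlocks)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(code + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def seal(padlock, message: bytes):
    """Sender: needs only the padlock. Returns what travels over the wire."""
    n, e = padlock
    code = secrets.token_bytes(16)                        # fresh combination per message
    locked_code = pow(int.from_bytes(code, "big"), e, n)  # small box, keyed padlock
    return locked_code, combination_lock(code, message)   # big box, combination lock

def open_box(padlock_key, locked_code: int, body: bytes) -> bytes:
    """Recipient: only the padlock key recovers the combination."""
    n, d = padlock_key
    code = pow(locked_code, d, n).to_bytes(16, "big")
    return combination_lock(code, body)

def eavesdropper_sees(padlock, locked_code: int, body: bytes, message: bytes) -> bool:
    """True if the wire data is readable as-is or by reusing the padlock as a key."""
    n, e = padlock
    relocked = pow(locked_code, e, n).to_bytes(32, "big")[-16:]
    return body == message or combination_lock(relocked, body) == message

if __name__ == "__main__":
    padlock, padlock_key = make_keypair()
    wire = seal(padlock, b"meet at noon")
    print(open_box(padlock_key, *wire), eavesdropper_sees(padlock, *wire, b"meet at noon"))
```
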
4

Think of the blue USPS mailboxes sitting in an office building or outside a post office. There is a door that anyone can open, that they can use to insert mail. However, this door is one-way; once the mail is in the mailbox, that door can't be used by anyone else to get any mail back out. Instead, there is a second door secured by a key that only the postman has, which he uses to get all the mail back out.

This is roughly analogous to an asymmetric-key system. The "public key" is freely available, like the name implies; it allows anyone to send a message to the recipient in a secure manner. Nobody else, not even other people sending messages, can see what you're sending. Even you can't see what you sent, if you forgot. Only the recipient, with the "private key", can get those messages back out and read them.

KeithS
1

Explain it like a lock, but instead of a metal key, you use a key full of weird characters that are sent through a math equation to see if they match. If the keys match, the door opens.

  • This really describes shared (symmetric) key encryption more than public/private key (asymmetric) encryption. – AJ Henderson Dec 20 '12 at 19:28
  • Yup, but we're explaining something on a basic level... I mean we're not going to key shapes and lock pin configuration here. – Layton Everson Dec 20 '12 at 19:47
  • True, but the question is asking about Public/Private key encryption, not encryption in general. Simply saying it is like a lock doesn't explain anything about what public/private key encryption is, just what encryption in general is. – AJ Henderson Dec 20 '12 at 20:42
0

A public key is like a phone number listing in a phone book. It tells everyone that if they use your listing to contact you, then you will get the message and not your next door neighbor. Similarly, if you call from your phone (the private key) then they can see your caller id and know that it is you calling since the phone book says it is your number.

It isn't quite perfect since caller id can be spoofed, but it explains the general idea.

AJ Henderson