What Is Public-Key Cryptography? Asymmetric Encryption Explained
Public-key cryptography (asymmetric cryptography) uses a mathematically linked key pair. The public key can be shared freely — anyone can use it to encrypt a message or verify a signature. Only the private key can decrypt messages or create signatures. This elegantly solves the key distribution problem that made symmetric cryptography impractical for strangers communicating over open networks.
RSA and Elliptic Curve Cryptography
RSA security relies on the difficulty of factoring large numbers. 2048-bit RSA is currently secure; 4096-bit is used for very long-term key material. Elliptic Curve Cryptography (ECC) provides equivalent security with much shorter keys: a 256-bit ECC key has similar security to 3072-bit RSA. ECC (ECDSA, Ed25519) is preferred for new systems due to smaller key sizes, faster operations, and smaller signatures.
Digital Signatures
A digital signature proves authenticity and integrity. The signer computes hash(message) and encrypts that hash with their private key; the result is the signature. The verifier decrypts the signature with the signer's public key and checks that the recovered hash matches the hash of the message. Forgery requires the private key. Code signing certificates tie an identity to a public key: git tag signatures, software installer signing, TLS certificates, and email (S/MIME) all use this model.
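The hash-then-sign flow described above, as an added example that is not part of the original article: textbook RSA in pure Python, showing that a changed message, a changed signature, or a signature made with a different private key is rejected. The function names, the sample message and the toy keys built from known Mersenne primes are assumptions of this example; it is unpadded and for illustration, and production code uses a vetted library with RSA-PSS or Ed25519.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two distinct primes (toy, constructed)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: E*d = 1 (mod phi), Python 3.8+
    return (n, E), (n, d)  # (public key, private key)

def digest(message, n):
    """SHA-256 of the message as an integer; must be smaller than n."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    if h >= n:
        raise ValueError("modulus too small for the hash")
    return h

def sign(message, private_key):
    """Signer: hash the message, apply the private-key operation."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """Verifier: apply the public-key operation, compare with a fresh hash."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(message, n)

def demo():
    # Constructed keys from known Mersenne primes; real keys use random primes.
    signer_pub, signer_priv = make_keypair(2**127 - 1, 2**521 - 1)
    _, other_priv = make_keypair(2**89 - 1, 2**607 - 1)
    msg = b"installer-1.2.0.tar.gz (constructed sample)"
    sig = sign(msg, signer_priv)
    return {
        "genuine": verify(msg, sig, signer_pub),
        "tampered_message": verify(msg + b"!", sig, signer_pub),
        "tampered_signature": verify(msg, sig ^ 1, signer_pub),
        "signed_with_other_key": verify(msg, sign(msg, other_priv), signer_pub),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the genuine case is accepted; the other three fail because the recovered value no longer equals the hash of the message being checked.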
Public Key Infrastructure (PKI)
PKI is the system of certificate authorities (CAs), certificates, and policies that allows parties to trust public keys. A CA signs a certificate binding a public key to an identity (domain name, organisation). Browsers and OSes ship with a list of trusted root CAs. The CA hierarchy runs root CA → intermediate CA → end-entity certificate. Certificate Transparency logs allow auditing of all issued certificates.