# Asymmetric Cryptography

Video Activity
Join over 3 million cybersecurity professionals advancing their career
or

Time
15 hours 43 minutes
Difficulty
CEU/CPE
16
Video Transcription
00:00
>> We've talked about symmetric cryptography,
00:00
and we said it had some problems.
00:00
We said that we have
00:00
this problem with out-of-band key exchange.
00:00
We have a situation where the algorithms can't
00:00
be used in a large environment
00:00
because they're not scalable.
00:00
Then we also talked about the fact that we don't get
00:00
true integrity authenticity or
00:00
non-repudiation with symmetric algorithms.
00:00
All that seems to be a set of fairly weighty problems,
00:00
but the big desirable
00:00
element of symmetric cryptography is that it's fast.
00:00
We want to wind up using
00:00
symmetric cryptography to take advantage of that speed,
00:00
but we've got to find a way to solve
00:00
those problems and that's where
00:00
asymmetric cryptography comes in.
00:00
In this next section, I'm going to give you
00:00
an overview of how asymmetric cryptography works.
00:00
Then we're going to look at how we achieve privacy.
00:00
Then in later sections,
00:00
we'll talk about how we use
00:00
asymmetric to get authenticity,
00:00
non-repudiation, and so on.
00:00
Asymmetric cryptography.
00:00
The heart and soul of
00:00
asymmetric cryptography is the key pair.
00:00
Every user in an asymmetric environment
00:00
is going to get two keys,
00:00
a private key and a public key.
00:00
Those keys are mathematically related,
00:00
and they're mathematically related
00:00
in such a way that anything
00:00
encrypted with one key
00:00
is only going to be able to
00:00
be decrypted with the other key.
00:00
If something is encrypted with Kelly's public key,
00:00
only Kelly's private key can decrypt it.
00:00
Something's encrypted with Kelly's private key,
00:00
only Kelly's public key can decrypt it.
00:00
They're mathematically related.
00:00
Now, the thing is, is even
00:00
though you may know my public key,
00:00
you should never be able to figure out my private key.
00:00
Even if you see text encrypted with the public key,
00:00
even if you know my public key,
00:00
that's the strength in the math is
00:00
the strength between the relationship,
00:00
and the fact that these keys are related,
00:00
but you can't discern one key by knowing the other.
00:00
Again, everybody gets a key pair,
00:00
a public key and a private key.
00:00
Anything encrypted with the public key
00:00
can only be decrypted with the private.
00:00
Anything encrypted with the private
00:00
can only be decrypted with the public.
00:00
Hopefully, probably goes without saying,
00:00
but Captain Obvious is going to tell you.
00:00
A user's public key is publicly available.
00:00
Meaning anybody that wants
00:00
Kelly Handerhan's public key just has to ask.
00:00
I'm happy to share my public key with you.
00:00
There's nothing sensitive on a public key.
00:00
But then Captain Obvious also is going
00:00
>> to remind you that
00:00
>> Kelly Handerhan's private key must be kept private.
00:00
I can't share my private key.
00:00
That is unique. To me,
00:00
it is bound to my identity.
00:00
It's extremely important I
00:00
protect the privacy of my private key.
00:00
I had to keep it secret.
00:00
For any of you in the government that have
00:00
the common access or CAC cards,
00:00
your private key is what's on CAC,
00:00
and that's why you can't just leave that
00:00
or those of you maybe not in the government,
00:00
but maybe have smartcards.
00:00
Usually that's incorporated with
00:00
your private key is on that card,
00:00
and that's why you have to keep
00:00
that card and you use that to login to
00:00
systems or access rooms in the building or whatever.
00:00
00:00
and that's a way that you authenticate.
00:00
We got to keep our private key private,
00:00
but we're willing to share
00:00
our public key with anybody that asks.
00:00
Now, when I say anybody that asks,
00:00
I've never called up somebody and said,
00:00
''Hey, Bob,
00:00
but can you tell me what your public key is?''
00:00
But the way that works is my application
00:00
is going to request the
00:00
>> public key from your application.
00:00
>> Maybe I'm a web client.
00:00
Maybe I'm Chrome browser,
00:00
and I connect to a web server.
00:00
When I connect using the protocol HTTPS,
00:00
that S at the end says,
00:00
I want secure communication.
00:00
What that does is that tells the web server,
00:00
"Hey, send me your public key."
00:00
Now that web server has no
00:00
>> previous relationship with me.
00:00
>> They don't know me from Adam.
00:00
Will they send me their public key?
00:00
Yes, because there's nothing sensitive about it.
00:00
Public keys can be freely distributed.
00:00
What I'm going to do is
00:00
I'm going to ask that web server,
00:00
"Hey, give me your public key."
00:00
Then anything I encrypt with
00:00
that web server's public key can
00:00
only be decrypted with that web servers private key.
00:00
I can ask Capital One Bank of America,
00:00
whoever the banking server
00:00
is and say send me your public key.
00:00
Encrypt communication and I
00:00
can know that only that banking server,
00:00
if I encrypt that communication
00:00
with that banking servers public,
00:00
I know only that exact banking server
00:00
can decrypt it because only they have the private.
00:00
That's how we get privacy
00:00
through asymmetric cryptography.
00:00
Really, we've solved two of
00:00
the problems that come with symmetric cryptography.
00:00
Remember, we said the first problem
00:00
was out-of-band key exchange,
00:00
because I had the secret key,
00:00
I've got to get to you across an unsecure network,
00:00
but not with asymmetric cryptography.
00:00
The magic of asymmetric cryptography with
00:00
the relationship between the key pairs is,
00:00
if you want to send something
00:00
to me and keep it confidential,
00:00
you need my public key,
00:00
which anybody can have.
00:00
I don't have to send you
00:00
something secret across the network.
00:00
I'll send you my public key.
00:00
Even if somebody intercepts it,
00:00
they can't really do any damage with my public key.
00:00
You encrypt my message with the public key,
00:00
send it back and you know only I can decrypt it because
00:00
only my private key will be
00:00
able to decrypt what's encrypted with my public key.
00:00
We've solved the problem of
00:00
out-of-band key distribution
00:00
needing that symmetric cryptography.
00:00
We've also solved the problem of
00:00
scalability because every user gets two keys.
00:00
Regardless of how large my organization is,
00:00
Kelly Handerhan only has two keys,
00:00
a public and a private.
00:00
If I have 100 users in an asymmetric environment,
00:00
I'm going to have 200 keys,
00:00
each user having two.
00:00
But in a symmetric environment,
00:00
if you remember that formula,
00:00
it'd be 100 times 99 divided by 2.
00:00
>> That's a lot of keys.
00:00
>> We're starting to see some benefits
00:00
of asymmetric cryptography.
00:00
Just gave an overview there,
00:00
and we also talked about how we get privacy.
00:00
Go slow through these next sections,
00:00
because if you don't have
00:00
the experience with asymmetric cryptography,
00:00
this can be a little bit tricky.
00:00
But I just want to remind
00:00
you privacy, authenticity, integrity,
00:00
non-repudiation, those are each discrete services,
00:00
and how we accomplish them is
00:00
unique to the security function.
00:00
We talked about privacy with asymmetric cryptography.
00:00
We always get privacy using the receiver's public key.
Up Next