Describes the concepts of public key, private key, and digital certificate.

Source: Internet
Author: User
Tags asymmetric encryption

Encryption and authentication 
First, we need to distinguish the two basic concepts of encryption and authentication.
Encryption encrypts data so that illegal users cannot obtain the correct data even if they have obtained the encrypted data. Therefore, data encryption can protect data and prevent attacks. The focus is on data security. Identity Authentication is used to determine the authenticity of an identity. After the identity is confirmed, the system can grant different permissions according to different identities. The focus is on the authenticity of users. The two have different focuses.

Public Key and Private Key
Public and private keys are commonly known as asymmetric encryption methods, which are improved from the previous symmetric encryption (using usernames and passwords.

In modern cryptographic systems, encryption and decryption use different keys (public keys), that is, asymmetric key cryptography systems. Each communication party requires two keys, namely, the public key and private key, these two keys can be used for mutual encryption and decryption. The Public Key is public and does not need to be kept confidential. The private key is held by the individual and must be kept properly and kept confidential.

Principles of Public Key and private key:

    1. A public key corresponds to a private key.
    2. The key pair is known to everyone as a public key. If you do not know it, you only know it as a private key.
    3. If one of the keys is used to encrypt data, only the corresponding key can be decrypted.
    4. If one of the keys can be used for data decryption, the data must be encrypted by the corresponding key.

Describe the principles by email.
The public key and private key are used to secure emails:
1. The content I sent to you must be encrypted and cannot be seen by others during Email transmission.
2. You must ensure that the email is sent by me, not by someone else impersonating me.
To achieve this goal, both the Email recipients must have the public key and private key.
The public key is for everyone. You can publish it via email or download it from a website. The public key is actually used for encryption/Seal verification. The private key is your own and must be kept very carefully. It is best to add a password. The private key is used to decrypt/sign the seal. First of all, for the ownership of the key, the private key is only owned by the individual. The role of the public key and the private key is: The content encrypted with the public key can only be decrypted with the private key, the content encrypted with the private key can only be decrypted with the public key.
For example, I want to send you an encrypted email. First, you must own your public key.
First, I use your public key to encrypt the email. This ensures that the email is not visible to others, and that the email is not modified during transmission. After receiving the email, you can use your private key to decrypt the email and view the content.
Next, I use my private key to encrypt this email. After it is sent to you, You can decrypt it with my public key. Because I only have the private key in my hand, this ensures that this email is sent by me.


The main application of asymmetric key cryptography is public key encryption and public key authentication. The process of public key encryption is different from that of public key authentication. I will explain in detail the differences between the two.


Public Key-based encryption process

For example, two users Alice and Bob, Alice want to send a piece of plain text to bob through the two-key encryption technology. Bob has a pair of public and private keys, the encryption and decryption process is as follows:

    1. Bob transfers his public key to Alice.
    2. Alice encrypted her message with Bob's public key and sent it to Bob.
    3. Bob uses his private key to decrypt Alice's message.

Alice uses Bob's public key for encryption and Bob uses his own private key for decryption.


Public Key-based authentication process

Identity authentication and encryption are different. The main users identify the authenticity of users. Here, we can identify a user's private key as long as it is correct.

For Alice and Bob, Alice wants Bob to know that she is a real Alice, rather than a fake one. Therefore, Alice only needs to use public key cryptography to sign the file and send it to Bob, bob uses Alice's public key to decrypt the file. If the decryption succeeds, it proves that Alice's private key is correct and thus completes Alice's identity authentication. The authentication process is as follows:

    1. Alice uses her private key to encrypt the file and sign the file.
    2. Alice transfers the signed file to Bob.
    3. Bob decrypts the file with Alice's public key to verify the signature.

Alice uses her own private key for encryption, and Bob uses Alice's public key for decryption.


Root Certificate

The root certificate is issued by the CA.The certificate issued is the starting point of the trust chain. Installing the root certificate means you trust the CA. 


According to the principle of asymmetric cryptography, each certificate holder has a pair of public keys and private keys, which can be mutually decrypted. The Public Key is public and does not need to be kept confidential. The private key is held by the certificate holder and must be kept properly and kept confidential.

A digital certificate is a digital certificate issued by a certificate authority (CA) to verify the real identity of the certificate applicant, A digital file formed by using the CA root certificate to sign the applicant's basic information and the applicant's public key (equivalent to the Public Seal of the CA. After a certificate is issued, the Ca publishes the certificate to the certificate library (Directory Server) of the CA. Anyone can query and download the certificate. Therefore, the digital certificate is public like the public key.

In this case, a digital certificate is a ca-certified public key, and the private key is generally generated locally by the certificate holder and kept by the certificate holder. For specific use, the signature operation is to sign the sender with the private key, and the receiver uses the sender certificate to verify the signature. The encryption operation is to encrypt the signature with the recipient's certificate, the receiver uses its own private key for decryption.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.