If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Public key encryption

On the Internet, two computers often want to exchange secure data with each other. When I type my password into the Khan Academy login screen, I want my computer to send that data safely to the Khan Academy servers. I do not want to worry that an attacker might be monitoring my Internet traffic and watching the password go across the wires.
Symmetric encryption techniques rely on both the sender and receiver using the same key to encrypt and decrypt the data. How can my computer and the Khan Academy server exchange the key securely? If an attacker can see my password go across the wires, then they can also see an encryption key!
Public key encryption to the rescue! It's an asymmetric encryption technique which uses different keys for encryption and decryption, allowing computers over the Internet to securely communicate with each other.
Let's step through the high-level process of public key encryption.

Step 1: Key generation

Each person (or their computer) must generate a pair of keys that identifies them: a private key and a public key.
You can generate a pair below, using the same RSA algorithm that's used by your computer:
Did you notice it takes a few seconds to generate the keys? That's due to the math involved. The keys are generated by multiplying together two incredibly large primes. The algorithm repeatedly generates random large numbers and checks if they're prime, until it finally finds two random large primes. All that checking for primes can take a while, and these keys are only 512 bits long. The current nationally recommended key length is 2048, or even 3072 bits.

Step 2: Key exchange

The sending and receiving computers exchange public keys with each other via a reliable channel, like TCP/IP. The private keys are never exchanged.

Step 3: Encryption

The sending computer encrypts the secret data using the receiving computer's public key and a mathematical operation.
The power of public key encryption is in that mathematical operation. It's a "one-way function", which means it's incredibly difficult for a computer to reverse the operation and discover the original data. Even the public key cannot be used to decrypt the data.
You can try it out below, with the public key you generated above:

Step 4: Sending encrypted data

The sender can now safely transmit the encrypted data over the Internet without worry of onlookers.

Step 5: Decryption

Now the receiver can decrypt the message, using their private key. That's the only key that can be used to decrypt the message (in the world!).
Try it out below, with the encrypted message and private key from above:
Once you successfully decrypt the message, try decrypting it with the public key. It won't work; only the private key can decrypt it.

But how is that possible?

It may sound too good to be true; that it's possible to encrypt something with one key that can only then be decrypted by a different key. For a long time, mathematicians weren't sure if it was possible, but fortunately they discovered a way in the 1970s.
The math of the one-way function relies on prime numbers, the difficulty of factoring large primes, and modular arithmetic. If you'd like to dig deeper into the math, check out the Khan Academy tutorials on modern cryptography.
Fortunately, all of us can use and benefit from public key cryptography without needing to understand the complicated math behind it. In fact, we likely use public key cryptography everyday as we use computers and the Internet. Just imagine, what would the world be without it?
🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!