DEV Community

Shahriyar Al Mustakim Mitul

Transport Layer Security (TLS), Public & Private Keys

Assume you own a bank and you want to send a user's name and password to the server.

But while the data is in transit, a hacker can easily intercept and read it.

To solve this, you can use a key to encrypt and decrypt the data. Now your data travels encrypted.

Now the hacker gets the data, but it is encrypted.

But you have to send the key to the server so that the server can decrypt the data as well.

Now the hacker gets the key too and can decrypt your data.

This is called symmetric encryption: the same key encrypts and decrypts, so it has to be shared.

Asymmetric encryption

To prevent the issues of symmetric encryption, we use a private key and a public key.

For easier understanding in this blog, think of the public key as a public lock.

Here your data is locked with the public lock, and it can be unlocked (decrypted) only with the private key.

You can generate this key pair with a key-generation command.

Anyone can get hold of this public lock, but nobody can break it open.

But the holder of the private key can open it.

Now the server generates two keys, a public key and a private key, and sends the public key (the lock) to you.

The hacker gets a copy of the public lock too.

Now you put your encryption key into this packet and close it with the server's public lock.

You then send this packet to the server.

Now the server can easily open the public lock it sent earlier, because it holds the matching private key.

This time the hacker cannot open the package, as it does not have the server's private key.

Now the server has successfully received the encrypted key.

Now assume that the hacker is acting like a server.

Now you are misled and send your encrypted key and data to the hacker's server.

So you have been hacked, as the hacker now has all the data.

But we have a solution here.
When a server sends a package, it also sends a certificate to prove that the server is genuine.

This is how a certificate might look.

But the hacker can also create a certificate of their own.
So how do you tell?
You can see that the certificate is signed by the hacker themselves, a self-signed certificate.

But this should not be there.
Even browsers warn you when they see "self" in the signature row.

So here comes the Certificate Authority (CA), which vouches for the real certificate.

Once issued by a CA, the certificate shows the CA in the signature row instead of "self".

Basically, our browser has a list of trusted CAs and recognizes certificates issued by them.

This is how our browsers keep a record of all the CAs.

Let's clear up the public lock and key confusion.

As mentioned, this is actually a public key, not a public lock.

You can encrypt your data with one key and decrypt it with the other.
So if you encrypt using the private key, the hacker and anyone else can easily get the public key and thus read your data.

So you should encrypt your data using the public key; it can then be decrypted only with the private key, which is not available to the hackers.
The two key files are also recognizable by their file extensions.

Done!
