Public Key Cryptography
Certificates and PKI are built on public key cryptography (also called asymmetric cryptography), which uses key pairs. A key pair consists of a public key that can be distributed and shared with the world, and a corresponding private key that should be kept confidential by the owner.
Let's repeat that last part; it's important: the security of a public key system depends on keeping private keys private.
There are two things you can do with a key pair:
- You can encrypt some data with the public key. The only way to decrypt that data is with the corresponding private key.
- You can sign some data with the private key. Anyone who knows the corresponding public key can verify the signature, proving which private key produced it.
Public key cryptography is a magical gift from mathematics to computer science. The math is complicated, for sure, but you don't need to understand it to appreciate its value. Public key cryptography lets computers do something that's otherwise impossible: public key cryptography lets computers see.
Explaining Metaphors
Public key cryptography lets one computer (or bit of code) prove to another that it knows something without sharing that knowledge directly. To prove you know a password you have to share it. Whoever you share it with can use it themselves. Not so with a private key. It's like human vision. If you know what I look like you can tell who I am -- authenticate my identity -- by looking at me. But you can't shape-shift to impersonate me.
Public key cryptography does something similar. If you know my public key (what I look like) you can use it to see me across the network. You could send me a big random number, for example. I can sign your number and send you my signature. Verifying that signature is good evidence you're talking to me. This effectively allows computers to see who they're talking to across a network. This is so useful, we take it for granted in the real world. Across a network, it's straight magic. Thanks math!
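The random-number exchange described above, written out in Go as an added example (it is not code from the original page). The choice of Ed25519, the function names, and the `domain` prefix are assumptions made for illustration; the page itself names no algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// domain is a constructed label prepended to every signed message so a
// response can never double as a signature over unrelated data.
const domain = "example-challenge-v1:"

// NewChallenge returns the verifier's "big random number": 32 fresh bytes.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no safe fallback without a working CSPRNG
	}
	return c
}

// Respond runs on the prover. Only the signature leaves; the key stays put.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(domain), challenge...))
}

// Check runs on the verifier, which holds nothing but the public key.
func Check(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(domain), challenge...), sig)
}

// Demo reports whether the key owner, an impostor with a different key, and
// a replayed old response are each accepted.
func Demo() (owner, impostor, replay bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	c1, c2 := NewChallenge(), NewChallenge()
	sig := Respond(priv, c1)
	return Check(pub, c1, sig), Check(pub, c1, Respond(otherPriv, c1)), Check(pub, c2, sig), nil
}

func main() {
	fmt.Println(Demo())
}
```

Only the key owner's response verifies. The replayed signature fails against the second challenge, which is why the verifier has to pick a fresh random number every time.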