Understanding Encryption and Key Exchange

I find algorithms very interesting, particularly compression (especially for media) and encryption. However, they can be challenging to explain to a less-technical audience. When it comes to security, I think it's important that people understand the basics. Here are some analogies that I use to help illustrate how asymmetric encryption works.

Asymmetric Encryption Key Exchange

Symmetric encryption is relatively boring and I find people easily grasp the concept of a secret shared key. They are familiar with password protecting a zip archive and distributing the password out-of-band via phone or instant message.

There are problems with key distribution in symmetric encryption, as the same key is used for both encryption and decryption. The password (or passphrase) could be intercepted and I haven't even touched upon ensuring sufficient entropy by key stretching (for example with PBKDF2 like WPA does).

People aren't generally aware that there is an alternative to sharing a password, or that they already use it every day without knowing. It can be quite counter-intuitive, but hopefully these illustrations will help.

The Paint Mixing Analogy

The following is a good way of thinking about Diffie–Hellman (D-H) key exchange. A variant of this is used in the Elliptic curve Diffie–Hellman (ECDH) protocol favoured by modern HTTPS websites to provide Perfect Forward Secrecy (PFS). Clearly it is more complicated than this but it's a helpful illustration.

colour mixing

  1. The two communicating parties agree on a common colour (blue in this example) that they send to each other in the clear
  2. Each party picks a colour that they keep secret (red and green)
  3. Both parties mix their colours with the common colour and swap the results in the clear
  4. Both parties mix their secret colour with the mixed result they were sent
  5. Each end now has the same final colour without it being sent in the clear

The only colours that were sent in the clear were blue, blue+red and blue+green. Red, green and red+green+blue are still secret. You can't create the final colour by mixing the colours that could have been spied upon.

Lock Exchange 🔒

RSA is a more widely used key exchange mechanism, although it is declining in favour of ephemeral ECDH for HTTPS. Key exchange is a confusing term, and when explaining RSA it helps to think more about lock exchange 🔒.

padlocks on wires

Imagine that rather than sending a key 🔑 that can unlock your secret message, you instead send an open padlock 🔓, but keep the key to it. This padlock is your "public key". The recipient can now use your open lock to secure a message to you 🔏, that only you can open 🔐.

Clearly there needs to be a way to verify that the lock in fact belongs to you. This is why we have a huge ecosystem of certificate authorities with root ones trusted by web browsers. However, there are moves to use other forms of authentication. For example, Keybase uses social media and domain proofs.

I cover encryption and compression algorithms (both lossless for all static assets and lossy formats for images) in my book. I'm also available for hire.

Submit / Comment on Hacker News