What is it?
Asymmetric cryptography is a cryptographic system proposed in 1976 by American cryptographers Martin Hellman and Whitfield Diffie. It involves encrypting a message using a pair of asymmetric cryptographic keys: the Public Key and the Private Key. These keys can only be decrypted through the other key in the pair.
Now that we understand what asymmetric cryptography is, let's delve into how it works and, most importantly, how this pair of keys functions.
Cryptographic keys are the foundation of cryptography, whether it is symmetric or asymmetric. They can be defined as sets of characters that, when subjected to a cryptographic algorithm, are capable of encrypting and decrypting messages.
The difference between symmetric and asymmetric cryptography keys is that while symmetric cryptography uses only one key for encryption/decryption, asymmetric cryptography uses two keys, one for encryption and another for decryption. This makes it possible to decentralize the cryptographic process to other agents without exposing a single master encryption key.
Public and Private Keys
Public and private keys are a pair of cryptographic keys that are mathematically linked so that the public key is derived from the private key, but it is practically impossible to obtain the private key through the public key.
Therefore, it is possible to encrypt a message using one of the keys and decrypt it using the other key.
It is worth noting that, in typical cases, the private key should be kept secure while the public key can be sent to agents.
The use of cryptography, in general, is obvious: to protect information. However, given the decentralized nature of asymmetric cryptography, we have much more differentiated use cases than in the case of symmetric cryptography, although the objective is the same.
You may not be familiar with this set of acronyms, but TLS (Transport Layer Security) protects the information you generate and consume on the internet with end-to-end encryption.
The purpose of this article is not to describe in detail how TLS/SSL works, but in summary, it uses asymmetric encryption to encrypt information in the network and to verify that both the client and the server are authentic through a complex process called SSL Handshake.
JWT (JSON Web Tokens)
JWTs are an open standard for transmitting information between agents through an encoded JSON object that can be cryptographically verified for validity.
It is an extremely effective and widely used method for user authentication, being the standard means of credential authentication for OAuth 2.0.
Although JWTs support symmetric authentication, modern standards use their asymmetric version. The private key issues and signs the token, and the public key validates that signature, ensuring that the token is valid.
Again, the purpose of the article is not to explain how JWT works in depth, but there are endless articles on the internet explaining how it works with examples in various platforms and programming languages.
Safely Decentralizing Cryptography
One of the main uses of asymmetric cryptography is to decentralize the cryptographic process without exposing the master key, as already occurs in asymmetric cryptography.
This is of vital importance in a microservices architecture. For example, if service A encrypts data with key X when service B needs to decrypt that information, two possibilities arise:
- Grant access to key X to service B, increasing the attack surface for a leak.
- Delegate the responsibility of decryption to service A, keeping the attack surface low but increasing the responsibility and, consequently, using this service, causing a potential bottleneck in the flow.
Both problems do not occur when we use asymmetric cryptography. We can simply make service A use a private key to encrypt the information and generate a public key for service B to decrypt the information. This keeps the attack surface low for the private key without creating a bottleneck in the flow with the dependency of service A on service B.
In summary, we now understand how asymmetric cryptography has become essential for corporate security, allowing data protection through a decentralized and robust method. Its implementation in frameworks such as Spring Security and Quarkus Security is straightforward and simple, requiring only a few configurations to enable its use.
is passionate about computing and eager for change. He has experience in data engineering and software development, specifically in application modernization, and holds three Google certifications