#CS#Security#Encryption#Network#HTTPS
Asymmetric Encryption: Revolution of Lock and Key
How to share secrets safely with a server across the globe? The Magic of Public/Private Keys behind HTTPS.
May 25, 2025
Codemapo
How to share secrets safely with a server across the globe? The Magic of Public/Private Keys behind HTTPS.
Why does my server crash? OS's desperate struggle to manage limited memory. War against Fragmentation.
Two ways to escape a maze. Spread out wide (BFS) or dig deep (DFS)? Who finds the shortest path?
A comprehensive deep dive into client-side storage. From Cookies to IndexedDB and the Cache API. We explore security best practices for JWT storage (XSS vs CSRF), performance implications of synchronous APIs, and how to build offline-first applications using Service Workers.
Fast by name. Partitioning around a Pivot. Why is it the standard library choice despite O(N²) worst case?
When I first built an online shop, a terrifying thought hit me while integrating the payment system.
"When a user enters their credit card number and it travels across the internet to my server, what if a hacker intercepts it?"
HTTP communication means data flies as plain text. Anyone capturing network packets can read it directly.
POST /payment
Card Number: 4532-1234-5678-9010
Shopping on cafe wifi? Anyone on the same network can scrape packets. To prevent this, I needed encryption.
But what confused me initially: "To encrypt, I need a password (key). How do I safely send that password?"
This is the Key Distribution Problem, and Asymmetric Encryption was the revolution that solved it.
First, let's look at the traditional Symmetric Key method.
Encryption key = Decryption key (Identical)
Plain text: "Hello"
Key: "SECRET123"
Encrypted: "xJ2k9$mP@"
...
Cipher text: "xJ2k9$mP@"
Key: "SECRET123" (Same key)
Decrypted: "Hello"
Fast and simple. But there's a fatal problem.
To communicate securely with the server:
Analogy:
This is the Key Distribution Problem.
"Just hand-deliver the key when we first meet?"
But my service users are scattered worldwide. How do I meet them all? Physically impossible.
In 1976, two geniuses (Whitfield Diffie, Martin Hellman) had a revolutionary idea.
"What if the encryption key and decryption key are different?"
This is Asymmetric Key encryption.
Core concept:
Let's say I send a secret message to the server.
Server uploads its Public Key (Padlock) online. Anyone can download it.
Server Public Key: RSA-2048-PUBLIC-KEY-ABC123...
const message = "Credit Card: 1234-5678-9012";
const encrypted = encrypt(message, serverPublicKey);
// Result: "xK9jP2#mQ..."
Now I send the cipher text "xK9jP2#mQ..." to the server.
A hacker captures the packet and gets the cipher text.
Cipher text: "xK9jP2#mQ..."
But can't open it. Why? This cipher text can only be decrypted by the server's Private Key. The server's Private Key is held only by the server.
const decrypted = decrypt("xK9jP2#mQ...", serverPrivateKey);
// Result: "Credit Card: 1234-5678-9012"
Success! The secret is safe.
This time, we use it in reverse.
I want to prove "I wrote this document." On the internet, anyone can impersonate my name.
const document = "Transfer: $1000 → John Doe";
const signature = sign(document, myPrivateKey);
// Result: "9xP2#kQ..."
Now I send both:
Document: "Transfer: $1000 → John Doe"
Signature: "9xP2#kQ..."
The recipient (bank) fetches my Public Key (publicly available online).
const isValid = verify(document, signature, myPublicKey);
// Result: true (really signed by me)
If the document was tampered with or signed by someone else, it returns false.
When I push code to GitHub, I sign commits with my GPG key.
git commit -S -m "Fix security bug"
GitHub verifies this commit using my Public Key. A "Verified" badge appears next to the commit.
In my blog backend, I applied asymmetric encryption when using JWT (JSON Web Token).
const jwt = require('jsonwebtoken');
const SECRET = 'mySecretPassword'; // Symmetric key
// Token generation (Server)
const token = jwt.sign({ userId: 123 }, SECRET);
// Token verification (Server)
const payload = jwt.verify(token, SECRET);
Problem: Only the server can verify tokens.
If frontend or other services need to verify, they must share SECRET, which is risky.
const fs = require('fs');
// Server: Sign with Private Key
const privateKey = fs.readFileSync('private.key');
const token = jwt.sign({ userId: 123 }, privateKey, { algorithm: 'RS256' });
// Frontend: Verify with Public Key
const publicKey = fs.readFileSync('public.key');
const payload = jwt.verify(token, publicKey);
Now:
Asymmetric encryption has a fatal flaw. It's mathematically complex and SLOW. 100x slower than symmetric keys.
Encrypting/decrypting a file with RSA takes seconds. Unusable for real-time web communication.
The internet (HTTPS) uses a clever trick.
sequenceDiagram
participant Client
participant Server
Client->>Server: 1. Request server public key
Server-->>Client: 2. Send server public key
Client->>Client: 3. Generate symmetric key (Session Key)
Client->>Server: 4. Send session key encrypted with server public key
Server->>Server: 5. Decrypt session key with server private key
Note over Client,Server: Both now have the session key
Client->>Server: 6. All further communication encrypted with session key
Server-->>Client: 7. Fast symmetric encryption
Initial connection uses Asymmetric Key. Server sends its Public Key (SSL certificate).
Client generates a random Symmetric Key (Session Key). Encrypts this session key with server's Public Key and sends it. Server decrypts with its Private Key.
Now both sides have the same Symmetric Key. Hackers don't know this key (it was transmitted encrypted).
All subsequent data is encrypted with Symmetric Key. Fast.
Commands I actually used.
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key
private.key (Secret! Never share)
public.key (Safe to publish anywhere)
RSA 2048-bit encryption is 100x slower than symmetric (AES-256).
Solution: Hybrid approach (like HTTPS).
Lose the Private Key? All cipher texts are locked forever. Private Key leaks? All security collapses.
Solution:
| Purpose | Method | Example |
|---|---|---|
| Secret Delivery | Encrypt with Public Key → Decrypt with Private Key | HTTPS, Email encryption |
| Identity Proof | Sign with Private Key → Verify with Public Key | Git Commit, JWT, SSL cert |
| Fast Encryption | Symmetric Key | AES (File encryption) |
| Real World | Hybrid | HTTPS (Asymmetric + Symmetric) |
RSA is great, but the keys are getting too big. To be secure today, RSA needs 2048-bit or 4096-bit keys. This is heavy for mobile devices.
Enter ECC (Elliptic Curve Cryptography). It uses complex curves instead of prime factorization.
If you are setting up a server today, prefer ECDSA certificates over RSA. It makes your SSL handshake faster on mobile phones.
When building my first shop, I started with "How do I safely receive credit card info?" Only after studying asymmetric encryption did I realize "Oh, this is how the internet works."
All powered by Public/Private Key magic.
As I write this, my browser's address bar shows a padlock icon. Proof that my server and I are talking securely.