Passkeys use something called public key cryptography. They have your public key. And because it’s public, it doesn’t matter if anyone gets it. That public key and your private key combine to validate who you are.

But how does that work? Wouldn’t they have to know something besides the public key that’s unique to you? No. That’s the brilliance of it.

Featuring Tom Merritt.


A special thanks to all our supporters–without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit


Episode transcript:

Internet security. It’s bad. Data breaches are constant, and people’s passwords are sold on the internet like cherries from a roadside cart.

Some of that is because of passwords. We rely on humans to pick passwords and they aren’t so good at it.

We need to get past passwords. Passkeys are one of the most promising ways to do this. We have a whole episode about how they work, but in short, you keep the key on your device and only use it when you need to log in. That way you don’t have to remember a password, meaning you won’t pick an easy one to guess, and more importantly the company you’re logging into doesn’t have your password, or anyone’s, so it’s not a big juicy target for attackers.

But wait, you may say? How does that work? Passkeys use something called public key cryptography. They have your public key. And because it’s public, it doesn’t matter if anyone gets it. That public key and your private key combine to validate who you are.

But how does that work? Wouldn’t they have to know something besides the public key that’s unique to you? No. That’s the brilliance of it.

So let’s help you Know a Little more about Public Key Cryptography.

Public key cryptography is a system to make it easy to prove who you are with whomever you want. Public keys can be given out to anyone without risk. And as long as only you have your private key, only you can use those public keys to prove who you are.

OK, but how is it not risky to give everyone your public key?

Those of you who are experts in security or security researchers, don’t cringe too much at this. I’m going to take some shortcuts in this explanation in order to make it easy to understand for those of us who don’t know anything about encryption.

Don’t get too hung up on the word key either. A key, public or private, is just a number. The private key needs to be complex enough (read: long) not to be easily guessed, even by a powerful computer. You don’t have to memorize it either, it’s just a file.

Your public key is also just a file made up mostly of a really complex number. Not so people can’t guess it in this case, but to make the cryptography strong when you use it.

If I have your public key I can encrypt something I send to you, I can read something encrypted by you and can confirm that something was created by you.

That’s all made possible by the combination of the public key associated with you and the private keys each of us keep secret.

One of the first questions I had when trying to understand this was how someone could decrypt something from me without having my private key that I used to encrypt it.

Certainly, I thought, I’d have to give the private key to the other person. The actual way this works involves a lot of math so let’s use a metaphor of an actual physical key and a padlock.

I don’t know who came up with this metaphor first, it wasn’t me, but it’s a great one.

First imagine a typical padlock but instead of the usual locked or unlocked position it has a third position which is also locked. Think of it like this. You have the key in the lock straight up and that’s unlocked. If you can turn it to the left it would be locked. OR you could turn it to the right and be locked.

So left or right are locked. Middle is unlocked.

But the trick is you have two keys that work in the padlock. One key can only turn to the left. The other key can only turn to the right.

Now let’s say you make a bunch of copies of the key that turns the lock to the right and you just give them away. You don’t even care if you drop some for other people to pick up.

Anybody with that key could take my padlock from the locked left position or the unlocked middle position and lock it. But they can’t turn it back from that right locked position and they can’t lock it to the left.

If that’s hard to picture let me give you an example.

Look, you’ve got my public key, the one that goes to the right, and I’ve got my key that goes to the left. So here’s what we’re gonna do. I’m gonna send you an unlocked padlock for you to send me an encrypted message. The padlock is the Public Key platform we’re using. Like Passkeys for example. You put your message in a box. You close the box and latch it shut with a padlock on it. Then you take my public key, which again goes to the right and you put that key in the padlock, and you turn it to the right from unlocked to locked.

And here’s the thing, remember, you can’t go to the left with that public key. So now even you can’t unlock it. You just locked it. You can’t even unlock it yourself. That’s why it’s safe to give everybody the public key. It can only go one direction. You send that padlock box to me. I’ve got my private key, the only copy of the key that can go to the left. And so I’m able to unlock it and I’m the only one. If someone in the middle grabs that padlocked box. What can they do? Unless they have my private key, nothing.

I mean sure in real life they could pick the lock but metaphorically this is a lock that has been made very difficult to pick.

How do we do that with the real cryptography?

Public key cryptography uses numbers not actual keys and locks. Now you may reasonably say that numbers can be guessed especially by powerful computers that can just roll through billions of guesses in a few minutes.

We’re dangerously close to having to use actual math again, so let’s use another metaphor.

May I introduce you to the classic players of the cryptography metaphor stage, Alice, Bob, and Eve.

They have now shared information in public in front of Eve, the platform number two and their two public keys, 8 and 16. And used that to share a private number, 4096, that only they know. That private number could be the key to unlock some more traditional encryption and unlock messages.

Now you might be sitting here thinking oh, well hold on, if Eve knows it’s two, and Eve sees eight and 16, it’s not gonna take very long to figure it out with some simple math. And that is exactly the key to understanding public encryption. When you hear about weakened encryption weakened keys, it means that Eve got better at figuring things out. So of course, in our very weak example, Eve can sit there and go, Okay, well, I know two is the base. And I saw that Alice sent eight to Bob. So let me come, let me compute this. Two times two is four, four times two is eight, aha, I’ve computed that Alice’s secret number is three.

But Eve wasn’t able to just look at eight and immediately do that. She had to do the math in her head. In other words, she had to compute it. Make that math a lot harder than our example and it becomes a lot harder for Eve to figure it out.

The strength of public key cryptography relies entirely on how difficult that mathematical factor is. Now you can get into all kinds of things about the elliptic curve and factoring of primes if you want to know how they actually create these numbers, but the principle is the same, which is, you create a system based on math that the other person can come up with, so that you’re only exchanging these public numbers that then Eve, the person in the middle, or the computer Eve is using, would have to spend a long time factoring to guess. With strong encryption that time should equal thousands of years if not more.

That’s one of the reasons you’ll hear security people often say that there is no such thing as uncrackable encryption, it’s just a matter of time, because it is all math. What you’re trying to do is come up with an algorithm that is sufficiently complex, that the amount of time it will take to crack it makes it worthless to try.

If it’s going to take me to the heat death of the universe to factor out the number, that’s pretty strong encryption. Of course, as computers get more powerful as we do things like add in natural random number generators, from quantum sources, suddenly, things get different.

But as computers get better at solving complex math they also get better at creating complex math. So it stays at parity.

Now granted, these are overly simplistic models. And there’s lots of shortcuts I took to explain them, that when you get into RSA encryption, Diffie-Hellman 256 bit encryption, there are caveats and things you have to know to make it work in real life. But the fundamental principle is there, which is taking a piece of math and using it to create a number that you can give someone publicly that they can then use to create a key that only the two of you know.

I hope this helps you understand the concept of encryption a little better.

In other words I hope now you know a little more about Public Key Cryptography.

CREDITS

Know A Little More is researched, written and hosted by me, Tom Merritt. Editing and production provided by Anthony Lemos in conjunction with Will Sattelberg and Dog and Pony Show Audio. It’s issued under a Creative Commons Share Attribution 4.0 International License.
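
The Alice, Bob and Eve numbers from the transcript (base 2, public values 8 and 16, shared number 4096), followed by the same exchange with a larger modulus to show how Eve's work grows. This is an added example, not part of the episode; the function names, Bob's secret of 4 (implied by his public value 16), and the larger parameters (prime 2**31 - 1, base 7, both secrets) are assumptions made for illustration.

```python
# Added illustration: function names and the larger parameters are constructed.

def public_value(base, secret, modulus=None):
    """The number a party announces in front of Eve: base ** secret."""
    return pow(base, secret, modulus)

def shared_secret(their_public, my_secret, modulus=None):
    """Raise the other party's public number to your own secret."""
    return pow(their_public, my_secret, modulus)

def eve_recover(base, observed, modulus=None, max_steps=5_000_000):
    """Eve's approach from the transcript: keep multiplying by the base until
    the observed public number appears. Returns the exponent, or None."""
    value = 1
    for steps in range(1, max_steps + 1):
        value *= base
        if modulus is not None:
            value %= modulus
        if value == observed:
            return steps
        if modulus is None and value > observed:
            return None  # overshot: observed is not a power of base
    return None

def transcript_exchange():
    """Base 2, Alice's secret 3 (stated), Bob's secret 4 (implied by 16)."""
    alice_pub, bob_pub = public_value(2, 3), public_value(2, 4)
    return alice_pub, bob_pub, shared_secret(bob_pub, 3), shared_secret(alice_pub, 4)

# Constructed larger case: arithmetic modulo the prime 2**31 - 1, base 7.
P, G = 2**31 - 1, 7

def larger_exchange(alice_secret=200_000, bob_secret=123_457):
    alice_pub = public_value(G, alice_secret, P)
    bob_pub = public_value(G, bob_secret, P)
    key = shared_secret(bob_pub, alice_secret, P)
    assert key == shared_secret(alice_pub, bob_secret, P)  # both sides agree
    eve_steps = eve_recover(G, alice_pub, P)  # one multiplication per step
    return alice_pub, key, eve_steps

if __name__ == "__main__":
    print(transcript_exchange())  # the numbers from the episode
    print(eve_recover(2, 8))      # Eve's multiplications for Alice's 8
    print(larger_exchange())      # same idea, far more work for Eve
```

Alice and Bob each do a single `pow` call no matter how large the secret is, while Eve's loop grows with the secret itself; deployed systems use numbers thousands of bits long, far beyond this toy modulus.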