[From the last episode: We looked at the notion of expressing text as a number and then multiplying by a key to encrypt it.]

Last time we looked at a very primitive way of encryptingEncryption refers to encoding and decoding (or encrypting and decrypting) data so that it can't be read unless you have the right key. It's critical for good security. some text: by multiplying by a key. Some challenges with this approach immediately come to mind:

• The key will be easy to guess by computer unless it’s an extraordinarily high number. Computers can brute-force it by simply starting with 2 and checking all the numbers to see if anything meaningful comes out. You can imagine that that could go pretty quickly; it’s hard to imagine a number so large that a computer couldn’t get there within a week. And yes, crackers will take lots of time if there’s a high-value key to be had.
• Simply expressing text as numbers gives you extremely long numbers that can exceed a computer’s ability to do multiplication. Heck, we saw that with my simple Excel model. It couldn’t handle much more than the word, “Hello.”
• A super-long key (which is more secure) makes that even worse.

So the idea here isn’t so much that multiplication gives us the magic, but that we can represent text as numbers and then use some sort of numerical operation on them. Yes, it could be multiplication, but there are other ones – by design, none of them obvious – that can do a better job. That said, all the methods do better with a longer key. It’s just that some can give you the same level of securityRefers to whether or not IoT devices or data are protected from unauthorized viewers. with shorter keysA number used to encrypt (or encode) information so that no one can read it. Keys are used when encoding and decoding. You shouldn't have to mess with keys yourself. than others, and shorter keys are always faster to work with.

Public and Private

A huge question when it comes to keys is who knows the key and how you keep it secret. Private keys work only if they’re kept… well, private. You can share a public keyA key that you (or your device) can publicly share with someone or something else. This key can be used only to encode (or encrypt) data; it can't be used to read that data. Each public key has a matching private key, and the private key is used for decoding (or decrypting) data. This lets you have a secure conversation with someone or something that you've never shared keys with before. openly without that being a problem. I know, that probably makes no sense; we’ll get there.

Private keysA key that should be known only by your device and, possibly, by someone or something else that your device is communicating with. It must be kept secret. can be tough to deal with. You can’t communicate them in any manner, since, if you did, someone might snoop the message and grab the key. (Yeah, you could encrypt it… but then how would the reader decrypt it without a key?) Private keys are usually buried inside a device when it’s manufactured so that it never has to be communicated after that.

But, in order to have communication, you need two sides, each of which has the key. If a manufacturer uses a single private key for all devices, then that’s easy, since they know the key for everything. But the bad thing about that is, if someone cracks open a device and discovers the key, then they’ve got the key for every device – eureka! There are systemsThis is a very generic term for any collection of components that, all together, can do something. Systems can be built from subsystems. Examples are your cell phone; your computer; the radio in your car; anything that seems like a "whole." that work this way, but they say that they have ways of storing the key securely, making it hard to hackThis can mean a couple things. A quick-and-dirty (but not elegant) trick to get something done is a hack. A computer security break-in is also a hack (because inelegant tricks are used to break in). It can be a noun or a verb ("he hacked my computer").. They may also be able to change all of those private keys at the same time if they feel someone has compromised it (or may do so).

On the other hand, what if each device has a different key? Then, if someone cracks one device and finds the key, it doesn’t help with any other device.

Sharing Keys

If your device only had to connect to its manufacturing company, then that company could keep a databaseA structured way of storing data and relating different pieces of data to each other. (Like, which address belongs to which person.) There are “query” languages, the best-known of which is SQL, that let you enter data into the database, change data that’s already in the database, and retrieve data from the database. of the keys, and it could find one based on your device’s serial number. But, when connecting to the internet, you may go all kinds of places. That’s probably less true with IoTThe Internet of Things. A broad term covering many different applications where "things"  are interconnected through the internet. devices, but still… the device may need some way of talking to someone it hasn’t talked to before. That someone won’t have a database of keys to look up.

So what to do then? You can’t just email them a key to use, since that can be snooped. Instead, we have the notion of public/private key pairs that works remarkably well. The idea is that your device has a private key that it doesn’t share with anyone. But it can create a public key related to that private key that it sends to someone else – and it doesn’t matter if anyone snoops that key. It’s public, and anyone can see it.

Through the magic of some specific complex math, the way it works is that whomever you’re talking to can use the public key to encrypt the message. But they can’t read the message using the public key: they can read it only with the private key. So anyone can have the public key without any danger of having the messages decoded. So you send them that public key and say, “Please encrypt your messages to me using that key, and then I – and only I – can read the message using my private key.”

Based on this, there’s another name for these kinds of keys. With the pure private-key approach, the same key is used both for encrypting and for decrypting. So those keys are called symmetric keysA way of encrypting data that uses the same key both for encrypting and decrypting.. Using the public/private approach, one key encrypts, and a different key decrypts, so they’re called asymmetric keysA way of encrypting data that uses one key for encrypting and another for decrypting..

Trap Doors

The trick here lies in the math. You want some function that is easy to encrypt (so that the computers and devices don’t slow way down when communicating); likewise you want to be able to decrypt quickly if you have the right key. Those aspects of the function have to be easy to compute. But, if you don’t have the right key – say you have only the public key – then you want it to be super hard to figure out the private key. The math that makes the public/private key thing work should be easy to use in one direction, but really hard to reverse.

There’s a cute name for these kinds of functions: they’re called trap-door functions. They call them that because, with a trap door, it’s really easy to go down through it. But, once you’re down below, it’s super hard to get back up the other way.

The earliest functions leveraged math on extremely long prime numbers. More recent ones relate to some obscure math referring to elliptic curves, and I’ve seen discussions of yet another one that plays on braiding theory. The idea in that last one is that, when braiding things, there are many different ways to get to the same finished braid configuration. Braiding is easy, but figuring out how the braid was done is really hard. Of course, no one is flinging strings around to make this happen; there’s an abstract mathematical representation that handles it.

Not all keys are good for the same thing. So there’s actually a need for both public/private and pure private keys. We’ll see this as we look at specific things that we’re going to do with these keys, coming up.