
Public key encryption

AP.CSP: IOC-2.B (LO), IOC-2.B.5 (EK)
On the Internet, two computers often want to exchange secure data with each other. When I type my password into the Khan Academy login screen, I want my computer to send that data safely to the Khan Academy servers. I do not want to worry that an attacker might be monitoring my Internet traffic and watching the password go across the wires.
Illustration: an attacker stealing password data. A laptop is shown with a browser and a password input field. An arrow goes from the laptop to a server. Above the arrow there is a pouch containing the text "Be3tP@ssw0rd3ver" and a smiling attacker looking at the text.
Symmetric encryption techniques rely on both the sender and receiver using the same key to encrypt and decrypt the data. How can my computer and the Khan Academy server exchange the key securely? If an attacker can see my password go across the wires, then they can also see an encryption key!
Illustration: an attacker stealing an encryption key. A laptop is shown with a browser and a password input field. An arrow goes from the laptop to a server. Above the arrow there is a pouch containing the text "TOP_SECRET_KEY" and a smiling attacker looking at the text.
Public key encryption to the rescue! It's an asymmetric encryption technique which uses different keys for encryption and decryption, allowing computers over the Internet to securely communicate with each other.
Let's step through the high-level process of public key encryption.

Step 1: Key generation

Each person (or their computer) must generate a pair of keys that identifies them: a private key, which they keep to themselves, and a public key, which they can hand to anyone.
The original page has an interactive widget here that generates such a pair in your browser with RSA, the same algorithm your computer uses.
Did you notice it takes a few seconds to generate the keys? That's due to the math involved. The algorithm repeatedly picks random large odd numbers and tests whether they are prime, until it has found two large primes; the public and private keys are then derived from the product of those two primes. All that primality testing takes a while, and the widget's keys are only 512 bits long. That size is far too small for real use: 512-bit RSA keys have been factorable with modest resources for years. NIST, the U.S. standards body, currently recommends RSA keys of at least 2048 bits, and 3072 bits for data that must stay protected beyond 2030.

Step 2: Key exchange

The sending and receiving computers exchange public keys with each other over an ordinary network connection (TCP/IP, for example). The channel does not need to be secret, because a public key is meant to be public; the private keys are never exchanged. What the channel does need to provide is authenticity: each side must have some way to confirm that the public key it received really belongs to the other party and was not swapped in by an attacker sitting between them. On the web, that assurance comes from the server's certificate, which ties its public key to its domain name.
Key exchange diagram with a laptop and a server. The laptop screen shows a browser with a password input field. An arrow goes from the server to the laptop and is labeled "SERVER_PUBLIC_KEY". Under that, an arrow goes from the laptop to the server and is labeled "CLIENT_PUBLIC_KEY".

Step 3: Encryption

The sending computer encrypts the secret data using the receiving computer's public key and a mathematical operation.
The power of public key encryption is in that mathematical operation. It is a "trapdoor one-way function": easy to compute in one direction, but so hard to reverse that no computer can recover the original data in any practical amount of time, unless it holds the secret "trapdoor", which is the private key. Even the public key that was used to encrypt cannot be used to decrypt the data.
The original page lets you try this with the public key generated in Step 1.

Step 4: Sending encrypted data

The sender can now safely transmit the encrypted data over the Internet without worry of onlookers.
Diagram with a laptop and a server. The laptop screen shows a browser with a password input field. An arrow goes from the server to the laptop and is labeled with a string of encrypted text. An attacker looks unhappily at the text.

Step 5: Decryption

Now the receiver can decrypt the message using their private key. That is the only key that can decrypt it: no other key, anywhere in the world, will do.
The original page lets you try this with the encrypted message and private key from the steps above.
Once you successfully decrypt the message, try decrypting it with the public key instead. It won't work; only the private key can decrypt it.
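Steps 1 through 5 as one runnable program, added here as an illustration; it is not code from the original article or its interactive widgets, and it uses only the Python standard library (Python 3.8 or newer, for the modular inverse). Key generation follows the article's description literally: draw random odd numbers of the right size, test each for primality, keep two primes, and derive both keys from their product. Messages are wrapped in the PKCS#1 v1.5 block format before the modular exponentiation, which is why the same message gives a different ciphertext every time it is encrypted (a question that comes up in the comments below). The final check shows that the public key cannot undo what it encrypted: the padding check fails and no plaintext comes back. The password string is the one from the illustration above.

```python
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:              # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                     # write n - 1 = d * 2**r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # a is a witness: n is composite
    return True


def random_prime(bits: int) -> int:
    """Step 1 as the article describes it: draw random odd numbers and test them."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 2048):
    """Return ((n, e), (n, d)): the public key and the private key."""
    e = 65537                           # conventional public exponent
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q                           # the modulus, part of both keys
    d = pow(e, -1, phi)                 # private exponent: e * d = 1 (mod phi)
    return (n, e), (n, d)


def _pad(message: bytes, k: int) -> int:
    """PKCS#1 v1.5 type 2 block: 00 02 <random non-zero filler> 00 <message>."""
    if len(message) > k - 11:
        raise ValueError("message too long for this key size")
    filler = bytes(1 + secrets.randbelow(255) for _ in range(k - 3 - len(message)))
    return int.from_bytes(b"\x00\x02" + filler + b"\x00" + message, "big")


def _unpad(block: int, k: int) -> bytes:
    em = block.to_bytes(k, "big")
    separator = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or separator < 10:   # filler must be >= 8 bytes
        raise ValueError("bad padding: wrong key or damaged ciphertext")
    return em[separator + 1:]


def encrypt(public_key, message: bytes) -> int:
    """Step 3: c = pad(m)^e mod n with the receiver's PUBLIC key."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8       # modulus length in bytes
    return pow(_pad(message, k), e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Step 5: m = unpad(c^d mod n) with the receiver's PRIVATE key."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return _unpad(pow(ciphertext, d, n), k)


def try_decrypt(key, ciphertext: int):
    """Like decrypt(), but returns None when the padding check fails (wrong key)."""
    try:
        return decrypt(key, ciphertext)
    except ValueError:
        return None


if __name__ == "__main__":
    public, private = generate_keypair(2048)
    secret = b"Be3tP@ssw0rd3ver"        # the password from the illustration above
    c1, c2 = encrypt(public, secret), encrypt(public, secret)
    print("two encryptions of the same message differ:", c1 != c2)
    print("private key recovers the message:", decrypt(private, c1) == secret)
    print("public key recovers the message:", try_decrypt(public, c1) == secret)
```

Two caveats for anyone tempted to reuse this beyond the classroom. PKCS#1 v1.5 encryption padding is obsolete: when an attacker can observe whether decryption succeeded, the padding check becomes an oracle (Bleichenbacher's attack), and the unpadding above is not constant-time either; modern systems use RSA-OAEP or, more commonly, use RSA only to protect a symmetric key and encrypt the actual data with that. And generating keys in pure Python is fine for understanding the algorithm, but real keys should come from a vetted library such as OpenSSL.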

But how is that possible?

It may sound too good to be true that something encrypted with one key can only be decrypted with a different key. For a long time, mathematicians weren't sure it was possible, but in the 1970s they found a way: Diffie and Hellman described public key cryptography in 1976, and Rivest, Shamir and Adleman devised the RSA algorithm used on this page in 1977.
The math of the one-way function relies on prime numbers, modular arithmetic, and the difficulty of factoring a very large number that is the product of two large primes. (Factoring a prime itself is trivial; it has no factors to find. The hard problem is recovering the two primes from their product.) If you'd like to dig deeper into the math, check out the Khan Academy tutorials on modern cryptography.
Fortunately, all of us can use and benefit from public key cryptography without needing to understand the complicated math behind it. In fact, we likely use public key cryptography every day as we use computers and the Internet. Just imagine: what would the world be without it?
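The RSA arithmetic behind that one-way function, worked through with toy-sized numbers (an added example, not part of the original article; these numbers are far too small for real use and are chosen only so that every step can be checked by hand):

Choose primes $p = 61$ and $q = 53$. Then
$$n = pq = 3233, \qquad \varphi(n) = (p-1)(q-1) = 60 \cdot 52 = 3120.$$
Pick a public exponent $e = 17$ (any $e$ with $\gcd(e, \varphi(n)) = 1$ works) and solve $ed \equiv 1 \pmod{\varphi(n)}$ for the private exponent:
$$d = 2753, \quad \text{since } 17 \cdot 2753 = 46801 = 15 \cdot 3120 + 1.$$
Public key: $(n, e) = (3233, 17)$. Private key: $(n, d) = (3233, 2753)$.

Encrypting the message $m = 65$ with the public key and decrypting with the private key:
$$c = m^e \bmod n = 65^{17} \bmod 3233 = 2790, \qquad c^d \bmod n = 2790^{2753} \bmod 3233 = 65 = m.$$

Why the round trip works: $ed = 1 + k\varphi(n)$ for some integer $k$ (here $k = 15$), and Euler's theorem gives $m^{\varphi(n)} \equiv 1 \pmod n$ whenever $\gcd(m, n) = 1$, so
$$c^d = m^{ed} = m^{1 + k\varphi(n)} = m \cdot \bigl(m^{\varphi(n)}\bigr)^k \equiv m \pmod n.$$
(The identity also holds when $\gcd(m, n) \neq 1$, by checking it modulo $p$ and modulo $q$ separately with Fermat's little theorem.)

Why it is one-way: computing $d$ requires $\varphi(n)$, and $\varphi(n)$ requires knowing $p$ and $q$. Factoring $n = 3233$ by hand takes a few minutes; factoring a 2048-bit $n$ is beyond every known method. The public key $(n, e)$ gives away $n$ but not its two prime factors, which is exactly why it can encrypt but not decrypt.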


Want to join the conversation?

  • Joshua
    The decrypt button doesn't show any result. I'm sure I pasted the right information in the fields from the encrypt and decrypt parts.
    Note that I copied all of the text in each key, including the '-----BEGIN __ KEY-----' and '-----END __ KEY-----' parts. I also tried it without those parts, but it still doesn't work.
    (15 votes)
  • arregs6793
    🙋🏽🙋🏻‍♀️🙋🏿‍♂️🙋🏽🙋🏻‍♀️🙋🏿‍♂️🙋🏽🙋🏻‍♀️🙋🏿‍♂️🙋🏽🙋🏻‍♀️🙋🏿‍♂️🙋🏽🙋🏻‍♀️🙋🏿‍♂️🙋🏽🙋🏻‍♀️🙋🏿‍♂️
    (9 votes)
  • ronanmacg50
    When I encrypt something using my public key, e.g. "Hi", it seems like it can have many different encrypted forms. How is this possible?
    (3 votes)
  • Alex Ewart
    Is all data sent on the Internet automatically encrypted due to regulations?
    When getting others' public keys, generating private keys, and decrypting data, when does all this happen? I now know that my computer does this, but I have no idea when all this is going on. Is it like when I type in someone's email address? Is the address a public key? If so, is the email address a way for humans to remember the public key, like domain names instead of typing IP addresses?
    Does every computer have its own designated keys, or do they change like IP addresses?
    Hope this is not too confusing to answer.
    (4 votes)
    • Abhishek Shah
      This is a great question!

      Not all data sent over the Internet is encrypted. Only if you use certain protocols like HTTPS will it be encrypted. There is no regulation requiring all data to be encrypted.

      A person's email address is not a public key. Every computer has the ability to create its own keys, but when you get a new computer, they don't magically already exist. You have to generate them. Once they're generated, keys don't change. You can always generate a new set of keys, though.

      One way I find it easy to think about is the following:

      Think about your home. If someone sends you mail, do they need a key to your home to put it inside? No, they could just slide it under the door or put it into your mailbox. When you reach home, you can unlock your home and read the mail.

      This is why, as users, we don't have to generate keys with our own computers. In some sense, we just send mail to servers by slipping it underneath their doors (via public key encryption) and they can read it via private key decryption.

      I hope this helps!
      (4 votes)
  • sebastian nielsen
    I don't get how the private and public keys look like a mess. Shouldn't the private and public key just be a number? Then what are all those symbols doing in the private and public key?

    -----BEGIN RSA PRIVATE KEY-----
    MIICWwIBAAKBgH1gajwsAHgJKHD7QEFpzWRSbqA2SxdwpmC/QEdqGZpn4ueGI_REMOVED_SOMEPF4TzF/VAPlJ4IJ6f39oohZU27If3jqStYYY2ctwsQ==
    -----END RSA PRIVATE KEY-----

    P.S. I went through the math, but at no point is it mentioned how this strange-looking key was derived.
    (3 votes)
  • Grace
    What degree do you have to get to be a professional cryptographer?
    (2 votes)
  • bob
    Does anyone know what the 0s and 1s thing is?
    (1 vote)
  • DanielS
    The decrypt button isn't giving me any result, and I'm sure I did it step by step.
    (1 vote)
  • vovsnmail
    I tried encrypting and decrypting using the same private key and it worked! Is that correct behavior?
    (1 vote)
  • Brionica Levering
    I totally get this.
    (1 vote)