Chapter II

Public-key cryptography, an overview.


This is the second theoretical chapter in the discussion of email encryption. The understanding of the notions described below is paramount for the correct, practical application of email cryptography.

We will begin constructing our secure email system in Chapter III

When discussing the application of cryptography in email communication one should understand well its two functions:

  • assurance that an email sent from person A to person B can only be read by person B
  • verification that an email arriving presented as coming from person A has indeed been sent by person A

Both function are in practice executed through the application of a pair of cryptographic keys – a private and a public key. This chapter describes in layman’s terms what this means, and how it works exactly.

The public-key cryptography is often called the asymmetric cryptography because both processes mentioned above are executed using a private key on one end an the public key on the other.

Public and private encryption key

In computer based communication a cryptographic key is a set of letters, digits and punctuations signs forming a long, often fixed length “word” (although for a cryptographer this is understood as a set of 1/0 bits, which for practical reasons is only presented as letters, numbers, etc.)

Version: SKS 1.1.6
Comment: Hostname:



When setting up your encrypted email, your system will generate two such keys 1) a private key which only you will (should) have access to, and 2) a public key that everyone you want to communicate with will (should) have access to.

The two keys always work together to complete whichever process (encryption/decryption or signing/identification).

Encrypting and decrypting an email

When person A sends an encrypted email to person B the following steps take place:

  • once the content is ready, before sending, the email is encrypted at person A’s end with person B’s PUBLIC key. This key could be retrieved from a key-server (another chapter) or delivered in an email from person B or delivered as a file on a usb stick….. Bottom line is that in order for person A to send an encrypted message to person B, A has to have B’s PUBLIC key to encrypt en email to person B.
  • Once the email has arrived, person B uses their PRIVATE key to decrypt and read the email.

Since only person B holds their private key, only person B can decrypt and consecutively read the email.

A worthwhile note on the private key. All tools available today will only allow you to create your private key protected with a password. Why is it so? This protects you against anybody who may sit at your computer while you’re brewing your coffee and read your communication. The password on your private key is independent from the password you use to log in to your email service.

Signing an email

The purpose of signing en email is the identification, or the verification of identity of the person who sent the email. The following processes happen:

  • person A signs an email with their PRIVATE key and sends it to person B. This signature it NOT the private key. It is calculated through an irreversible formula, namely, one can calculate the signature using the private key, but it is impossible to calculate the private key using the signature
  • person B’s email system matches (again through a mathematical formula) this signature to person A’s PUBLIC key and therefore verifies the senders identity.

There’s only one signature that matches person A’s PUBLIC key. And to create it, person A uses their private key. Therefore, person A is the only one that can create the correct signature.

By now it should be clear that we will operate with a private and public key that work in unison. None of the processes described below can be completed using only one of these keys.

It should also be clear that the PRIVATE key has to be kept secret and protected from unauthorized access .

It should also be clear that the PUBLIC key has to be distributed to everybody who we want to communicate with.

The last thing that should be clear is that the PRIVATE key should be kept save from loosing. Once gone, we will not be able to read our email or to verify our identity when sending one.

We can replace our set of keys with a new one at any time but we have to keep in mind that 1) the content of old emails won’t be accessible any more and 2) we have to make sure we redistribute our new public key to all entities we communicate with.

End of Chapter II