[Cryptography] Asymmetric encryption analogy (vault with 2 different locks)

Erik van Straten (Cryptography list) evs20200430f at xs4all.nl
Thu Sep 15 11:05:29 EDT 2022 

On 2022-09-13 21:16:35, Michael Kjörling wrote:
> On 13 Sep 2022 17:53 +0200, from evs20200430f at xs4all.nl (Erik van Straten (Cryptography list)):
>> A couple of years ago I came up with an analogy to explain asymmetric
>> encryption to lay(wo)men, based on a physical vault with two mutually
>> different locks (with non-interchangeable keys): one for locking the vault,
>> and the other one for unlocking.
> 
> What you posted seems way too complicated for a layperson to grasp. To
> be fair, I gave up before I made it through your text...
> 
> If you want to describe asymmetric cryptography to a layperson, go
> with the simple approach. Lots of people are familiar with
> self-locking key-operated locks, not least in padlocks.
Thanks for your response, but I fail to see how I can use those analogies to explain Passkeys.

Perhaps I should have made my initial mail longer by explaining that Passkeys are FIDO2/Webauthn-based password 
alternatives: your smartphone has a protected database with, per domain name, a private key, while the associated public 
key is on the server with that domain name (basically, to understand authentication, it is not really relevant whether 
the server uses your public key for encryption, or you use your private key to sign, to prove to the server that "it's 
you").

What could be called an advantage over hardware keys (Yubikey, Google Titan, ...) is, apart from unintentially leaving 
behind such a key in a PC - instead of forgetting your smartphone, that the (encrypted) database is backed up to "your 
cloud".

And, optionally, synchronized to any of your other trusted devices automatically. Or, once an attacker obtains access to 
"your cloud", to /their/ device(s).

Which happens to be one of the risk I plan to publish about, and why it is important to understand that, most probably, 
not your public keys pose the primary risk for attacks, but your private keys. And hence why I think that it is 
important to understand the essentials of asymmetric cryptography for anyone who plans to use Passkeys - perhaps except 
those "who couldn't care less".

Best regards,
Erik van Straten

More information about the cryptography mailing list