Private-Public Key Pair

Recipient creates a pair of Private-Public keys (using name, expiry, passphrase and algorithm).

Recipient shares the Public key with third parties.

Senders user the Public key to encrypt data.

Only the Recipient can decrypt data with the Private key.

If the Private key is compromised, the Recipient needs to recreate a pair of keys:

Only the owner of the private key can decrypt it.

Public key can be shared non-securely.

Private key needs to be securely stored.

All entities having the public key can decrypt what is encrypted with the Private key:

Private-Public keys are bigger in size than shared keys.

Algorithm is more complex and slow than shared keys.

How to exchange and use asymmetric keys?

Only Public keys are exchanged.

Step 1. Each entity sends its public key to the other:

Public key can be sent by email.
Private key needs to be kept secret.

Step 2a. Sender uses Receiver’s public key to encrypt it:

Step 3a. Receiver uses its Private Key to decrypt it.

Step 3b. Sender uses its Private key to sign and the Receiver's Public key to encrypt it:

Step 3c. Receiver uses its Private key to decrypt and the Sender’s Public key to validate it.

Certificates

To send data securely to a recipient the public key must be used to encrypt it.

How to trust that the public key is genuinely the recipient’s one?

Certificates can solve this issue:

A certificate is a Public key signed with the Private key of a trusted authority:

In the above scenario the Issuer certificate in the Chip is verified by the POS terminal using the Visa public key loaded in the terminal. The public key obtained is the trusted Issuer Public key.