Keys: PSK, private/public

This topic introduces basic knowledge on keys. 

Pre-shared Keys (PSK)

Pre-shared keys (PSKs) can be used for authentication purposes. When establishing, for example, a VPN or WLAN connection, the PSK is used for exchanging the (symmetric) session key between the applications involved.
PSKs can also be used for symmetric encryption, where one individual key is used for encrypting and decrypting data.

In both cases, for authentication and symmetric encryption, the same key is used on both communication end points. Therefore, the key must be available for all participants before the authentication or encryption/decryption - it must be pre-shared.

With this symmetric method, only one key needs to be distributed (in contrast to the asymmetric encryption with private and public keys - see below). However, it requires a secure distribution medium, because anyone in possession of the PSK can authenticate themselves or decrypt data. For this reason, all peers involved must protect the PSK accordingly. The key must not be disclosed even if a participant is compromised. Consequently, if the PSK becomes accessible to an unauthorized person, it must be modified, redistributed to all authorized participants, and set up accordingly.

Note: While passwords are typically stored "self-encrypted", PSKs are stored in plain text in all systems involved. Therefore the risk of being compromised is significant. Whenever possible, public key methods should be used (see section below).

Typical application area for PSKs are those, where the key exchange is possible because the participants are known. Examples are WLAN networks, VPNs, or IoT connections.

To prevent brute-force attacks, PSKs should be suitable long combination of characters, numbers and special characters. (Brute-Force designates a method which tries to determine keys or passwords by automated and random trial and error.)


Private and public key

Asymmetric cryptography is based on individual key pairs. Each communication party possesses its own unique private key which belongs to exactly one public key as counter part.

  • Using its private key, a party can sign data (for example, a certificate). The signing party is referred to as signer (also referred to as "issuer" within CA-signed certificates).

    When realizing data integrity by data encryption/decryption, the receiver of encrypted data uses its private key to decrypt the data which where encrypted before by the sender of the data using the related public key.

    Private keys may be protected by special, security-related hardware like a TPM (Trusted Platform Module) or Smartcard/Integrated Circuit Card(ICC) which provides enhanced security functions thus ensuring the integrity of a hardware/operating system. Protected this way, private keys can provide a very high security level.

  • Using the relating public key of the signer (which exclusively belongs to the private key), this signature can be verified by other parties.

    For encrypting data, a public key can be used. To decrypt this data, the related private key is required.

The private key must be kept secret by the party. The public key can be distributed in a certificate. By giving the certificate (with the contained public key) to other parties, these recipients are enabled to verify the identity of the subject.
See topic Certificates for details.




•  Web browser recommendation: Chrome, Firefox 78 or newer, Edge 88 or newer, or Safari • 
• Published/reviewed: 2023-01-13 • Revision 005 •