Explaining security concepts in everyday terms is one of my hobbies. Can that be a hobby? I'm not sure... Of course, every analogy is wrong, but some are useful (as the saying goes). When trying to describe the relationship between the public and private halves of a certificate's key pair, I've come to think of it in these terms.

The relationship between a private and public key pair is like a riddle. The public key is the answer to the riddle; let's say "Imagination" for our example. The answer is placed on the remote device and can be seen by anyone. That's fine, because the answer alone doesn't give away the riddle: reconstructing an entire riddle word for word from a one-word answer is practically impossible (unless, as in our example, the riddle is well known or internet-searchable).

This is where the private key comes in. As the name implies, it must be kept secret, because it is the one thing that perfectly complements the answer. That is how it proves your identity: the remote side hands you a fresh, random challenge, you sign it with the private key, and the remote side checks the signature using only the public key it already holds. Only the holder of the matching "riddle" can produce a signature that the public "answer" accepts. In our example the private key would be:

“I soar without wings, I see without eyes.
I’ve traveled the universe to and fro.
I’ve conquered the world, yet I’ve never been anywhere but home.
Who am I?”

That's nearly impossible to guess verbatim (punctuation and capitalization included) without prior knowledge or an internet search. Real key pairs are stronger still: the private key is a large random number, the public key is computed from it by a one-way operation, and the only known way back from the public key to the private key is a search over an astronomically large space.

To take this a step deeper, this is also why certificate-based credentials are stronger than passwords. Most passwords I've seen are based on something very human: dictionary words, birthdays, or someone or something important to that person. Because a human has to remember a password, its entropy (how unpredictable it is) is typically low, and the same password is often reused across systems. A private key, by contrast, is generated by the machine from hundreds of bits of randomness, is never typed or sent over the wire, and the server stores only the public half, so a breach of the server's credential store does not hand an attacker a reusable secret.
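As an added illustration (not code from the original post), here is the challenge-response exchange the riddle analogy describes, using Ed25519 from Go's standard library: the public "answer" is handed out, the private "riddle" signs a random challenge, and the verifier checks it with the public key alone. An impostor with a different private key, or a replayed signature against a different challenge, is rejected. It also puts numbers on the entropy comparison above; the 170,000-word dictionary size is an assumption chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math"
)

// GenerateKeyPair creates a fresh Ed25519 key pair. The public key is the
// "answer to the riddle" and can be handed to any remote party; the private
// key is the "riddle" itself and never leaves the holder.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge returns a fresh random nonce. Signing a new nonce each time
// means a captured signature cannot be replayed at a later login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// ProveIdentity is the holder's side of the exchange: sign the verifier's
// challenge with the private key.
func ProveIdentity(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyProof is the verifier's side: only the public key is needed to check
// that the signature over this challenge came from the matching private key.
func VerifyProof(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

// PasswordEntropyBits estimates the entropy of a password chosen uniformly
// from `choices` equally likely options (for example one word out of an
// assumed 170,000-word dictionary).
func PasswordEntropyBits(choices float64) float64 {
	return math.Log2(choices)
}

// PrivateKeyEntropyBits is the entropy of an Ed25519 private key: its seed is
// 32 bytes of random data, i.e. 256 bits.
const PrivateKeyEntropyBits = 8 * ed25519.SeedSize

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	fmt.Printf("public key (safe to publish): %s\n", hex.EncodeToString(pub))

	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := ProveIdentity(priv, challenge)
	fmt.Println("genuine holder verifies:", VerifyProof(pub, challenge, sig))

	// Someone who only saw the "answer" and made up their own riddle fails.
	_, impostor, _ := GenerateKeyPair()
	fmt.Println("impostor with another private key verifies:",
		VerifyProof(pub, challenge, ProveIdentity(impostor, challenge)))

	// A signature captured earlier does not verify against a new challenge.
	fmt.Println("replayed signature on a new challenge verifies:",
		VerifyProof(pub, []byte("a different challenge"), sig))

	fmt.Printf("one dictionary word: ~%.1f bits; four words: ~%.1f bits; private key: %d bits\n",
		PasswordEntropyBits(170000), 4*PasswordEntropyBits(170000), PrivateKeyEntropyBits)
}
```

The verifier never learns the private key and never stores anything secret; if its database leaks, an attacker gets only public keys, which is exactly the property a password store cannot offer.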

That’s why I’m a big proponent of certificates wherever possible.

Hopefully that analogy is helpful in your ongoing security journey!