Originally Posted by

**watercooled**
<—— snip

That's exactly why cryptography is used - a single-use random number is sent out by the host to prevent replay attacks (e.g. a fake scanner sending the same exact response which was previously recorded), and the asymmetric encryption prevents the scenario you describe - a fake device would not have the private key required to encrypt the random number, which would be readable with the public key.

It doesn't matter with asymmetric encryption - if malware has access to the public key, we don't care, because that's exactly what we assume anyway. It could decrypt the random number the same as the host, but it wouldn't do it any good. It's only used once (a nonce) so it cannot send it back to the host on another occasion, and even if it could, it still doesn't have that private key to encrypt it.

With asymmetric encryption (AKA public key cryptography), a simplified way of looking at it is as follows: you create two mathematically related but different keys, one is the private key which you must keep secret, and a public key which can be freely distributed. Anything encrypted with the private key can only be decrypted with the public key, and vice-versa. You also cannot decrypt something using the same key used to encrypt. Check out RSA, DSA, and Diffie-Hellman key exchange for more details and the maths involved, if you're not already familiar.
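The nonce challenge-response described in the post above, as an added example that is not part of the original post: the host issues a single-use random number, the device applies its private key to it, and the host checks the result with the public key. The key pair is a constructed textbook-RSA toy (small primes, no padding), and the names `Host`, `device_respond` and `run_scenarios` are hypothetical.

```python
import hashlib
import secrets

# Constructed toy key pair built from two known Mersenne primes. Assumption:
# it stands in for the scanner's real key; far too small and unpadded for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (N, E), known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never leaves the device

def digest(nonce, n):
    # Hash the nonce and reduce it into the RSA modulus range.
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n

def device_respond(nonce, private_key=(N, D)):
    # Genuine device: private-key operation over the host's nonce.
    n, d = private_key
    return pow(digest(nonce, n), d, n)

class Host:
    def __init__(self, public_key):
        self.n, self.e = public_key
        self.pending = set()             # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)  # fresh random value per authentication
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.pending:    # unknown or already-used nonce
            return False
        self.pending.discard(nonce)      # single use, even if the check fails
        return pow(response, self.e, self.n) == digest(nonce, self.n)

def run_scenarios():
    host = Host((N, E))
    n1 = host.challenge()
    recorded = device_respond(n1)
    genuine = host.verify(n1, recorded)          # real device, fresh nonce
    replay_same = host.verify(n1, recorded)      # same nonce sent back again
    replay_new = host.verify(host.challenge(), recorded)  # old response, new nonce
    n3 = host.challenge()
    # Fake device holds only the public key, so it can only apply E, not D.
    no_private_key = host.verify(n3, pow(digest(n3, N), E, N))
    return genuine, replay_same, replay_new, no_private_key

if __name__ == "__main__":
    print(run_scenarios())
```

Only the first scenario is accepted: the recorded response fails because its nonce has been consumed or does not match the new one, and the public-key-only response fails the verification equation.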