What is data encryption?
The foundation of computer encryption lies in the field of cryptography, a discipline that dates back to when humans first felt the need to conceal information. Today, the majority of cryptographic methods depend on computers, as codes created manually can easily be deciphered by computer algorithms. Cryptographic systems employ a series of processes known as cryptographic algorithms, or ciphers, which are designed to transform readable text into encrypted messages, known as cipher text, or to convert encrypted messages back into their original, readable form.
In 1883, Auguste Kerckhoffs introduced an idea regarding encryption methods: he argued that the methods themselves should be open to the public, but the "keys" for encryption must remain confidential. This idea is now known as Kerckhoffs's Principle. Today, encryption systems for computers are broadly classified into two types: symmetric encryption, where the same key is used for both encrypting and decrypting data, and asymmetric (or public-key) encryption, which employs two different keys—one public and one private—for these processes.
What is symmetric encryption?
In symmetric encryption, the sender and the receiver each hold a copy of the same key and use it to both encrypt and decrypt messages. The confidentiality of the keys is a pivotal aspect of symmetric encryption. Providing a secure method for key distribution presents a notable challenge in symmetric encryption, commonly known as the "key distribution problem." The key plays an essential role in symmetric cryptography, and losing or misplacing it has dire consequences. If these keys end up with malicious individuals, they could potentially decrypt the messages.
The primary benefit of symmetric cryptography is its speed compared to asymmetric cryptography. However, the major drawbacks of symmetric encryption include challenges in key distribution and key management. As the number of users increases, the number of necessary keys also rises. Handling the growing count of secret keys evolves into what's known as the "key management problem."
What is asymmetric encryption?
Connecting to a website over the public internet introduces complexity, making it impractical to rely solely on symmetric encryption due to the challenge of securely sharing a secret key without it being intercepted. In November 1976, Diffie and Hellman addressed this dilemma in their groundbreaking paper "New Directions in Cryptography," published in the IEEE Transactions on Information Theory. Their work presented a solution to this problem by introducing the concept of public-key encryption, a method that allows secure key exchange over an insecure channel without the risk of interception.
Public key cryptography, also known as asymmetric encryption, is vital for keeping electronic communications and data storage secure, ensuring confidentiality, verifying the sender's identity, and preventing denial of the message's authenticity. This method uses two keys: a public key, which anyone can access and is openly shared, often through a public directory, and a private key, which the owner must keep secret. Despite the public key being available to everyone and used to encrypt messages, these messages remain secure. To decrypt a message, a computer combines the sender's public key with its own private key. Even though the public key is known and the message could be intercepted, without the corresponding private key, the message's encrypted contents cannot be decoded, maintaining its security.
The key pair is derived from very large prime numbers. The public and private keys are both calculated simultaneously through a unified mathematical procedure utilizing "trapdoor" functions. The defining feature of these "trapdoor" functions is their ease of computation in one direction, contrasted with the challenge of reversing the computation (determining its inverse) without specific knowledge.
Asymmetric encryption, compared to symmetric encryption, is slower due to its complex mathematical processes, requiring significantly more computing power. This high demand for resources makes it less suitable for prolonged sessions, as maintaining it can become resource-intensive.
Advantages and disadvantages of symmetric vs asymmetric encryption
Although asymmetric encryption is considered more sophisticated than symmetric encryption, organizations typically use both types in their security frameworks. Symmetric encryption excels in rapidly encrypting large volumes of data and securing communication within private systems, thanks to its speed. Asymmetric encryption, in contrast, is preferred for open systems where securing key exchanges, ensuring digital signatures, and authenticating identities are crucial, despite its slower performance. The choice between the two depends on specific business needs, with organizations balancing priorities like speed, security, and other relevant considerations to determine the most suitable encryption method for different scenarios.
- Speed. Symmetric encryption has the advantage of being faster than asymmetric encryption, as it requires less computational power for both encryption and decryption. This is largely because the keys used in symmetric encryption are much shorter than asymmetric keys. And because symmetric encryption only requires one key, the entire encryption process is faster, making it suitable for encrypting large amounts of data. Asymmetric encryption does not share these advantages, so it can be less efficient and possibly create performance issues when network processes get bogged down trying to encrypt or decrypt communications. This can result in slow processes and issues with memory capacity.
- Security. Asymmetric encryption is considered more secure because it uses two different keys—a public key which is used to encrypt communications and a private key which is used to decrypt those communications. Because the private key never needs to be shared, it acts as the safeguard that ensures that only the intended recipient is able to decrypt encoded communications. The resulting tamper-proof digital signature makes it harder for attackers to compromise the system. On the flip side, symmetric encryption is a bit riskier because it uses the same key to encrypt communications, which means it must be shared with anyone who needs to decrypt that communication. Every time the key is shared, it risks being intercepted by a malicious third party.
- Simplified key distribution. Because symmetric encryption uses the same key for both encryption and decryption, secure key distribution is crucial. The key distribution process is simpler with asymmetric encryption, because only the public key is shared, while the private key remains confidential.
Use cases for symmetric encryption
Banking Sector
Symmetric encryption, known for its efficiency and speed, is widely adopted in the banking sector for securely handling large volumes of data. Here are key use cases for symmetric encryption in this sector:
- Payment Applications: In card transactions and other payment services, symmetric encryption protects Personal Identifying Information (PII) to prevent identity theft and fraudulent charges. This is crucial for minimizing risks associated with daily payment transactions without incurring significant resource costs.
- Validations: Symmetric encryption is used to verify the authenticity of message senders. This ensures that the individual or system claiming to send a message is indeed the one doing so, which is vital for maintaining trust and security in banking communications.
Data at rest
Data at rest refers to information that isn't actively being transferred between devices or networks, such as data saved on hard drives, laptops, flash drives, or stored/archived in other forms. The goal of protecting data at rest is to safeguard inactive data wherever it resides. Even though data at rest might be perceived as less exposed than data in transit, for attackers, it often represents a more enticing target. To safeguard data at rest, companies can opt to encrypt individual sensitive files before storage or decide to encrypt the entire storage medium.
Encrypting data at rest is most effectively done through whole disk or full disk encryption. Full disk encryption offers several advantages over standard file or folder encryption and encrypted vaults. It ensures almost everything, including swap space and temporary files, is encrypted. Encrypting these aspects is vital since they might expose sensitive information. In software-based methods, however, the bootstrapping code remains unencrypted. For instance, BitLocker Drive Encryption uses an unencrypted volume for booting, while the volume with the operating system is entirely encrypted. Moreover, the choice of which specific files to encrypt isn't dependent on user judgment, eliminating potential oversights or reluctance in encrypting crucial data.
Use case for asymmetric encryption
Digital signatures
As businesses and organizations transition from paper documents bearing ink signatures or authenticity markers, digital signatures offer enhanced guarantees regarding the origin, identity, and status of an electronic document. Additionally, they affirm a signatory's informed consent and endorsement.
Digital signatures serve to identify any unauthorized alterations to data and verify the identity of the individual signing. Moreover, the recipient of the signed data can present the digital signature as proof to a third party that the said signature genuinely originated from the alleged signatory. This characteristic is termed non-repudiation, as it prevents the signatory from denying the signature at a future point.
The Digital Signature Standard (DSS), defined in FIPS 186-4 by NIST, uses asymmetric cryptography to add a layer of validation and security to messages sent over non-secure channels. Digital signatures ensure authentication, non-repudiation, and confidentiality. Here's how Alice and Bob use a digital signature to secure a message:
- Hash the Message: Alice starts by creating a hash of the message, producing a message digest. Hashing, a method for ensuring data integrity, takes the original message, adds a string value, and transforms it into a new, irreversible value called the message digest. This process makes it impossible to retrieve the original message from the digest.
- Encrypt the Digest: The message digest is then encrypted with Alice's private key. This encrypted digest is the digital signature.
- Attach and Send: Alice appends this digital signature to her message and sends it to Bob.
- Decode the Signature: Upon receiving the message, Bob uses Alice's public key to decrypt the digital signature, which yields a message digest.
- Hash the Received Message: Bob also hashes the received message to produce another message digest.
- Verify Integrity and Authenticity: Bob compares the two message digests. If they match, he can be sure the message truly came from Alice and remained unchanged during transmission. Any difference in the digests would suggest the message was altered.
This process allows Alice and Bob to communicate securely, even over non-secure channels, by confirming the sender's identity and ensuring the message's integrity.
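The six steps above, carried through in code as an added example (not part of the original post). It uses textbook RSA without padding so each step stays visible; the key pairs are constructed from publicly known Mersenne primes and all function names are hypothetical. Production code uses a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib

# Constructed toy keys: the primes below are publicly known Mersenne primes,
# so these keys protect nothing. Real keys use secret, randomly generated primes.
E = 65537  # public exponent shared by both toy keys


def make_keypair(p, q):
    """Return (public modulus n, private exponent d) for the primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


ALICE_N, ALICE_D = make_keypair(2**521 - 1, 2**607 - 1)
MALLORY_N, MALLORY_D = make_keypair(2**127 - 1, 2**521 - 1)  # a different signer


def digest_as_int(message):
    """Steps 1 and 5: hash the message and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, n, d):
    """Step 2: transform the digest with the signer's private exponent."""
    return pow(digest_as_int(message), d, n)


def verify(message, signature, n):
    """Steps 4 to 6: recover the digest with the public key and compare."""
    if not 0 <= signature < n:
        return False  # not a valid value for this modulus
    return pow(signature, E, n) == digest_as_int(message)


def run_exchange():
    message = b"Pay Bob 100 EUR"  # constructed sample message
    signature = sign(message, ALICE_N, ALICE_D)   # step 3: sent with the message
    forged = sign(message, MALLORY_N, MALLORY_D)  # signed with someone else's key
    return {
        "genuine": verify(message, signature, ALICE_N),
        "altered_message": verify(b"Pay Bob 900 EUR", signature, ALICE_N),
        "wrong_signer": verify(message, forged, ALICE_N),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Only the unmodified message with Alice's own signature verifies; a changed message or a signature made with another private key is rejected.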
Digital signatures are designed for applications needing to assure data integrity and authenticate the origin of the data. These applications include:
- Electronic Mail (Email): Enhancing the security of email communications by verifying the sender's identity and ensuring the message hasn't been altered.
- Electronic Funds Transfer (EFT): Securely authorizing the transfer of money between accounts or entities, ensuring the transaction's legitimacy.
- Electronic Data Interchange (EDI): Safeguarding the exchange of business documents or data between companies, which is critical for operations like ordering supplies or invoicing.
- Software Distribution: Ensuring that software comes from a legitimate source and hasn't been tampered with, which is crucial for protecting computer systems from malware.
- Data Storage: Protecting stored data's integrity and verifying its source, essential for legal, financial, or personal records.
Digital signatures serve as a robust tool for securing electronic transactions and communications, providing a way to verify the authenticity of digital messages or documents and the integrity of their contents.
Use case for both asymmetric and symmetric encryption: Messaging applications
Messaging applications like Signal and WhatsApp employ end-to-end encryption to safeguard the confidentiality and privacy of user communications, while also authenticating users. This encryption means only the message content is encrypted, not the metadata like headers, trailers, and routing information. The foundation of this encryption strategy is the Signal Protocol, developed by Open Whisper Systems, which prevents third parties and even the messaging service providers themselves from accessing message or call content. Importantly, should a user's encryption keys be compromised, past messages cannot be decrypted with those keys.
Here's how end-to-end encryption works in these messaging apps, combining both asymmetric and symmetric cryptography:
- Installation and Key Registration: Upon installing the app on a smartphone, the client's public keys are registered with the app's server. The private key remains secret and stored only on the user's device.
- Initiating a Session: When a user wants to start a conversation, they retrieve the recipient's public keys from the server. The initiating client then encrypts the first message using these public keys, which includes parameters to establish a symmetric session key.
- Establishing a Secure Channel: The recipient decrypts this initial message with their private key, allowing both parties to establish a session. Following this, all exchanged messages are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication.
- Maintaining Privacy: This encrypted session remains secure until the device is changed or the app is reinstalled, requiring a new session to be established.
The WhatsApp Encryption Overview White Paper further details this process, illustrating the sophisticated methods used to ensure that user communications remain private and secure, highlighting the technical underpinnings that make end-to-end encryption a cornerstone of modern digital communication privacy.
Use case for both asymmetric and symmetric encryption: HTTPS
HTTPS (HyperText Transfer Protocol Secure) also combines both types of encryption, ensuring safe communication between clients (browsers) and servers. Unlike the applications focused on user identities, HTTPS is used for machine identification.
HTTPS operates as a TCP/IP application layer protocol, essentially layering the SSL/TLS (Secure Socket Layer/Transport Layer Security) protocols over HTTP. It leverages both asymmetric and symmetric encryption to secure connections. Here’s a simplified overview of how HTTPS facilitates a secure connection:
- TLS Certificate Generation and Authentication: The process starts with generating a TLS certificate for the server, which must be authenticated by a Certificate Authority (CA). This certificate is crucial for establishing a trusted connection.
- ClientHello Message: The client (browser) initiates the conversation by sending a ClientHello message to the server. This message includes necessary details for establishing a TLS connection, such as supported cipher suites and the maximum TLS version.
- ServerHello Message: In response, the server sends back a ServerHello message, specifying the TLS version to be used, its TLS certificate, and its public asymmetric key.
- Browser Verifies Server Certificate: The client verifies the server’s certificate to ensure it’s communicating with the legitimate server.
- Session Key Creation and Encryption: The client generates a random session key for symmetric encryption and encrypts it using the server's public key, then sends it to the server.
- Session Key Decryption by Server: Upon receiving the encrypted session key, the server decrypts it with its private key. Now, both parties have the symmetric session key.
- Switch to Symmetric Encryption: With the session key shared, the connection switches from using public key encryption to symmetric encryption for the remainder of the session.
This method efficiently combines the strengths of both encryption types. Asymmetric encryption, despite its slow speed and high computational requirements due to complex mathematical operations, is ideal for securely exchanging the symmetric session key at the connection's start. Subsequently, the faster and less resource-intensive symmetric encryption takes over for the duration of the session. This approach not only ensures the security of the data in transit but also solves the key distribution challenge inherent in symmetric encryption systems.
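The session-key steps above (create, encrypt with the server's public key, decrypt, switch to symmetric encryption) as an added example that is not code from the original post. Assumptions: the server key is a constructed toy RSA key built from publicly known primes and used without padding, and because the Python standard library has no AES, an HMAC-SHA256 keystream stands in for the symmetric cipher; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy server key (publicly known Mersenne primes, no padding).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                           # server public modulus, sent in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))   # server private exponent, never leaves the server
KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def client_wrap_key(session_key):
    """Client: encrypt the random session key with the server's public key."""
    return pow(int.from_bytes(session_key, "big"), E, N)


def server_unwrap_key(wrapped):
    """Server: recover the session key with its private key."""
    value = pow(wrapped, D, N)
    if value >> (8 * KEY_LEN):
        raise ValueError("malformed session key")
    return value.to_bytes(KEY_LEN, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_keystream(enc_key, nonce, data):
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += prf(enc_key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(session_key, plaintext):
    """Encrypt then authenticate one record under the shared session key."""
    enc_key, mac_key = prf(session_key, b"enc"), prf(session_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = xor_keystream(enc_key, nonce, plaintext)
    return nonce + ciphertext + prf(mac_key, nonce + ciphertext)


def open_record(session_key, record):
    """Check the tag first; decrypt only if the record is authentic."""
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    enc_key, mac_key = prf(session_key, b"enc"), prf(session_key, b"mac")
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(mac_key, nonce + ciphertext)):
        raise ValueError("authentication failed")
    return xor_keystream(enc_key, nonce, ciphertext)


def run_session(tamper=False):
    session_key = secrets.token_bytes(KEY_LEN)   # client generates the key
    wrapped = client_wrap_key(session_key)       # only this crosses the network
    server_key = server_unwrap_key(wrapped)      # server now holds the same key
    record = seal(session_key, b"GET /account HTTP/1.1")  # constructed request
    if tamper:  # flip one ciphertext bit in transit
        record = record[:20] + bytes([record[20] ^ 1]) + record[21:]
    return server_key == session_key, open_record(server_key, record)


if __name__ == "__main__":
    print(run_session())
```

TLS 1.3 replaced this RSA key transport with an ephemeral Diffie-Hellman exchange, but the split stays the same: asymmetric operations to agree on a key, symmetric encryption for the traffic.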
Common symmetric encryption algorithms
Certain algorithms are widely used in securing data and communications within the bounds of symmetric encryption. The algorithms that are ideal for symmetric encryption include Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), Blowfish, Twofish and Rivest Cipher (RC4).
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is a popular symmetric encryption algorithm that encrypts data in 128-bit blocks, providing a robust security framework for digital data. AES operates on fixed-size blocks of data using keys of three different lengths: 128, 192, or 256 bits. The encryption process involves multiple rounds of transformation—10 rounds for a 128-bit key, 12 rounds for a 192-bit key, and 14 rounds for a 256-bit key. These rounds consist of a series of substitution and permutation steps, organized in a structure known as a substitution-permutation network, which significantly enhances its security and efficiency across various applications.
AES was developed to replace the Data Encryption Standard (DES), a previous encryption standard that became vulnerable due to its relatively short key length. This vulnerability was highlighted when DES was successfully cracked by security researchers in 2005, demonstrating the need for a more secure encryption method. AES's longer key lengths make it substantially more resistant to brute-force attacks, addressing the main weakness of its predecessor and establishing it as a cornerstone of modern cryptographic security measures.
Triple Data Encryption Standard (3DES)
The Data Encryption Standard (DES) is a symmetric key algorithm developed for encrypting digital information. Despite its initial popularity, DES's vulnerability to brute-force attacks due to its short 56-bit key length led to the development of Triple DES (3DES) as a more secure alternative. 3DES enhances the security of the original DES by encrypting data blocks three times using three different keys, effectively increasing the key length and security.
3DES operates in three phases of encryption, significantly improving security over DES by using key lengths of 112 bits (in two-key 3DES) and 168 bits (in three-key 3DES). However, the triple encryption process inherently makes 3DES slower than newer encryption algorithms. Additionally, 3DES's use of small data blocks does not entirely eliminate the risk of brute-force attacks, a concern as computational power increases.
Reflecting these concerns and the advancement of cryptographic techniques, standards organizations have recommended the deprecation of 3DES for all new applications. The use of 3DES is advised against after 2023, steering the industry towards adopting more secure and efficient encryption methods like AES, which offer stronger security without the drawbacks associated with smaller block sizes and slower encryption speeds inherent to 3DES.
Blowfish
Blowfish is a symmetric key block cipher known for its straightforward design, speed, and resilience against cryptographic attacks. Created to serve as a "general-purpose algorithm," Blowfish was intended to offer a swift, freely available alternative to the then-prevalent Data Encryption Standard (DES), which was showing signs of obsolescence and vulnerability to attacks.
Unlike DES, Blowfish operates with a variable key length ranging from 32 bits up to 448 bits, allowing for a flexible approach to encryption strength based on the specific requirements of the application. It encrypts data in 64-bit blocks, which, while contributing to its efficiency, has also been a factor in its limitation; the 64-bit block size is considered less secure compared to the larger block sizes used by newer encryption algorithms, hindering its ability to fully replace DES in all use cases.
Despite these limitations, Blowfish's non-proprietary nature—it was designed to be unlicensed and freely available—has led to its widespread adoption in various applications. It is useful in password hashing and the secure storage and transmission of data, where its balance of simplicity, effectiveness, and speed make it an attractive option for securing sensitive information.
Twofish
Twofish, as the successor to Blowfish, addresses and improves upon many of the security concerns associated with its predecessor, notably through the use of a larger 128-bit block size, which can be extended to a maximum of 256 bits. This enhancement aligns Twofish more closely with modern encryption standards like the Advanced Encryption Standard (AES), which also encrypts data in fixed-size blocks and supports key lengths of 128, 192, or 256 bits.
Designed with a focus on compatibility with 32-bit CPUs, Twofish is versatile, performing efficiently in both hardware and software environments. This adaptability, combined with its open-source status—meaning it can be freely used without licensing restrictions—has contributed to its popularity in a variety of security applications.
A distinctive feature of Twofish is its consistent application of 16 rounds of encryption, regardless of the key size or data length. This approach provides a high level of security that is less dependent on the specifics of the key or data being encrypted, enhancing its resistance to attacks compared to algorithms that vary the number of encryption rounds based on these factors. The consistent encryption methodology ensures that Twofish remains a robust and reliable choice for securing digital data across a wide range of applications.
Rivest Cipher (RC4)
Developed as a stream cipher for RSA Security in 1987 by Ron Rivest, RC4 encrypts data one byte at a time. RC4 is one of the most popular stream ciphers, used in SSL/TLS protocols, IEEE 802.11 wireless LAN standard, and Wi-Fi Security Protocol Wireless Equivalent Protocol (WEP). While it offers significant advantages in terms of usability and performance speed, RC4 has declined in popularity due to significant flaws that have come to light.
Common Asymmetric Encryption Algorithms
Asymmetric encryption algorithms have become essential in securing digital communications. The most commonly used asymmetric algorithms include Rivest-Shamir-Adleman (RSA), Diffie-Hellman, Elliptic Curve Cryptography (ECC) and Pretty Good Privacy (PGP).
Rivest–Shamir–Adleman (RSA)
RSA is a widely used asymmetric encryption algorithm found in a variety of products and services and is considered to be a staple of asymmetric encryption. The mechanics of RSA rely on the notion that multiplying two adequately large numbers is straightforward, while figuring out the original prime numbers from their product is immensely challenging. One of the two figures used to derive the public and private keys is the result of multiplying two large prime numbers. Both keys are formulated using these same prime values. RSA keys commonly have lengths of 1024 or 2048 bits, rendering their factorization highly complex. However, since RSA requires two different keys of incredible length, the encryption and decryption process can be slow, but the level of security it provides for sensitive information is incomparable.
Diffie-Hellman Key Exchange
Often referred to as an exponential key exchange, Diffie-Hellman is a digital encryption method that leverages numbers elevated to certain powers to generate decryption keys. This is done using elements that are never sent outright. Such a process renders the task of potential decryption exceedingly complex from a mathematical perspective, making it harder for code breakers to crack. The Diffie-Hellman key exchange facilitates the sharing of a confidential secret between two entities, enabling the secure exchange of information over an open network. Essentially, the algorithm leverages public-key methods to enable the transfer of a private encryption key.
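The exchange described above, as an added example that is not part of the original post. The group (a Mersenne-prime modulus with generator 3) is a constructed toy parameter chosen to keep the code short, and the function names are hypothetical; real deployments use standardized groups or elliptic curves from a vetted library.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: fine for showing the arithmetic, not for protecting data.
P = 2**521 - 1   # public modulus
G = 3            # public generator


def generate_keypair():
    """Pick a private exponent and compute the public value g^x mod p."""
    private = secrets.randbelow(P - 3) + 2   # uniform in 2 .. P-2
    return private, pow(G, private, P)


def validate_public(value):
    """Reject peer values that force a predictable shared secret.

    0, 1 and P-1 make the result 0, 1 or +/-1 whatever the private exponent is.
    """
    if not isinstance(value, int) or not 2 <= value <= P - 2:
        raise ValueError("peer public value out of range")
    return value


def derive_session_key(my_private, peer_public):
    """Raise the peer's public value to our private exponent, then hash it."""
    secret = pow(validate_public(peer_public), my_private, P)
    return hashlib.sha256(secret.to_bytes(66, "big")).digest()


def run_exchange():
    alice_private, alice_public = generate_keypair()
    bob_private, bob_public = generate_keypair()
    on_the_wire = (alice_public, bob_public)   # all an eavesdropper sees
    alice_key = derive_session_key(alice_private, bob_public)
    bob_key = derive_session_key(bob_private, alice_public)
    # The agreed key can now authenticate traffic, here with HMAC-SHA256.
    message = b"hello Bob"  # constructed sample message
    tag = hmac.new(alice_key, message, hashlib.sha256).digest()
    expected = hmac.new(bob_key, message, hashlib.sha256).digest()
    return alice_key, bob_key, on_the_wire, hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    a_key, b_key, wire, accepted = run_exchange()
    print(a_key == b_key, accepted)
```

Both sides arrive at the same 32-byte key although only the two public values were transmitted; neither private exponent nor the key itself ever crosses the network.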
Elliptic Curve Digital Signature Algorithm (ECDSA)
ECDSA, or Elliptic Curve Digital Signature Algorithm, is among the more intricate algorithms used in public key cryptography. Elliptic curve cryptography (ECC) produces keys that are smaller compared to the average size of a digital signature algorithm key. ECDSA leverages the algebraic framework of elliptic curves over finite fields. ECDSA performs the same function as other digital signatures, but more effectively. This is because ECDSA uses smaller keys to achieve the same level of security as other digital signature algorithms. Because ECC is a mathematical operation that is quick and easy to complete but extremely difficult to reverse, it is nearly impossible to crack the private key. The primary applications of elliptic curve cryptography include the generation of pseudo-random numbers, digital signatures, and more.
Pretty Good Privacy (PGP)
PGP was a widely-used program for encrypting and decrypting emails online, validating messages via digital signatures, and securing files. Today, PGP is a general term often applied to any software or tool that adheres to the OpenPGP public key cryptography standard.
Unlocking Efficiency and Security with Zero Touch PKI
Venafi Zero Touch PKI represents a significant advancement in the management of asymmetric encryption, offering a seamless and automated approach to handling digital certificates and encryption keys. The primary benefit of Zero Touch PKI is its ability to streamline the complex processes associated with generating, distributing, and renewing digital certificates — crucial components of asymmetric encryption systems. By automating these processes, Zero Touch PKI not only reduces the administrative burden and potential for human error but also enhances security by ensuring that certificates are always up-to-date and compliant with current standards. This automation facilitates a more secure and efficient deployment of encryption, making it easier for organizations to protect data, authenticate identities, and secure communications without the need for extensive manual oversight. As a result, Zero Touch PKI enables organizations to leverage the full potential of asymmetric encryption with minimal operational overhead, making it an invaluable tool in today's security landscape.
(This post has been updated. It was originally published on September 16, 2019.)