Protecting sensitive data in a digital environment is particularly difficult, but crucial. Cybercriminals seek files, messages, credit card information, and other shareable data from both individuals and businesses. Encryption is used by businesses, governments, and other types of organizations to maintain the confidentiality, and security of their data while sharing, maintaining, and processing it.
Cryptography, which has been utilized for as long as humans have desired to keep information hidden, is the basis for encryption. Encryption has a long history dating back to when the ancient Greeks and Romans sent secret messages by substituting letters only decipherable with a secret key. Human-based codes are too difficult for a machine to decipher, hence the vast majority of cryptographic systems in use today rely on computers. Cryptosystems employ a collection of methods referred to as cryptographic algorithms.
The mathematical formulas that translate plaintext into ciphertext are cryptographic algorithms. Plaintext is the unaltered form of a message, whereas ciphertext scrambles the content to the point where it is illegible unless you have the necessary authorization to decrypt the code and convert it back to plaintext.
Kerckhoff's Principle states that encryption techniques should be made public while "keys" are kept private. Computer encryption systems typically fall under either symmetric encryption or asymmetric or public-key encryption.
What is asymmetric encryption
Asymmetric encryption, often known as public key cryptography, employs two distinct keys simultaneously, a private key and a public key.
The private key must remain confidential to its owner, while the public key is made accessible to everyone via a repository or directory that is open to the public. The public key encrypts data while its corresponding private key decrypts it. To decode an encrypted message, a computer must use both its own private key and the public key provided by the sending computer. Although a communication sent from one computer to another will not be secure because the public key used for encryption is released and available to everyone, anyone who picks it up without the private key cannot read it.
The key pair is based on lengthy prime numbers. Using trapdoor functions, both the public and private keys are computed simultaneously in the same mathematical procedure. The primary characteristic of trapdoor functions is that they are simple to compute in one direction but difficult to compute in the opposite way (identifying its inverse) without knowledge.
Characteristics of asymmetric encryption
1. Asymmetric encryption is designed to protect data and key exchanges over open, insecure channels.
The aim of asymmetric key encryption is to provide a method for securely encrypting data across public channels, in addition to authentication and data integrity. There is no key distribution issue, as there would be with symmetric encryption, because the exchange of keys is not necessary.
2. Keys for asymmetric encryption are large
Public and private asymmetric keys are unique, lengthy sequences of random numbers. There are millions of websites that use SSL/TLS certificates, yet each website has a unique set of public and private keys. However, for keys to be robust and secure, they must be created with a high entropy (randomness). Each key must be sufficiently random and unpredictable that it would take supercomputers thousands of years to deduce it.
3. Public key encryption algorithms are strong
Popular asymmetric encryption and key exchange methods include Diffie-Hellman, RSA, ECDSA, ElGamal, and DSA. Although it is not a strict rule, asymmetric encryption typically uses 1024-bit, 2048-bit, or longer keys. In general, the encryption is safer and stronger the longer the key size.
4. Asymmetric encryption is a resource intensive process
The primary drawback of asymmetric encryption is that it is slower than symmetric encryption. This is due to the mathematical difficulty of asymmetric encryption, which necessitates significantly more computational resources to maintain. Due of the processing power required to keep it running, it is unsuitable for prolonged sessions.
What does asymmetric encryption do?
Public key algorithms are crucial components of cryptosystems, applications, and protocols for their security. They support a variety of internet standards, including Transport Layer Security (TLS) which makes HTTPS possible. Some public key algorithms enable both key distribution and secrecy (e.g., Diffie–Hellman key exchange) and digital signatures (Digital Signature Algorithm).
Typically, asymmetric cryptography is used to verify data using digital signatures. A digital signature is a mathematical technique used to verify the validity and integrity of a message, piece of software, or electronic document. Digital signatures based on asymmetric cryptography can provide assurances as to the origin, identity, and status of an electronic document, transaction, or message, as well as confirm the signer's informed consent.
Asymmetric cryptography can also be applied to systems that require many users to encrypt and decrypt messages, such as encrypted email. A message can be encrypted with a public key and decrypted with a private key. Asymmetric cryptography is also utilized by Bitcoin and other cryptocurrencies. Users have both public and private keys, the latter of which is kept hidden. Bitcoin employs a cryptographic mechanism to ensure that only authorized owners can spend the currency.
How does asymmetric encryption work?
The two participants in the asymmetric encryption workflow are the sender and the recipient. Each has its own pair of public and private keys.
The sender obtains the recipient's public key and uses it to encrypt the plaintext message. This creates a ciphertext. The ciphertext is sent to the recipient, who decrypts it with their private key, returning it to legible plaintext.
Figure 1: How asymmetric encryption works. Image courtesy of Sectigo Store
Because of the one-way nature of the encryption function, one sender is unable to read the messages of another sender, even though each has the public key of the receiver.
Asymmetric encryption vs symmetric encryption
The primary distinction between asymmetric and symmetric cryptography is that asymmetric algorithms employ two distinct but related keys. Data is encrypted with one key and decrypted with another. On the other hand, the same key is used for both encryption and decryption with symmetric encryption.
Key length is another distinction between asymmetric and symmetric encryption. In symmetric cryptography, the length of the randomly generated keys is commonly 128 bits or 256 bits, depending on the required level of security. In asymmetric encryption, there must be a mathematical relationship between the public and private keys. Given that malevolent actors may exploit this pattern to break the encryption, asymmetric keys must be longer to provide the same level of protection. The difference in key length is so significant that a 2048-bit asymmetric key and a 128-bit symmetric key provide almost the same level of protection.
In SSL/TLS and other digital certificates, both symmetric and asymmetric algorithms are utilized. The computing time is a fundamental disadvantage of public key cryptography, as we have shown. As verification and functionality are applied from both sides, the process is greatly slowed down. Here, symmetric encryption is also employed.
First, when two parties (browser and server in the case of SSL) begin communicating, they use asymmetric encryption to validate each other's private and public key. Once the verification is complete and both parties recognize one another, the data is encrypted using symmetric encryption, saving much time and achieving the aims of privacy and data security. This entire operation is referred to as an SSL/TLS handshake.
Advantages of asymmetric encryption
Among the advantages of asymmetric cryptography are:
- The problem of key distribution is eliminated because there is no requirement for key exchange.
- The security is strengthened because the private keys are never sent or disclosed.
- The usage of digital signatures is enabled so that a recipient may confirm the origin of a message.
- Therefore, the sender cannot deny sending a communication.
Disadvantages of asymmetric encryption
The following are disadvantages of asymmetric cryptography:
- The procedure is slower than symmetric cryptography. Because the keys are longer and the server must compute two distinct encryption and decryption keys, the operation becomes time-consuming. It also employs more intricate algorithms.
- It is not suitable for decrypting messages at scale; otherwise, the servers become overloaded and sluggish. This is the reason why, for instance, asymmetric key encryption is used initially in the SSL/TLS handshake procedure, while symmetric encryption is utilized for data exchange during the established session.
Mitigate key risk with Venafi
With the rapid adoption of multiple cloud platforms and the proliferation of non-human entities, machines are driving significant advances in business growth and agility. But before machines can communicate privately and securely, they need machine identities to identify, authenticate and secure machine-to-machine communications. Just as people rely on usernames and passwords to identify and authenticate themselves, machines rely on cryptographic keys and digital certificates to serve as their identities. This includes TLS certificates used for authentication, encryption, and decryption.
However, the aggressive enterprise adoption of machines and the expansion of encryption have outpaced the manual, ad hoc tools most organizations rely on to manage their TLS certificates. Due to manual processes or homegrown tools, machine identities go largely untracked, unmanaged, and unmonitored. The inability to inventory and enforce policy for certificates can leave organizations vulnerable to certificate-based application outages and security breaches.
Venafi TLS Protect delivers visibility, intelligence and automation to manage TLS certificates and digital keys. Venafi is the only solution that provides complete and continuous visibility and monitoring of machine identities across highly segmented and complex networks, including public and private clouds, combined with automated, intelligence-driven actions that securely scale encryption, remove error-prone manual installation and remediate vulnerabilities and weaknesses.
Download this data sheet to learn how TLS Protect stops outages across your enterprise—and discover how TLS Protect leverages automation to provide global visibility into your TLS machine identities across extended global IT environments, including cloud, and streamlines all aspects of the TLS certificate lifecycle, and remediates policy violations.