http://resources.infosecinstitute.com
1. Introduction
This article explains how symmetric and asymmetric encryption work.
It also describes how to build a secure mail system using these two
types of encryption.
2. Symmetric Encryption
Let’s assume that Alice wants to talk to Bob. She wants to keep the
message secret. Bob is the only one who should be able to read the
message. The message is confidential, so Alice uses a key to encrypt the
message. The original message is called a plaintext while the encrypted
message is called a ciphertext. The ciphertext is sent to Bob, who
knows the key and uses the same symmetric cipher (e.g., AES or 3DES).
Thus Bob is able to decrypt the message.
Alice and Bob share the same key, which is why the key is called symmetric. They are the
only ones who know the key and no one else is able to read the encrypted
message. This way, confidentiality is achieved.
2.1 Key Length vs. Security
The key space doubles when one bit is added to the key. Longer keys
are better, but don’t necessarily increase security. Because people tend
to use patterns for passwords, the attacker can build a dictionary of
commonly used passwords and launch a dictionary attack. This way the
attacker can save time, because he doesn’t have to brute force the whole
key space.
2.2 Symmetric vs. Session Key
The symmetric key can be changed every time Alice communicates with
Bob. Then it is called a session key (randomly generated and valid only
for one session). If an attacker grabs the session key, he can decrypt
only the messages from one session. If Alice and Bob always used the
same key, the attacker would be able to decrypt all messages encrypted
with this key.
2.3 Scalability and Secure Key Distribution
There are a few problems with symmetric ciphers. This system is not
scalable. If there are 1,000 people who want to communicate with each
other, everyone needs 999 different keys to establish separate and
confidential communication channels. Secure key distribution is another
problem. The security of the system is broken if a man-in-the-middle can
grab the key while it is being transmitted from Alice to Bob.
3. Asymmetric Encryption
Two keys are used in an asymmetric cipher (e.g., RSA): a public and a
private one. The public one is available for everyone, but the private
one is known only by the owner. When the message is encrypted with the
public key, only the corresponding private key can decrypt it. Moreover,
the private key can’t be learned from the public one.
An asymmetric cipher solves the problem of secure key distribution.
Alice takes Bob’s public key and uses it to encrypt the session key.
Only Bob can then decrypt the encrypted session key, because he is the
only one who knows the corresponding private key. Asymmetric ciphers are
quite slow when compared with the symmetric ones, which is why
asymmetric ciphers are used only to securely distribute the key. Then,
Alice and Bob can use a symmetric cipher and the session key to make the
communication confidential.
Use of an asymmetric cipher also solves the scalability problem.
Everyone will need only one public key and one private key to
communicate with other people.
4. Mail Security
Let’s analyze how symmetric and asymmetric encryption can be used to build a secure mail system.
4.1 Achieving Message Confidentiality
Alice is going to send a mail to Bob. She wants to keep the message
secret. Bob is the only one who should be able to read the message.
Confidentiality can be achieved by using symmetric encryption. The key
used for symmetric encryption (the session key) needs to be securely
sent to Bob. Asymmetric encryption is used for the purpose of secure key
distribution.
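The scheme from sections 3 and 4.1, as an added example that is not part of the original article: Alice encrypts the mail with a random AES session key and wraps that key with Bob's RSA public key. The function names, the AES-256-GCM mode, the OAEP padding and the sample message are assumptions of this example; it uses only Node.js's built-in crypto module.

```javascript
// Added example: hybrid encryption (AES session key wrapped with RSA).
const nodeCrypto = require('node:crypto');

// OAEP padding with SHA-256 is this example's choice; the article only names RSA.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Bob generates his key pair once and publishes only the public key.
function generateRecipientKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Alice: encrypt the mail with a fresh session key, then wrap that key for Bob.
function encryptMail(plaintext, recipientPublicKey) {
  const sessionKey = nodeCrypto.randomBytes(32); // random AES-256 key, used once
  const iv = nodeCrypto.randomBytes(12);         // GCM nonce, unique per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();               // detects modification in transit
  // Only the 32-byte session key goes through the slow asymmetric cipher.
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag };
}

// Bob: unwrap the session key with his private key, then decrypt the mail.
// Throws if the private key does not match or the envelope was altered.
function decryptMail(envelope, recipientPrivateKey) {
  const sessionKey = nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample run.
const bob = generateRecipientKeyPair();
const envelope = encryptMail('Quarterly figures attached.', bob.publicKey);
console.log('wrapped session key bytes:', envelope.wrappedKey.length);
console.log('decrypted by Bob:', decryptMail(envelope, bob.privateKey));
```

Because each call draws a new session key, a captured key exposes one message only, which is the property section 2.2 describes.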
Tuesday, October 29, 2013
I am impressed with the way you have outlined all the differences between both these forms of encryption process. This is the article that highlights maximum points of difference. Thanks.
Great post and very informative information on the encryption process. I want to learn PowerShell; please let me know if you know any resources.
Thanks