LIVE WEBINAR: 5 Ways to Modernize Customer Onboarding and Defeat Account Takeover
Register Now!

What is Symmetric vs Asymmetric Encryption?

Javed Shah

Encryption is the foundation of modern Internet security. Data cannot move safely and securely across the public Internet without it. However, not all forms of encryption are made equal.

What is asymmetric encryption? It is a form of cryptography that uses two distinct but linked encryption-decryption keys to protect information from outside viewing.

How Does Encryption Work?
Encryption is a form of data obfuscation in which information is transferred reversibly, such that the data remains unreadable by unauthorized parties.

As long as there has been writing and information storage, there has been a demand to hide the contents of that data from outside eyes. Forms of cryptography were found to exist as early as 1900 BC in Ancient Egypt when hieroglyphics were transformed to make them seem more mysterious or important.

The first major evidence of the use of cryptography for hiding information is usually attributed to Julius Caesar. He used a simple letter shift to hide the meaning of messages he sent to and from generals.

Cryptography is simple to break, given enough work and attention to patterns and details. Modern cryptography draws from these ideas but uses factors like random number generation and prime numbers’ unique properties to create encryption styles that are nearly impossible to break without powerful computers working over centuries.

The process of encryption itself, outside of the encryption method itself, is relatively straightforward:

  • Creation of Cipher Text: An encryption algorithm may obfuscate information in various ways. However, the basic approach will involve creating a complex encryption key (or simply “key”) to transform data at the level of its bits. For example, some algorithms will feed characters in a message through an algorithm that manipulates each character’s bitwise value.
  • Transmission: The encrypted information is transferred to the recipient. If an individual intercepts that message and tries to read it (assuming there are no means to break that encryption), they will find it essentially useless.
  • Decryption and Verification: The recipient must receive the key to decrypt that message and read it. In some cases, the sender may also use a form of hashing or digital signature to verify that the document came from the right person and has not been tampered with.

In any situation where encryption is used, the only way to effectively share information (encrypt, send, decrypt) is by using associated keys. Two overarching encryption strategies are based on how these keys are generated and used.

These are:

  • Symmetric (or Private): A single key is created and then during the encryption process. This key is the lynchpin to encrypt the information, and the end recipient must have the key to decrypt and read that data.
  • Asymmetric (or Public): This method involves the creation of two different and unique keys connected by the fact that one key is used for encryption and the other serves as the decryption key.

How Is Asymmetric Encryption Different from Symmetric Encryption?

The surface-level difference, as stated, is that asymmetric encryption uses two distinct keys for encryption or decryption. However, this difference changes how the encryption process works:

  • Creation of Key Pairs: The pair of keys created for the encryption-decryption process are created using mathematical formulas and pseudo-random numbers that link them to one another. Typically, one key is designated as the “public” key while the other is the “private” key.
  • Encryption: The connection between the public and private keys are at the heart of asymmetric encryption. In a simple asymmetric model, one party will use a recipient’s public key to encrypt a message or block of data. At this point, the only way to decrypt that information is through the paired private key.

Because of this public/private relationship, asymmetric encryption is particularly useful when sending information (for example, via email). Unlike common symmetric algorithms like AES, where a single key can be kept and used without worrying about sharing in the wild, asymmetric provide additional security for outgoing data.

Unsurprisingly, many security regulations, frameworks, and best practices will call for encryption standards that cover data at rest and in transit. The latter is almost always a form of asymmetric encryption.

PGP and Certificates

The challenge of an asymmetric encryption plan is providing a secure and accessible way to manage and share public and private keys.

Pretty Good Privacy, or PGP, accomplishes this more straightforwardly and facilitates strong end-to-end encryption. An application using PGP will generate keys for a user and manage them through the application, such that a user has a centralized location to collect, manage, and use public keys to send encrypted messages to trusted recipients.

However, this strategy isn’t scalable enough to work at enterprise levels. The sheer endeavor of managing a key infrastructure of that size would swamp even the best app while creating problematic honeypots.

Additionally, protocols like PGP present hurdles to widespread communication between organizations and the public because, to function properly, all parties must use the same protocol–and most email providers do not support PGP out of the box.

The more common form of public-key encryption is the use of SSL certificates. This approach is familiar to anyone using the Internet. Any website that uses the secure HTTPS protocol will include proof of legitimacy through a publicly-maintained certificate, secured by a certificate authority, that guarantees the certificate holder’s identity and facilitates encrypted communications.

Some common forms of asymmetric encryption include:

  • Secure Socket Layer (SSL)/Transport Layer Security (TLS): Secure Sockets Layer, supplanted by the more advanced Transport Layer Security protocol, uses a handshake process to facilitate authentication and encryption protocols while using SSL certificates as the public component of the asymmetric encryption approach.

TLS currently serves as the baseline for many different forms of email communication, most notably in-transit (but not end-to-end) email cryptography and HTTPS protocols.

  • Rivest Shamir Aldeman (RSA): Named after its inventors, RSA uses the challenge of factoring prime numbers as the basis for deriving its encryption methods. This problem is so challenging that, with a strong enough key complexity, there is no published method for breaking RSA.

The trade-off is that it is quite slow due in no small part to its complexity. Because of the lack of efficiency, RSA is often used to encrypt keys to encode data as an additional layer of security.

  • Digital Signature Standard (DSS): The DSS was created by the National Security Agency (NSA) and published by the National Institute for Standards and Technology to provide organizations with a method of ensuring the legitimacy of digital documents.

This process uses a hashing function with a “signature” function, the sender’s private key, and the message itself to create a unique signature appended to the encrypted message. This signature can then be verified on the recipient’s end.

What Are the Benefits of Asymmetric Encryption?

There isn’t a one-size-fits-all approach to encryption, and different approaches will excel in different contexts. Furthermore, many systems will combine symmetric and asymmetric encryption in different ways to provide maximum protection.

Generally speaking, asymmetric encryption provides a few key benefits.

What Are the Benefits of Asymmetric Encryption?

 

  • In-Transit Security: Symmetric encryption only works with a single key used for encryption and decryption. With the right strategy, this is a perfectly stable and secure way to manage database or server encryption. Having a single key, however, is a liability when sending data between multiple parties. Asymmetric encryption is much more suitable for public internet data sharing.
  • Document Authentication: Public and private key pairs are necessary for creating security signatures that allow users to authenticate documents. This additional layer of security assures that the sender is who they say they are and that the message has not been tampered with.

What Are the Drawbacks of Asymmetric Encryption?

 

  • Speed: Asymmetric encryption is complex and, therefore, slow. It’s not the best solution for bulk encryption–which means it isn’t the best solution for encrypting servers, hard drives, databases, etc.
  • Complexity and Adoption: To be useful, all parties must use the same form of encryption to share messages. In many cases, this isn’t a problem. For example, all the major internet browsers and providers utilize HTTPS, which means that they have adopted certificate authorities and tools to ensure that HTTPS is seamlessly integrated such that users never have to do a thing. The same is true for email–almost all email providers will use some form of TLS.

The problem comes when organizations need to implement end-to-end encryption solutions like PGP. Because all parties must use the same solution, it’s not feasible for a hospital to send emails in a HIPAA-compliant fashion, counting on E2E to maintain data confidentiality.

Use Cases for Asymmetric Encryption

Despite challenges and benefits, asymmetric encryption isn’t a one size fits all solution. It has a big impact in areas where people need to secure information being exchanged on a network connection, often public ones, where a symmetric key isn’t necessarily secure enough.

Some of the primary business use cases for asymmetric encryption include:

  • Web Traffic Security: The use of SSL certificates on HTTPS transactions serves as a foundation of security on the Internet. It not only protects sensitive data exchanged across websites (such as, for example, payment information from a web store cart), but it also provides a way to prove that an entity is who they say they are–crucial for avoiding phishing scams.
  • Email Encryption: Most email providers will utilize TLS security for incoming and outgoing emails as a matter of purpose. This doesn’t obfuscate those emails in an inbox, but it ensures that emails cannot be plucked out of the ether and read by malicious actors.
  • Virtual Private Networks: VPNs are crucial for businesses with remote workers or an international workforce. To maintain the security, privacy and usability of the VPN intact, asymmetric encryption will be used (similar to TLS or SSL) to authenticate and authorize users while protecting data moving back and forth between the users and the central enterprise system.

Powerful Encryption and Authentication with 1Kosmos BlockID

Encryption and authentication go hand in hand–encryption keeps enterprise data safe while allowing authenticated and authorized users to access it. Following that, powerful asymmetric encryption standards work as part of maintaining remote and global enterprise operations every single day.

Products like 1Kosmos BlockID and BlockID Workforce use identity-based biometric authentication powering seamless onboarding, identity assurance, and integration with remote systems.

With 1Kosmos, you get the following benefits:

  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

If you’re ready to learn about BlockID and how it can help you remain compliant and secure, learn more about what it takes to Go Beyond Passwordless Solutions. Make sure you sign up for the 1Kosmos email newsletter for updates on products and events.

1Kosmos FIDO2
Read More