Symmetric VS. Asymmetric Encryption
Mark Repka – MegaplanIT Security Consultant
Caleb Coggins – Director of Compliance Services
Individuals and organizations rely on strong cryptography to protect data and systems during transmission and storage. Whether we are logging in to an online banking website, using secure messaging apps, or storing data on encrypted media and mobile devices, cryptography has become ubiquitous across business and personal computing systems. What does it mean to use strong cryptography? Here, we will highlight two methods of encryption and how they address confidentiality, non-repudiation, and integrity requirements.
Encryption is the process of encoding a message or data in such a way that only authorized persons or systems are allowed to decode the data from the original message or data block. This is accomplished through the use of an algorithm that performs mathematical operations and at least one key to encrypt or decrypt the data. While encryption does not prevent the capture of data, it prevents the data from being of any value to the interceptor. There are two types of encryption schemes: Symmetric and Asymmetric. During World War 2, the famous Enigma machine was used by Nazi Germany to securely generate encrypted communications using symmetric-key cryptography. The security of this system relied upon the secrecy of the key. Once a key is obtained or derived through cryptanalysis, the confidentiality of the encrypted data can become compromised.
Symmetric-key encryption is a scheme in which both the receiving and sending parties use the same key to encrypt and decrypt the data. Symmetric-key algorithms such as AES or 3DES block ciphers are commonly used. Since the messages are encoded and decoded with the same key, it is difficult to implement on larger operations, and key management becomes problematic as everyone shares the same key. In addition, the identities of the persons sending or receiving the keys messages are impossible to confirm as everyone shares the same encryption and decryption key. Mass use of the same key becomes problematic because one individual ends up with several different keys to communicate with different endpoints; Keys become difficult to manage as everyone has their own specific cryptographic key they share with only one partner.
[Symmetric Encryption: plaintext file + AES algorithm + key >>> encrypted file]
[Symmetric Decryption: encryptedfile + AES algorithm + key >>> plaintext file]
To better scale and identify individuals sending messages, we refer to an Asymmetric-key encryption scheme wherein the sender and receiver both use separate keys (key pairs) to achieve the same end goal. Public keys are a form of one-way encryption in which the message is encoded so the contents are not decipherable with the same key. This message encrypted with the receiver’s Public Key is sent to the receiver, and the receiver’s Private key is used to decode the message. Using asymmetric keys, the encoded message is only decipherable to the receiver as they are the only person with the appropriate private key. The public key can be made available to anyone who wishes to use it to send the end-user (private key holder) an encrypted message.
[Asymmetric Encryption: plaintext file + RSA algorithm + public key >>> encrypted file]
[Asymmetric Decryption: encryptedfile + RSA algorithm + private key >>> plaintext file]
The amount of key management here is dictated by simple formulas. For Asymmetric keys, each user must have a key pair consisting of one Public key and one Private key.). This results in a very scalable solution where a large number of users require a smaller number of keys. In contrast, when using symmetric keys not only will there be an infrastructure challenge in issuing keys (ensuring both parties have the same key) but the number of keys to be issued would exponentially grow as more users are added to the system. This follows the formula [Equation] where n is the number of users. Here is a brief chart showing how the number of keys required increases depending on the implementation of symmetric or asymmetric key encryption.
These concepts leads us to the topic of public key infrastructure (PKI) wherein messages and date originating from known sources can demonstrate confidentiality, integrity, and authenticity. These three elements from the Parkerian Hexad extend beyond the confidentiality characteristic of symmetric-key encryption and show that public key infrastructure can provide additional assurance for the validity of the data.
This introduces the concept of digital signatures wherein integrity and non-repudiation are preserved within the signature but may also have confidentiality added to the message via public key encryption. Within this scenario, the sender will encrypt the message with their own private key and hash the message with an agreed-upon hash with the receiver. The recipient of the message has a guarantee that if the hashed value of the message is the same as the value calculated by the original sender, the message has not been tampered with by an adversary. If the value differs from the calculated hash value, it would indicate that the message has been tampered with during transit. The message which has been encrypted with the sender’s PRIVATE KEY and decrypted with the sender’s PUBLIC KEY ensures that the message in fact came from the intended sender granting us non-repudiation. In short, a hashing function compiles a message into a numerical or character value. The content of the message is the calculated static value. Changing a single space, comma, or anything within the document will change the hash value and indicate tampering. In this exchange, the message itself is encrypted and its hashed value or message digest is determined to ensure that the message has not been tampered with and came from the intended sender (non-repudiation).
The process to ensure confidentiality of the message would be to encrypt the package with the recipient’s PUBLIC KEY as in theory the only recipient who would be able to decrypt the message would be the intended recipient as they are the only entity with the recipient’s PRIVATE KEY.
These methods of encryption mainly deal with data in transit, but data at rest uses a similar encryption scheme using keys. The end goal is the same: ensuring that only persons or machines with appropriate access rights are able to read or decrypt the data. Encrypting data at rest allows us to store data that would be worthless to anyone without a key or passcode. Following the same method or process, data is transformed using a key (or split keys) known only to certain individuals or machines. This process alters the data so that it is indecipherable without the aforementioned key to undo the transformation.
In a scenario where symmetric keys are used for the storage of information, the same individual or group would be decrypting the stored data using the same key which would have encrypted that data. Asymmetric key encryption may also be used to secure stored data. The data is encrypted using a public key and can later be decrypted using the private key associated with that key pair. This approach can facilitate encryption of your own data or encrypting a file prior to transmitting it to a third party such as over secure file transfer protocol (SFTP).
Organizations use data classification policies and standards to define what data elements require encryption. These policies and standards are generally driven by external requirements and require the participation of multiple internal resources to successfully implement and maintain secure data and systems. For example, companies that store sensitive information (e.g., PCI DSS compliance, HIPAA, GLBA) may apply encryption to specific files, data records, or data elements such as stored credit card numbers, social security numbers, and date of birth.
Encryption, whether it be symmetric or asymmetric, has the same end goal of encoding messages, contents, or data in such a way that only intended parties gain access. This affects both data at rest and data in motion because both are subject to confidentiality. Encryption can also provide non-repudiation and verify message integrity. In addition to selecting the appropriate cryptographic techniques and algorithms, the secure implementation of these methods plays a critical role in the overall effectiveness of the solution. Attempting to crack the encryption of today can be a very time and resource-intensive task if implemented properly; however, poor implementation, side-channel attacks, and inadequate key management processes may be detrimental to the security of your data.
Here at MegaplanIT, we have many years of experience with deployed encryption solutions, ranging from PKI, database encryption, and system-level security. We can guide your organization through every step of your assessment process, including audit preparation, onsite assessment of data flows and processes, policy and procedure development, and secure key management. Call us today to speak with industry-certified experts and learn how we can keep your data secure.
Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!
We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!
Share this post
Industry Leading Certified Experts
Subscribe To Our Newsletter & Stay Up-To-Date
Explore Our Blogs
Whitepaper | 10 min Read
Developing An Effective Compliance Program
This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business. We will also outline critical steps towards developing and implementing a useful and effective Compliance Program.
New Service Offering | Contact Us
Ransomware Preparedness Assessment
As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? If not or if you are unsure, MegaplanIT is offering a Ransomware Readiness Assessment free of charge for up to 50 Systems.
ResourceGuide | 8 min Read
Cybersecurity Roadmap For 2022
Companies need to be aware of their current state, where they need improvement, and how to be proactive moving forward. Dialing in on the key elements your organization will need to succeed is a great starting point to having a full-fledged plan in place, and it all comes down to the fundamentals.
We're Here To Help
We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. We are ready to help and discuss more information with you on our comprehensive list of services.
Make Our Team, Your Team!
Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.
Ransomware Assessment Preparedness
Cybersecurity Roadmap For 2022
Developing And Maintaining An Effective Compliance Program
As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack?
A Cybersecurity Roadmap details priorities and objectives to drive progress towards security goals. The roadmap follows a data-driven path based on answers to critical questions
This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business