MegaplanIT Blog's & Informational Resources

Whether you’re looking to secure your business or stay PCI compliant, MegaplanIT has a certified team of experts that can help you every step of the way. Stay informed with up-to-date blog.

Symmetric VS. Asymmetric Encryption

MegaplanIT
Posted by MegaplanIT on 6/4/21 11:24 AM

Written By:

Mark Repka - MegaplanIT Security Consultant LinkedIn_logo_initials 

Caleb Coggins - Director of Compliance Services LinkedIn_logo_initials 

 

Individuals and organizations rely on strong cryptography to protect data and systems during transmission and storage. Whether we are logging in to an online banking website, using secure messaging apps, or storing data on encrypted media and mobile devices, cryptography has become ubiquitous across business and personal computing systems. What does it mean to use strong cryptography?  Here, we will highlight two methods of encryption and how they address confidentiality, non-repudiation, and integrity requirements.  

 

Encryption is the process of encoding a message or data in such a way that only authorized persons or systems are allowed to decode the data from the original message or data block. This is accomplished through the use of an algorithm that performs mathematical operations and at least one key to encrypt or decrypt the data. While encryption does not prevent the capture of data, it prevents the data from being of any value to the interceptor. There are two types of encryption schemes: Symmetric and Asymmetric. During World War 2, the famous Enigma machine was used by Nazi Germany to securely generate encrypted communications using symmetric-key cryptography. The security of this system relied upon the secrecy of the key. Once a key is obtained or derived through cryptanalysis, the confidentiality of the encrypted data can become compromised.   

  

Symmetric-key encryption is a scheme in which both the receiving and sending parties use the same key to encrypt and decrypt the data. Symmetric-key algorithms such as AES or 3DES block ciphers are commonly used. Since the messages are encoded and decoded with the same key, it is difficult to implement on larger operations, and key management becomes problematic as everyone shares the same key. In addition, the identities of the persons sending or receiving the keys messages are impossible to confirm as everyone shares the same encryption and decryption key. Mass use of the same key becomes problematic because one individual ends up with several different keys  to communicate with different endpoints; Keys become difficult to manage as everyone has their own specific cryptographic key they share with only one partner.  

  

Encryption-Graphic-2

[Symmetric Encryption: plaintext file + AES algorithm + key >>> encrypted file]  

[Symmetric Decryption: encryptedfile + AES algorithm + key >>> plaintext file]  

 

To better scale and identify individuals sending messages, we refer to an Asymmetric-key encryption scheme wherein the sender and receiver both use separate keys (key pairs) to achieve the same end goal. Public keys are a form of one-way encryption in which the message is encoded so the contents are not decipherable with the same key. This message encrypted with the receiver’s Public Key is sent to the receiver, and the receiver’s Private key is used to decode the message. Using asymmetric keys, the encoded message is only decipherable to the receiver as they are the only person with the appropriate private key. The public key can be made available to anyone who wishes to use it to send the end-user (private key holder) an encrypted message.   

  

AdobeStock_274402393

[Asymmetric Encryption: plaintext file + RSA algorithm + public key >>> encrypted file]  

[Asymmetric Decryption: encryptedfile + RSA algorithm + private key >>> plaintext file]  

  

The amount of key management here is dictated by simple formulas. For Asymmetric keys, each user must have a key pair consisting of one Public key and one Private key.). This results in a very scalable solution where a large number of users require a smaller number of keys. In contrast, when using symmetric keys not only will there be an infrastructure challenge in issuing keys (ensuring both parties have the same key) but the number of keys to be issued would exponentially grow as more users are added to the system. This follows the formula [Equation] where n is the number of users. Here is a brief chart showing how the number of keys required increases depending on the implementation of symmetric or asymmetric key encryption.  

Users (n)  

Symmetric  

Asymmetric  

2  

1  

4  

5  

10  

10  

50  

1225  

100  

100  

4950  

200  

500  

124750  

1000  

1000  

499500  

2000  

5000  

12497500  

10000  

10000  

49995000  

20000  

  

  

These concepts leads us to the topic of public key infrastructure (PKI) wherein messages and date originating from known sources can demonstrate confidentiality, integrity, and authenticity. These three elements from the Parkerian Hexad extend beyond the confidentiality characteristic of symmetric-key encryption and show that public key infrastructure can provide additional assurance for the validity of the data.  

 

This introduces the concept of digital signatures wherein integrity and non-repudiation are preserved within the signature but may also have confidentiality added to the message via public key encryption. Within this scenario, the sender will encrypt the message with their own private key and hash the message with an agreed-upon hash with the receiver. The recipient of the message has a guarantee that if the hashed value of the message is the same as the value calculated by the original sender, the message has not been tampered with by an adversary. If the value differs from the calculated hash value, it would indicate that the message has been tampered with during transit. The message which has been encrypted with the sender’s PRIVATE KEY and decrypted with the sender's PUBLIC KEY ensures that the message in fact came from the intended sender granting us non-repudiation.  In short, a hashing function compiles a message into a numerical or character value. The content of the message is the calculated static value. Changing a single space, comma, or anything within the document will change the hash value and indicate tampering.  In this exchange, the message itself is encrypted and its hashed value or message digest is determined to ensure that the message has not been tampered with and came from the intended sender (non-repudiation).  

 

The process to ensure confidentiality of the message would be to encrypt the package with the recipient’s PUBLIC KEY as in theory the only recipient who would be able to decrypt the message would be the intended recipient as they are the only entity with the recipient’s PRIVATE KEY.   

 

These methods of encryption mainly deal with data in transit, but data at rest uses a similar encryption scheme using keys. The end goal is the same: ensuring that only persons or machines with appropriate access rights are able to read or decrypt the data. Encrypting data at rest allows us to store data that would be worthless to anyone without a key or passcode. Following the same method or process, data is transformed using a key (or split keys) known only to certain individuals or machines.  This process alters the data so that it is indecipherable without the aforementioned key to undo the transformation.    

 

In a scenario where symmetric keys are used for the storage of information, the same individual or group would be decrypting the stored data using the same key which would have encrypted that data. Asymmetric key encryption may also be used to secure stored data. The data is encrypted using a public key and can later be decrypted using the private key associated with that key pair.  This approach can facilitate encryption of your own data or encrypting a file prior to transmitting it to a third party such as over secure file transfer protocol (SFTP).  

 

Organizations use data classification policies and standards to define what data elements require encryption. These policies and standards are generally driven by external requirements and require the participation of multiple internal resources to successfully implement and maintain secure data and systems. For example, companies that store sensitive information (e.g., PCI DSS compliance, HIPAA, GLBA) may apply encryption to specific files, data records, or data elements such as stored credit card numbers, social security numbers, and date of birth.  

 

Encryption, whether it be symmetric or asymmetric, has the same end goal of encoding messages, contents, or data in such a way that only intended parties gain access. This affects both data at rest and data in motion because both are subject to confidentiality. Encryption can also provide non-repudiation and verify message integrity. In addition to selecting the appropriate cryptographic techniques and algorithms, the secure implementation of these methods plays a critical role in the overall effectiveness of the solution. Attempting to crack the encryption of today can be a very time and resource-intensive task if implemented properly; however, poor implementation, side-channel attacks, and inadequate key management processes may be detrimental to the security of your data.  

 

Here at MegaplanIT, we have many years of experience with deployed encryption solutions, ranging from PKI, database encryption, and system-level security.  We can guide your organization through every step of your assessment process, including audit preparation, onsite assessment of data flows and processes, policy and procedure development, and secure key management. Call us today to speak with industry-certified experts and learn how we can keep your data secure. 

 

Speak With A MegaplanIT Expert 

We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. We are ready to help and discuss more information with you on our comprehensive list of services.

Schedule Meeting

 

Topics: Compliance Services

Leave Comment