What are the advantages of asymmetric encryption?

Science and Cyber Security

Thomas W. Edgar, David O. Manz, in Research Methods for Cyber Security, 2017

Asymmetric Encryption

Asymmetric encryption uses computationally hard problems with a secret (private) key and a shared (public) key. With asymmetric encryption, a message encrypted with one’s public key can only be deciphered by their private key and vice versa. Asymmetric encryption solves the problem of having to share a key without a secure channel: communicating parties share their public keys and, using complex math, encrypt data such that an eavesdropper cannot decipher the message. Therefore, everyone can publicly share their public key so that others can communicate with them. Best practice says you only encrypt data using the receiving party’s public key, and you do not encrypt messages with your private key.

Asymmetric encryption also enabled the concept of digital signatures. If, instead of being used for encryption, the private key is used for message authentication, one can sign a message. To sign a message, one first hashes the message (hashes are described next) and then encrypts the hash. This encrypted hash is transmitted with the message. A receiver can verify it by decrypting the hash with the signer’s public key and comparing the decrypted value to a computed hash of the message. If the values are equal, then the message is valid and came from the signer (assuming that the private key wasn’t stolen, of course).


URL: https://www.sciencedirect.com/science/article/pii/B9780128053492000029

Domain 3: Security Engineering (Engineering and Management of Security)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Asymmetric and Symmetric Tradeoffs

Asymmetric encryption is far slower than symmetric encryption, and is also weaker per bit of key length. The strength of asymmetric encryption is the ability to securely communicate without pre-sharing a key.

Table 4.16 compares symmetric and asymmetric algorithms based on key length. Note that systems based on discrete logarithms and factoring prime numbers are far weaker per bit of key length than symmetric systems such as Triple DES and AES. Elliptic Curve fares much better in comparison, but is still twice as weak per bit compared to AES.

Table 4.16. Symmetric vs. Asymmetric Strength [25]

Asymmetric and symmetric encryption are typically used together: use an asymmetric algorithm such as RSA to securely send someone an AES (symmetric) key. The symmetric key is called the session key; a new session key may be retransmitted periodically via RSA.

This approach leverages the strengths of both cryptosystems. Use the slower and weaker asymmetric system for the one part that symmetric encryption cannot do: securely pre-share keys. Once shared, leverage the fast and strong symmetric encryption to encrypt all further traffic.


URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000047

Understanding Cybercrime Prevention

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Asymmetric Encryption

To address the problem of key exchange, another type of encryption was developed. Asymmetric encryption is also called public key encryption, but it actually relies on a key pair. Two mathematically related keys, one called the public key and another called the private key, are generated to be used together. The private key is never shared; it is kept secret and is used only by its owner. The public key is made available to anyone who wants it. Because of the time and amount of computer processing power required, it is considered “mathematically unfeasible” for anyone to be able to use the public key to re-create the private key, so this form of encryption is considered very secure.

The primary advantage of asymmetric encryption is that there is no need to securely transmit a secret key. Instead, the public key is published openly, made available to the entire world. There is no need to keep it secret, because it can't be used alone. The encryption process works like this:

1. The sender of a message uses the intended recipient's public key, which is freely available, to encrypt a message.

2. The recipient decrypts the message using his or her private key. Only the private key associated with the public key that encrypted it can be used to decrypt the message.

This key pair can also be used to provide for authentication of a message sender's identity using the keys a little differently: This time the sender uses his or her own private key to encrypt the message. This system provides no confidentiality, because anyone can decrypt the message using the owner's public key. However, it does verify the sender's identity, because if the associated public key will decrypt the message, it could only have been encrypted with that person's private key.

Obviously, the most important issue in public key cryptography is the protection of the private keys. This concept is especially important because compromise of a private key not only allows the unauthorized person to read private messages sent to the owner, but also allows the key thief to “sign” transactions emulating the owner, thus stealing the owner's identity. When the key pair is used for secure credit card or banking transactions, this loophole can be disastrous.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000121

Internet Security

Jesse Walker, in Network and System Security (Second Edition), 2014

An Asymmetric Key Mutual Authentication Method

Authentication based on asymmetric keys is also possible. In addition to asymmetric encryption, there is also an asymmetric key analog of a message authentication code called a signature scheme. Just like a message authentication code, a signature scheme consists of three operations: key generate, sign, and verify. The key generate operation outputs two parameters, a signing key S and a related verification key V. S’s key holder is never supposed to reveal S to another party, whereas V is meant to be a public value. Under these assumptions, the sign operation takes the signing key S and a message M as input parameters and outputs a signature s of M. The verify operation takes the verification key V, message M, and signature s as inputs, and returns whether it verifies that s was created from S and M. If the signing key S is indeed known by only one party, the signature s must have been produced by that party. This is because it is infeasible for a computationally limited party to compute the signature s without S. Asymmetric signature schemes are often called public/private key schemes because S is maintained as a secret, never shared with another party, whereas the verification key is published to everyone.

Signature schemes were invented to facilitate authentication. To accomplish this goal, the verification key must be public, and it is usually published in a certificate, which we will denote as cert(ID_A, V), where ID_A is the identity of the key holder of S and V is the verification key corresponding to A. The certificate is issued by a well-known party called a certificate authority. The sole job of the certificate authority is to introduce one party to another. A certificate cert(ID_A, V) issued by a certificate authority is an assertion that entity A has a public verification key V that is used to prove A’s identity.

As with symmetric authentication, hundreds of different authentication protocols can be based on signature schemes. The following is one example among legions of examples:

(7.4) A → B: cert(ID_A, V), R_A

Here cert(ID_A, V) is A’s certificate, conveying its identity ID_A and verification key V; R_A is a random number generated by A. If B is willing to begin a new session with A, it responds with the message:

(7.5) B → A: cert(ID_B, V′), R_B, R_A, sig_B(ID_A, R_B, R_A)

R_B is a random number generated by B, and sig_B(ID_A, R_B, R_A) is B’s signature over the message with fields ID_A, R_B, and R_A. Including ID_A under B’s signature is essential because it is B’s way of asserting that A is the target of message 2. Including R_B and R_A in the information signed is also necessary to defeat man-in-the-middle attacks. A responds with a third message:

(7.6) A → B: cert(ID_A, V), R_B, sig_A(ID_B, R_B)
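The three-message exchange (7.4) through (7.6), together with the hash-then-sign construction from the Edgar and Manz excerpt above, worked through as an added example that is not from either book: textbook (unpadded) RSA over SHA-256 stands in for the signature scheme, a certificate cert(ID, V) is modelled as a bare (ID, V) tuple with the certificate authority's own signature omitted, and the key parameters are constructed from Mersenne primes so the code runs offline; all of these are assumptions of the example, not anything the chapters specify.

```python
import hashlib
import secrets

def encode(fields) -> bytes:  # length-prefix fields so they cannot be re-split
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generate: returns (verification key V, signing key S)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)

def sign(S, *fields: bytes) -> int:  # hash the fields, then apply the private exponent
    n, d = S
    return pow(int.from_bytes(hashlib.sha256(encode(fields)).digest(), "big"), d, n)

def verify(V, sig: int, *fields: bytes) -> bool:  # public exponent undoes the signature
    n, e = V
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(encode(fields)).digest(), "big")

# Constructed toy parameters (Mersenne primes): public knowledge, hence NOT secure keys.
KEYS_A = keygen((1 << 127) - 1, (1 << 521) - 1)
KEYS_B = keygen((1 << 107) - 1, (1 << 607) - 1)

# cert(ID, V) is modelled as a bare (ID, V) tuple; the CA's own signature is omitted.
def msg1(cert_a):
    return cert_a, secrets.token_bytes(16)                        # (7.4) A -> B

def msg2(cert_b, S_b, m1):
    cert_a, r_a = m1
    r_b = secrets.token_bytes(16)
    return cert_b, r_b, r_a, sign(S_b, cert_a[0], r_b, r_a)       # (7.5) B -> A

def a_accepts(cert_a, r_a, m2) -> bool:
    cert_b, r_b, r_a_echo, sig = m2
    # B's signature must name A as the target and bind A's fresh nonce R_A.
    return r_a_echo == r_a and verify(cert_b[1], sig, cert_a[0], r_b, r_a)

def msg3(cert_a, S_a, cert_b, r_b):
    return cert_a, r_b, sign(S_a, cert_b[0], r_b)                 # (7.6) A -> B

def b_accepts(cert_b, r_b, m3) -> bool:
    cert_a, r_b_echo, sig = m3
    return r_b_echo == r_b and verify(cert_a[1], sig, cert_b[0], r_b)

def run_exchange(id_a, keys_a, id_b, keys_b):  # returns (A accepted B, B accepted A)
    cert_a, cert_b = (id_a, keys_a[0]), (id_b, keys_b[0])
    m1 = msg1(cert_a)
    m2 = msg2(cert_b, keys_b[1], m1)
    m3 = msg3(cert_a, keys_a[1], cert_b, m2[1])
    return a_accepts(cert_a, m1[1], m2), b_accepts(cert_b, m2[1], m3)
```

A deployed signature scheme would use a padded construction such as RSA-PSS or an elliptic-curve signature rather than the raw exponentiation shown here; the message structure and the checks each party performs are what the example is meant to show.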


URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000071

Domain 5: Cryptography

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP (Second Edition), 2014

Answers

1. Correct answer and explanation: C. Answer C is correct; digital signatures require asymmetric encryption. ECC is the strongest asymmetric algorithm per bit of key length. This allows shorter key lengths that require less CPU resources.

Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. AES is a symmetric cipher; symmetric ciphers are not used in digital signatures. RSA is based on factoring composite numbers into their primes, and ElGamal is based on discrete logarithms. Both methods provide roughly the same strength per bit and are far weaker per bit than ECC.

2. Correct answer and explanation: C. Answer C is correct; chosen ciphertext attacks are usually launched against asymmetric cryptosystems, where the cryptanalyst may choose public documents to decrypt that are signed (encrypted) with a user's public key.

Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. None of these are primarily used against asymmetric encryption.

3. Correct answer and explanation: C. Answer C is correct; linear cryptanalysis analyzes large amounts of plaintext/ciphertext pairs created with the same key, trying to deduce information about the key.

Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Linear cryptanalysis is a known plaintext attack, but the question references linear specifically, making known plaintext attack incorrect. Differential cryptanalysis seeks to find the “difference” between related plaintexts that are encrypted. A cryptanalyst chooses the plaintext to be encrypted during a chosen plaintext attack.

4. Correct answer and explanation: B. Answer B is correct; the sender generates a hash of the plaintext and encrypts the hash with a private key. The recipient decrypts the hash with a public key.

Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. The sender encrypts the hash with the private key, not public. The plaintext is hashed and not encrypted.

5. Correct answer and explanation: D. Answer D is correct; Blowfish was not an AES finalist (Twofish, based on Blowfish, was).

Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. MARS, RC6, and Serpent were all AES finalists.


URL: https://www.sciencedirect.com/science/article/pii/B9780124171428000054

Resistance Strategies

Timothy J. Shimeall, Jonathan M. Spring, in Introduction to Information Security, 2014

This chapter provides an introduction to encryption as a resistance strategy. The focus is on symmetric encryption. Steganography and asymmetric encryption are covered in enough detail to demonstrate what symmetric cryptography is not, even though both could be subjects of books in their own right. Likewise, information theory is introduced at the appropriate level to support the discussion on cryptography. The chapter assumes no previous knowledge, and attempts to provide a basis for understanding by beginning with definitions for primitive cryptographic terms and discussing what encryption can and cannot do.

To give the reader a feel for how cryptography works, historic examples are introduced and the workings of the ciphers are described in some detail. Although these ciphers are not of practical importance, they are simple enough that the reader can grasp their workings without the extensive math background needed for modern ciphers. The historic ciphers covered include several substitution and transposition ciphers, starting with the simple Caesar cipher.

Modern encryption is discussed in the context of its primary uses: block ciphers, stream ciphers, disk encryption, and file encryption. Asymmetric encryption is introduced mostly for its utility in key management and distribution of symmetric keys. Host identification, more properly a topic for Chapter 7, is included in this chapter as a motivating example and technical example of these concepts; particularly to this end, the working of the transport layer security (TLS) stack is described.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499699000080

What's the advantage and disadvantage of asymmetric encryption?

Asymmetric encryption uses longer keys than symmetric encryption in order to provide better security than symmetric key encryption. While the longer key length in itself is not so much a disadvantage, it contributes to slower encryption speed.

What are the advantages of symmetric and asymmetric encryption?

Symmetric cryptography is faster to run (in terms of both encryption and decryption) because the keys used are much shorter than they are in asymmetric cryptography. Additionally, the fact that only one key gets used (versus two for asymmetric cryptography) also makes the entire process faster.