Cryptographic Keys – CompTIA Security+ SY0-501 – 6.1

The keys used in cryptography may consist of many different characteristics. In this video, you’ll learn about key strength, the key exchange process, and real-time encryption and decryption.

<< Previous Video: Weak Encryption Next: Steganography >>

Cryptography doesn’t rely on security through obscurity. With cryptography, you know practically everything about the cryptographic process. The entire algorithm is usually public and known to everyone.

The one piece of information that isn’t known is the key. And that’s why the cryptographic key is so important. It’s going to determine what type of encrypted data you’re going to create, it will determine the hash value that’s created. And that key will determine what type of digital signature is created. That’s why we constantly say that your key must always be private because that’s the only thing protecting your data.

The size of the key is also important for security. The larger keys tend to be more secure, because the larger keys means there are more possible key combinations if somebody had to go through and brute force every single one of those. Of course, as our computing power grows and it becomes much more easy to perform many more calculations, we have to keep making these kids larger and larger.

For symmetric encryption, it’s common to see 128-bit keys. But we’re going to see larger and larger symmetric keys as it becomes easier to do brute force attacks. Asymmetric encryption, though, uses very complex calculations of very large prime numbers. And that means that the keys involved with asymmetric encryption are going to be quite a bit larger. It’s common to see asymmetric keys that are 3,072 bits or even larger to be able to prevent any brute force attacks.

So now that we understand how important this key is, how do we get a key exchanged with someone else over an insecure medium like the internet, but still maintain the confidentiality of that key? One way to do this would be to send the key out of band or without using the internet. We might telephone someone. We could provide a courier to send that key from one person to the other. Or we could visit them and hand the key over in person.

And out-of-band key exchange isn’t practical for most people. Instead, most of us use an in-band key exchange, where we’re transferring keys across the network. We would generally protect a symmetric key, then, by adding additional encryption. And it’s common to use asymmetric encryption, in order to protect our symmetric key.

Unfortunately, asymmetric encryption requires so much overhead that it’s not practical to use for real time encryption and decryption. For that reason, we commonly use symmetric encryption. But how would I get a symmetric key to use for encryption from a web server, if our only way of communicating is across the internet?

Well one way to do that is to share the symmetric key by using asymmetric encryption. I would have the server send me its public key. And then I would encrypt a random key with that public key and send it to the server. The server receives that encrypted message. It decrypts it with its private asymmetric key and then ultimately has the symmetric key that will be used for this conversation.

An important best practice when you’re using session keys is to change these keys often– once a day or multiple times a day. We call these temporary keys, ephemeral keys. And they also need to be unpredictable values. We don’t want our session keys to simply increment by one each time it’s changed, because there needs to be randomization to prevent any type of brute force attack.