# Symmetric and Asymmetric Encryption – CompTIA Security+ SY0-501 – 6.1

January 21, 2018

If you’re planning to implement cryptography, then you’ll probably be using either symmetric encryption or asymmetric encryption. In this video, you’ll learn about both of these valuable encryption mechanisms.

If you’ve implemented symmetric encryption using a single shared key for both the encryption process and the decryption process, if some third party gains access to this key, you’ll need to throw that key away, use a different key, and distribute that key to both the sender and the recipient. This uses a shared key algorithm. Some people refer to this as a shared secret. And hopefully, it’s a secret that is only shared between the people that need to either encrypt or decrypt this information.

This obviously doesn’t scale very well. It can be difficult to distribute these keys to everyone who might need it. You can think of symmetric key distribution as someone who might have a key inside of a locked briefcase, and that locked briefcase is handcuffed to this person. That way, that key never gets out of their sight, and the only person who would be able to unlock this briefcase is the recipient who needs access to that key.

Symmetric encryption is a relatively fast way to encrypt and decrypt data. That has relatively less overhead than using asymmetric encryption, for example, but we often combine symmetric and asymmetric encryption together. For example, it’s very common to encrypt a symmetric key using asymmetric encryption, and now you don’t need somebody with a briefcase in handcuffs. You can simply send that key across a public medium. And since that symmetric key is encrypted using asymmetric encryption, even if somebody was to capture that data during the transfer, they would still have no idea what our symmetric key was.

You often hear asymmetric encryption referred to as public key cryptography. That’s because there are usually two or sometimes more keys created that are mathematically related to each other. One of these keys is the private key– the key that you would keep private and personal to you. The other key is one that we call the public key, because anyone can gain access to this key. And in fact, you should give this key to everyone who might want to send you information over an encrypted channel. And in many cases, people will put their public key on a public key server so that you can perform a search of their email address and retrieve their public key in return.

The secret to asymmetric encryption is that the only way to decrypt any data that has been created with this public key is only if you have the private key. Once information has been encrypted using the public key, nobody else can decrypt that information, even if they have access to the public key. This is the value of asymmetric encryption, and this is why we rely on asymmetric encryption for so much security on the internet.

I mentioned earlier that someone’s public and private keys are mathematically related. We create these keys at the same time using a key generation process. We’ll start with a large random number. We’ll put that into a key generation program. And out of that, we will get two keys– a public key and a private key. We’ll give everybody a copy of the public key, and we’ll make sure that we are the only ones who have access to the private key.

Let’s say that Bob would now like to encrypt some information and send that to Alice using this asymmetric encryption process. Before we start, Bob needs access to Alice’s public key. Alice’s public key might be on her web page, it might be part of a public key repository, or Alice might provide this public key directly to Bob. Bob then starts with the plaintext that he’d like to send to Alice. In this case, it’s a simple “hello, Alice.” And he uses Alice’s public key to combine with that plaintext to create the ciphertext.

This is the encrypted data, and you can see it looks nothing like “hello, Alice.” Bob will then send that ciphertext to Alice. Alice will use her private key to combine with the ciphertext. And only by using that private key is she able to decrypt this information and read the original plaintext.

We can also use this public key cryptography to be able to create a symmetric key that would only be known by two individuals. We know, for example, that Bob has his private key, and nobody else has access to Bob’s private key except Bob. And Alice has her private key, and of course, no one has access to that private key but Alice. Bob will combine his private key with Alice’s public key– which is, of course, available to everyone– and Alice will combine her private key with Bob’s public key– which, of course, is available to everyone as well.

The combination of Bob’s private key and Alice’s public key and the combination of Alice’s private key and Bob’s public key create exactly the same result, which is a symmetric key that is identical. So both Bob and Alice could communicate using symmetric encryption by simply combining their two keys together and coming up with exactly the same symmetric key. This asymmetric encryption process uses very large integers. It uses very large prime numbers. And there’s a good bit of overhead associated with using asymmetric encryption.

But, of course, our mobile devices don’t have as much power or memory as our desktop or laptop systems. In that case, we may want to use elliptic curve cryptography, or ECC. Instead of using those large prime numbers, we can instead use curves to be able to create asymmetric encryption. This uses smaller key sizes for the same amount of security, and it has a smaller storage and transmission requirement than traditional asymmetric encryption.

Category: CompTIA Security+ SY0-501