A well-rounded solution for securing digital transactions includes the use of both symmetric and asymmetric cryptography and keys. Each method of data protection has advantages, especially when applied to the right scenarios. We will look at the reasons for using each cryptographic method in this section.
Symmetric Versus Asymmetric
Symmetric algorithms use the same key for both encryption and decryption, so both the sender and the receiver of the data must know and share the secret key. For standard encrypt/decrypt operations, symmetric algorithms generally perform much faster than their asymmetric counterparts, because asymmetric operations are far more computationally expensive. Symmetric cryptography is designed precisely for the efficient processing of large volumes of data. In other words, symmetric encryption is generally used for speed and performance, e.g. when there is a large amount of data that needs to be encrypted or protected.
Asymmetric cryptography, on the other hand, makes use of a key pair consisting of a private key and a mathematically associated public key: what one key encrypts, the other key decrypts, and what the private key signs, the public key verifies. For example, if the public key is used to encrypt some data, then only the holder of the private key can decrypt it. Conversely, if the holder of the private key signs some data, then anyone with the public key can verify the integrity and authenticity of that data. Asymmetric cryptography is more beneficial when larger groups of entities are sharing information. While it is relatively expensive computationally, it works well in situations requiring the benefits of a Public Key Infrastructure (PKI). A common example is when a trusted connection needs to be established where there is no existing shared secret.
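The signing direction described above (the private key signs, anyone holding the public key verifies) as an added example in Go; this is illustration code written for this page, not code from the article or from Cryptomathic. It uses the standard library's Ed25519 implementation, the message is a constructed sample, and the `Signer` type and `VerifyWith` helper are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds an Ed25519 key pair. Only Pub is ever distributed; priv stays
// with the signing entity, which is the "one entity keeps hold of its private
// key" model the text describes.
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh key pair from the OS random source.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Pub: pub}, nil
}

// Sign produces a 64-byte signature over msg using the private key.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// VerifyWith is what any recipient runs: it needs only the public key and
// returns false if either the message or the signature was altered, or if the
// signature was made under a different private key.
func VerifyWith(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample message (hypothetical payment instruction).
	msg := []byte("transfer 100.00 EUR to account 12345")
	sig := signer.Sign(msg)
	fmt.Println("genuine message verifies:", VerifyWith(signer.Pub, msg, sig))

	// A single changed byte ("100.00" -> "900.00") invalidates the signature.
	tampered := append([]byte(nil), msg...)
	tampered[9] = '9'
	fmt.Println("tampered message verifies:", VerifyWith(signer.Pub, tampered, sig))
}
```

The verifier never needs the private key, which is exactly why public-key distribution scales to large groups of entities: the public half can be handed out freely while the private half never leaves its owner.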
Hybrid Solutions
Asymmetric encryption is often used to establish a secure connection between two parties, e.g. when connecting to an online web portal or secure website. The extra overhead of the public/private key operation is only incurred at the beginning of the exchange to ensure a trusted relationship. Typically, once a secure connection is established, the two entities will then use faster symmetric encryption to share multiple transactions of sensitive data. The combination of using both symmetric and asymmetric algorithms together is known as hybrid encryption.
With the hybrid encryption approach, the two communication partners initially use asymmetric encryption to establish the secure connection and agree on a symmetric encryption key together, and then encrypt their traffic with that secret key. This approach allows a shared secret key to be generated in such a way that the key cannot be recovered by observing the communication. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely used examples of hybrid encryption communication.
One System to Manage All Keys
A significant difference between symmetric and asymmetric key management is key distribution. Distributing high-value symmetric keys (such as a master key) is much more difficult, because each secret key has to be delivered securely to every application that requires it. With asymmetric keys, only one entity keeps hold of its private key and openly shares the public key with all other entities.
Nevertheless, there are challenges to the management of both asymmetric and symmetric keys. The loss or misuse of any significant private or secret key can be hugely damaging to an organisation. Since the need for both types of cryptography will exist for the foreseeable future, you will need to securely manage the life-cycles and the growth of these keys.
The optimal solution will be a centralized key management system that is capable of handling the complexities of both types of keys throughout their life-cycle. A key management system can ensure that the right keys are available to (only) authorized applications when needed and are recoverable when necessary.
References and Further Reading
- NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker
- Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
- CKMS Product Sheet (2016), by Cryptomathic