Asymmetric Encryption
- Uses a mathematically related pair of keys - one public, one private - where data encrypted with one key can only be decrypted with the other
- Solves the key distribution problem of symmetric encryption by allowing secure communication without prior key exchange
- Much slower than symmetric encryption - typically used only for key exchange and digital signatures, not bulk data encryption
- Based on mathematical problems that are easy to compute in one direction but extremely difficult to reverse (one-way functions)
How It Works
- Key Generation: Mathematical algorithms create two keys that are mathematically linked but computationally infeasible to derive one from the other
- Encryption Process: Sender uses recipient’s public key to encrypt data - only the recipient’s private key can decrypt it
- Authentication Process: Sender uses their own private key to sign data - anyone with sender’s public key can verify the signature came from that sender
- Public keys can be freely distributed while private keys must remain secret and secure
Common Algorithms
| Algorithm | Key Size | Use Case | Strength |
|---|---|---|---|
| RSA | 1024-4096 bits | General purpose, widely supported | Industry standard, well-tested |
| ECC (Elliptic Curve) | 256-521 bits | Mobile/IoT devices, performance critical | Smaller keys, faster operations |
| Diffie-Hellman | 1024-4096 bits | Key exchange only | Enables secure key agreement |
| DSA | 1024-3072 bits | Digital signatures only | NIST standard for signatures |
Real-World Applications
- SSL/TLS Handshake: Web browsers use server’s public key to encrypt a symmetric session key for HTTPS connections
- SSH Key Authentication: Client’s public key stored on server allows passwordless authentication using client’s private key
- Digital Certificates: Certificate Authorities (CAs) use their private keys to sign certificates, browsers verify using CA’s public key
- Email Security (PGP/S/MIME): Users encrypt emails with recipient’s public key, sign with their own private key
- VPN Authentication: IPSec can use digital certificates for device authentication before establishing tunnels
Vocabulary
Public Key Infrastructure (PKI): Complete framework for managing digital certificates and public-private key pairs across an organization
Certificate Authority (CA): Trusted third party that issues and manages digital certificates, binding public keys to identities
Digital Signature: Cryptographic proof that data came from a specific sender and hasn’t been tampered with (uses sender’s private key)
Key Exchange: Process of securely sharing encryption keys between parties (often uses asymmetric encryption to protect symmetric keys)
Non-repudiation: Property ensuring that a sender cannot deny having sent a message (achieved through digital signatures)
Notes
- Hybrid approach is standard - use asymmetric encryption to securely exchange symmetric keys, then use faster symmetric encryption for actual data
- Key size matters for security - RSA keys should be minimum 2048 bits for current security standards (1024-bit considered weak)
- Private key protection is critical - if compromised, entire security model fails (use hardware security modules in enterprise environments)
- Certificate validation is essential - always verify certificate chain back to trusted root CA to prevent man-in-the-middle attacks
- Performance impact: RSA encryption is roughly 100-1000x slower than AES symmetric encryption
- Key rotation policies required - regularly generate new key pairs and update certificates before expiration
- ECC provides equivalent security to RSA with much smaller key sizes (256-bit ECC ≈ 3072-bit RSA)
- Watch for weak random number generation during key creation - poor entropy leads to predictable keys