Encryption is the process of converting plaintext into ciphertext, and in order to protect your organization from adversaries, encrypting all your data is a must. But let’s back up for a moment; the following is a list of key terms (and their definitions) we will be using throughout this blog:
- Plaintext: the information that you wish to protect from unauthorized access
- Ciphertext: encrypted plaintext
- Encryption: the process of using an encryption algorithm with an encryption key to transform plaintext into ciphertext
- Key: a string of bits used with an encryption algorithm to provide encryption and decryption
- Decryption: the process of transforming ciphertext into plaintext
- Symmetric Encryption: when the same key is used for encryption and decryption operations
- Asymmetric Encryption: when different keys are used for encryption and decryption
- Cryptographic Checksum: a unique identifier for a piece of data
- Digital Signature: an encrypted cryptographic checksum of a piece of data
Now that we’ve covered the major definitions, the two main forms of data encryption are symmetric encryption and asymmetric encryption, but what is the difference, and which one is best for your organization? Knowing the differences, similarities, and details of each will help guide your security plan best practices and keep your workforce secure.
Symmetric encryption is older and has been the de facto form of encryption used by organizations and individuals alike. Symmetric encryption uses the same key to both encrypt and decrypt the data, meaning both parties have identical copies of the key. Here is how encrypted data is sent with symmetric encryption:
- First, a symmetric key is generated and distributed to the recipient in a secure manner.
- Someone writes a plaintext message that is unencrypted.
- This unencrypted plaintext is converted to ciphertext using an encryption algorithm (a cipher) together with the symmetric key.
- The encrypted ciphertext is sent to a recipient.
- The recipient of the ciphertext can use the shared key to decrypt the ciphertext into plaintext. The shared key used here is the same as what was used to encrypt the message in the first step.
- The message is now readable to the recipient.
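The six-step symmetric flow above, as an added Go example (not code from the original post or from Beyond Identity): AES-256-GCM under one shared key, assuming sender and recipient already hold identical copies of that key; the message text is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewCipher wraps a 16/24/32-byte shared key as AES-GCM; sender and
// recipient each call this with their identical copy of the key.
func NewCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt: plaintext -> nonce||ciphertext||tag; the tag lets the recipient detect tampering.
func Encrypt(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it only succeeds under the identical key and an untouched message.
func Decrypt(gcm cipher.AEAD, data []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(data) < n {
		return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(data))
	}
	return gcm.Open(nil, data[:n], data[n:], nil)
}

func main() {
	key := make([]byte, 32) // step 1: a 256-bit key (secure distribution not shown)
	rand.Read(key)
	sender, _ := NewCipher(key)
	ct, _ := Encrypt(sender, []byte("meet at noon")) // constructed sample message
	recipient, _ := NewCipher(key)                  // the recipient's identical copy
	pt, _ := Decrypt(recipient, ct)
	fmt.Printf("recipient reads: %q\n", pt)
	ct[len(ct)-1] ^= 1 // flip one bit of the tag in transit: GCM rejects it
	_, err := Decrypt(recipient, ct)
	fmt.Println("tampered message:", err)
}
```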
Assuming modern algorithms are used, the weakness within symmetric encryption is the symmetric key distribution. Another way to think of a symmetric secret is a shared secret, meaning each side of the transaction has the same key. In the case of a login, that key would be the password, which is a shared secret between the service provider and the account owner. The attack surface grows with each holder of the symmetric key, and the password can be stolen either from the account owner or from the service provider.
Asymmetric encryption helps to resolve the key distribution problem in symmetric encryption. Asymmetric encryption starts by generating two related but different keys. One may be used to encrypt plaintext to ciphertext, and the other may be used to decrypt ciphertext into plaintext. That way, you can share one of these keys with a third party in order to send messages to you or interpret messages from you. The key you share with that third party is known as the public key, and the one you keep secret is the private key. For example, with asymmetric encryption, when an email is encrypted using a public key, it can only be decrypted by the recipient with the corresponding private key. Alternatively, when someone signs a document with their private key, only the corresponding public key can be used for signature verification/authenticity.
Here is how asymmetric encryption helps someone to prove their identity:
- The asymmetric key pair is generated and the decryption key is distributed as the public key.
- The holder of the private key attempts to access a service.
- The service will respond with a challenge, which is a piece of data to be signed using that private key.
- The holder of the private key then signs that data and returns the signed data to the service.
- The service uses the public key to verify the signature on that data.
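The challenge-response steps above, written out as an added Go example (not code from the original post or from Beyond Identity's product) using Ed25519 signatures; the Service type, the user name "alice" and the 32-byte challenge size are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Service struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewService() *Service { return &Service{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Register stores only the public key (step 1); the service never holds a private key.
func (s *Service) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues 32 fresh random bytes for the user to sign (step 3).
func (s *Service) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Authenticate verifies the signature with the stored public key (step 5) and
// consumes the challenge, so a captured signature cannot be replayed later.
func (s *Service) Authenticate(user string, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	c, has := s.challenges[user]
	if !ok || !has {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, c, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair made on the user's device
	svc := NewService()
	svc.Register("alice", pub) // "alice" is a constructed sample user
	c, _ := svc.Challenge("alice")
	sig := ed25519.Sign(priv, c) // step 4: signing happens where the private key lives
	fmt.Println("login ok:", svc.Authenticate("alice", sig))
	svc.Challenge("alice") // a new challenge: the old signature must not verify
	fmt.Println("replay accepted:", svc.Authenticate("alice", sig))
}
```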
If someone were to steal the public key, it would be effectively useless to them. With only the public key, the adversary could verify signatures produced by the private key but could not produce one, so the stolen key cannot be used to authenticate. There is no way to reverse engineer the private key from the public key.
Similarities and Differences
While asymmetric encryption and symmetric encryption both carry out similar functions, there are some obvious differences between the two. First, let’s discuss the similarities...
- Both are used to encrypt sensitive information in order to keep it away from adversaries
- Both systems encrypt plaintext and decrypt ciphertext
- Both can withstand some common attacks on sensitive data
- If done well, both are resilient to ciphertext only attacks
And now, more importantly, the differences:
- Symmetric encryption is typically more efficient than asymmetric encryption
- In symmetric encryption, only one key is used to both encrypt and decrypt, vs asymmetric encryption, where two different keys are used to encrypt and decrypt
- The length of keys is vastly different—for symmetric encryption, the length of the keys used is typically 128 or 256 bits, but for asymmetric encryption, the length of the keys is much larger, typically 2048 bits or higher (only important if we care about the math behind the system)
- The risk of security compromise is much higher with symmetric encryption because of the shared secret key
Why Beyond Identity Uses Asymmetric Key Cryptography
With passwordless authentication, rather than authenticating with a symmetric secret, like a password, a person's identity is verified using a private key that is securely stored on the user’s personal device inside specialized hardware, such as a TPM. Because of this, the private key is truly secret: there is only one copy, and it cannot be cloned or moved. The private key is not shared with any entity, because only the public key is used to authenticate identities.
This allows you to essentially use the same key for multiple services, without the risks associated with traditional passwords. With the use of two different keys, the secret will never be stored in a database, where it could be breached or stolen, compromising your organization. Not even the person logging into an application “knows” the asymmetric key, at least not in the way a password is known, and the private key physically cannot be stolen—this is what fundamentally changes the system. This way, your applications, systems, and networks remain safe and secure from threats and adversaries.
Learn more about how Beyond Identity brings added security to your organization through eliminating passwords.