Jun 17, 2020 2:04:12 PM

When to Use Symmetric vs. Asymmetric Encryption

Most people today are familiar with the basic idea of cryptography -- encrypting a message to secure it so that it’s not readable to anyone and everyone. This familiarity is not surprising given the multitude of use cases for encryption, which span everything from digital signatures and SSL certificates that secure websites to cryptocurrency like Bitcoin and public key infrastructures (PKI). 

However, there’s a lot more to cryptography that meets the eye. Cryptographic algorithms are defined, highly complex mathematical formulas that range in complexity, and the earliest ones pre-date modern technology. 

Today, there are two types of cryptography that get used often: Symmetric and asymmetric cryptography. This article will explore the differences between these two types of cryptography,  the pros and cons of each and common use cases for each approach. 

What is Symmetric Cryptography? 

Symmetric cryptography uses mathematical permutations to encrypt a plain text message. It also uses the same mathematical permutation, known as a key, to decrypt messages. 

Importantly, the same plain text letter does not always come out the same in the encrypted message (e.g. “SSS” would not encrypt to three of the same characters), which makes it difficult to decode the encrypted message without the key. 

Even though it’s difficult to decrypt messages without the key, the fact that this approach uses the same key for both encryption and decryption creates risk. Specifically, people (or technology) who want to correspond via symmetric encryption must share the key to do so, and if the channel used to share the key gets compromised, so does the entire system for sharing secure messages since anyone with the key can encrypt or decrypt those communications. 

By today’s standards, symmetric encryption is a relatively simple cryptographic algorithm, however it was once considered state of the art and used by the German army in World War II. 

What is Asymmetric Cryptography? 

Asymmetric cryptography also uses mathematical permutations to encrypt a plain text message, but it uses two different permutations, still known as keys, to encrypt and decrypt messages. With asymmetric cryptography, a public key that can be shared with anyone gets used to encrypt messages while a private key that’s known only by the recipient gets used to decrypt messages.  

Critically, it should be relatively easy to compute the public key from the private key but nearly impossible to do the reverse and generate the private key from the public key. Three popular mathematical permutations, known as RSA, ECC and Diffie-Hellman, accomplish this today. Each uses different algorithms but they all rely on the same basic principles. For instance, the RSA 2048 bit algorithm randomly generates two prime numbers that are each 1024 bits long and then multiplies them together. The answer to that equation is the public key, while the two prime numbers that created the answer are the private key. 

How exactly does this all work? Let’s say Alice wants to send a private message to Bob. Bob can share his public key with Alice, which she then uses to encrypt her message. Once the message gets encrypted, only Bob’s private key can decrypt it. This means that as long as Bob ensures no one else has his private key, then no one can read the encrypted message 

The above example offers a more secure way to encrypt messages compared to symmetric cryptography; however, asymmetric cryptography also powers additional, more advanced use cases.  

Consider digital signatures. In this case, Bob might want to send a message to Alice and add a digital signature so she can verify it was in fact Bob who sent it. He can do so by encrypting a signature using his private key. When Alice receives the message, she can use Bob’s public key to verify that Bob (or someone with Bob’s private key) sent the message and that the message was not modified in transit (because if it does get modified, the verification will fail). 

It’s important to note that all of these examples are one-way. To reverse any of them (e.g. so Bob can send private messages to Alice and Alice can send messages to Bob that contain her digital signature), Alice needs her own private key and must share the corresponding public key with Bob. 

What are the Advantages and Disadvantages of Symmetric vs. Asymmetric Cryptography? 

Asymmetric cryptography may be more advanced than symmetric cryptography, but both are still in use today -- and many times they get used in tandem. That’s because each approach comes with advantages and disadvantages. Two big trade-offs exist between symmetric and asymmetric cryptography: Speed and security. 

Speed: Where Symmetric Cryptography Beats Out Asymmetric Cryptography 

First, we have speed, where symmetric cryptography has an enormous advantage over asymmetric cryptography. Symmetric cryptography is faster to run (in terms of both encryption and decryption) because the keys used are much shorter than they are in asymmetric cryptography. Additionally, the fact that only one key gets used (versus two for asymmetric cryptography) also makes the entire process faster. 

 

In contrast, the slower speed of asymmetric cryptography not only makes the process of sharing messages far less efficient, but it can also create performance issues as network processes get bogged down trying to encrypt and/or decrypt messages with asymmetric cryptography. This can result in slow processes, issues with memory capacity and fast drainage on batteries. 

Security: Where Asymmetric Cryptography Beats Out Symmetric Cryptography 

Second, we have security, where asymmetric cryptography presents an advantage over symmetric cryptography. Symmetric cryptography carries a high risk around key transmission, as the same key used to encrypt messages must be shared with anyone who needs to decrypt those messages. Every time the key gets shared, the risk of interception by an unintended third party exists. 

Asymmetric cryptography offers better security because it uses two different keys -- a public key which only gets used to encrypt messages, making it safe for anyone to have, and a private key to decrypt messages that never needs to be shared. Since the private key never needs to be shared, it helps ensure only the intended recipient can decrypt encoded messages and creates a tamper-proof digital signature. 

How Do Symmetric and Asymmetric Cryptography Get Used Today? 

Both symmetric and asymmetric cryptography get used often today, including in conjunction with one another. Here’s a look at some of the most common use cases for each approach as well as why that approach makes the most sense in each circumstance. 

Common Use Cases for Symmetric Cryptography 

Symmetric cryptography typically gets used when speed is the priority over increased security, keeping in mind that encrypting a message still offers a high level of security. Some of the most common use cases for symmetric cryptography include: 

  • Banking: Encrypting credit card information or other personally identifiable information (PII) required for transactions 
  • Data storage: Encrypting data stored on a device when that data is not being transferred 
Common Use Cases for Asymmetric Cryptography 

Asymmetric cryptography typically gets used when increased security is the priority over speed and when identity verification is required, as the latter is not something symmetric cryptography supports. Some of the most common use cases for asymmetric cryptography include: 

  • Digital signatures: Confirming identity for someone to sign a document 
  • Blockchain: Confirming identity to authorize transactions for cryptocurrency 
  • Public key infrastructure (PKI): Governing encryption keys through the issuance and management of digital certificates 
Common Use Cases for Symmetric and Asymmetric Cryptography Together 

Finally, many use cases combine both symmetric and asymmetric cryptography to improve speed and security at once. Most of these instances use symmetric cryptography to encrypt the bulk of the information and then use asymmetric cryptography to encrypt the symmetric encryption/decryption key (which can in turn be used to decrypt the full message contents). Some of the most common uses for this hybrid approach include: 

  • SSL/TLSUsing asymmetric cryptography to encrypt a single-use symmetric encryption key, which in turn gets used to encrypt/decrypt the contents of that internet browsing session 
  • Mobile chat systems: Using asymmetric cryptography to verify the identity of participants at the start of a conversation and then symmetric cryptography to encrypt the ongoing contents of the conversation 

What Else Do You Need to Know About Symmetric and Asymmetric Cryptography? 

Find out more about symmetric vs. asymmetric cryptography and the role they play in security for today’s digital enterprise in The Definitive Guide to PKI.