How Cryptography Works In 2020

Out of all the topics in IT Security, none is as intimidating as Cryptography, at least to me.  It is a concept that is integrated and woven into all aspects of technology but fundamentally one of the toughest concepts to grasp.  When I reflect on why, I surmise that it’s due to the vast amount of history and my lack of understanding of the relevance of some of the defunct applications.

To begin to understand why we use Cryptography, we must first understand what it is and how it is implemented today.

What Is Cryptography?

If someone were to ask me what Cryptography is, I would simply tell them that it is encryption algorithms that are used to enforce data privacy when you are sending and receiving messages.  An oversimplification, I know, but does the average person really want to know the inner workings of Cryptography? Probably not. Then again, if you have found this blog, I wouldn’t consider you the average person.

Jokes aside, cryptography is an important part of data security.  It helps us protect digital communications transmitted over a network by taking the original message and converting it into an alpha-numeric message called ciphertext.  Think of a ciphertext as a transformation of your original communication into a secret code which requires encryption keys to reveal the message (decryption).

These keys are often referred to as Public and Private Keys.  More on that later.

What Is Symmetric Key Encryption?

Cryptography is typically lumped into two categories, Symmetric and Asymmetric.  

Symmetric Key Encryption is when you use the same key, often called a public key, to encrypt and decrypt communications.  The ciphers used to protect messaging are called stream ciphers and block ciphers. Here’s how it works:

Let’s say that Asuka wants to send a message to Britt by email. Without encryption, it is typically sent in clear or plaintext format.  If an unauthorized person like Chris were to intercept the email, it would be easy for him to see the contents of the message.

Symmetric Key Encryption

If Asuka were to enable Symmetric Key Encryption before sending a message, her key would modify the message into ciphertext.  When she sends the message over the internet, even if it gets intercepted by Chris, the only thing viewable is the ciphertext.  Practically useless for him. As the message reaches Chris, he can decrypt the message and review the true content.

The main advantage of Symmetric Key Encryption is that it can encrypt large volumes of data relatively quickly.  The drawback is that if the public key is ever discovered by an unauthorized actor, data can be compromised.  It is mainly for this reason that an alternative form of key encryption was necessary.

What Is Asymmetric Encryption?

Asymmetric Key Encryption addresses the main drawback of Symmetric Key Encryption by deploying a Public and Private Key Infrastructure.  The important thing to remember is both the Public and Private Key have their own function.  

The Public Key is used to encrypt messages whereas the Private Key is used to decrypt messages.  This added layer of security enforces privacy in the event that the public key is discovered. Another example, anyone?

Asuka wants to send her itinerary to Britt, which contains sensitive information she doesn’t want to get out.  So she composes her email and encrypts the message with Britt’s Public Key. When the message arrives, Britt uses her Private Key to decrypt the message.  It’s important to know that even if Chris intercepted the message and Britt’s Public Key, the message is still safe as Chris would only see the ciphertext. This is the beauty of Asymmetric Key Encryption.

Asymmetric Key Encryption (Public Key Infrastructure)

Now you may be wondering, if Asymmetric Key Encryption is so great, why are we still using Symmetric Key Encryption today? Like any good technology, Asymmetric Key Encryption is not without its drawbacks.

This technology uses discrete logarithms or factorization when converting to ciphertext, which means it uses a lot of computing power to get the job done.  Ideally, it is best used with a point-to-point connection or when sending small amounts of data through a network.

How are they used today?

Sometimes the best technologies are used together.  When you are connecting to a website in 2020, the connection is likely using Asymmetric Key Encryption.  In theory, the connection between your browser and the website is encrypted, preventing people like Chris from seeing what is transmitted.  From there you can use Symmetric Key Encryption to encrypt the actual data being transmitted.
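
The combination described above, together with the Asuka, Britt and Chris walkthroughs from the earlier sections, as an added example that is not part of the original post. It uses Node's built-in crypto module; the choice of RSA-OAEP and AES-256-GCM, the function names (seal, unseal, rsaAloneFits, interceptorCanRead) and the sample itinerary are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Britt's key pair (constructed for this example). The public half can be handed out freely.
const britt = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Asuka: encrypt the bulk data with a fresh symmetric key (fast), then
// encrypt only that small key with Britt's public key (slow, but tiny input).
function seal(publicKey, plaintext) {
  const sessionKey = crypto.randomBytes(32);   // AES-256 key, used for one message
  const iv = crypto.randomBytes(12);           // GCM nonce, never reused with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Britt: recover the session key with her private key, then decrypt and authenticate.
function unseal(privateKey, msg) {
  const sessionKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// RSA on its own only accepts small inputs: with a 2048-bit key and
// OAEP/SHA-256 the limit is 190 bytes, so larger data is rejected.
function rsaAloneFits(publicKey, plaintext) {
  try { crypto.publicEncrypt({ key: publicKey, ...OAEP }, plaintext); return true; }
  catch { return false; }
}

// Chris has the intercepted message and Britt's public key, but only his own private key.
function interceptorCanRead(msg) {
  const chris = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  try { unseal(chris.privateKey, msg); return true; } catch { return false; }
}

const itinerary = Buffer.from('Itinerary (constructed sample): '.padEnd(4096, 'x'));
const msg = seal(britt.publicKey, itinerary);
console.log('RSA alone fits 4 KiB:', rsaAloneFits(britt.publicKey, itinerary));
console.log('Britt recovers it:', unseal(britt.privateKey, msg).equals(itinerary));
console.log('Chris can read it:', interceptorCanRead(msg));
```

The GCM tag also means any change to the ciphertext in transit makes unseal throw instead of returning altered data.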

Many operating systems today use a combination of both encryption technologies to secure computing devices.  This is especially useful when a device has been physically compromised or stolen.

When choosing between the two, think of what you are ultimately trying to accomplish.  If performance is the goal, Symmetric Encryption is likely the best route. If privacy is the goal, Asymmetric encryption is the way to go.

Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.
