Cyber Security Interview Prep. Q3: "Symmetric & Asymmetric Encryption"
- mahfuz3895
- Sep 24, 2021
Category: Security
"Explain the difference between symmetric encryption and asymmetric encryption"
My answer:
Both encryption types use keys to encrypt and decrypt data. A few reasons for using them:
- To make data unreadable to anyone but the intended recipient of the data in question.
- To secure data at rest or in transit.
Symmetric encryption is when a single key is generated that can both encrypt and decrypt the data. This has much less overhead and is quicker to use (partly because the keys are shorter and because half as many keys are used compared to asymmetric), but if the key gets out, the encryption becomes useless. Getting the key to the intended people in the first place can also be tricky: steps need to be taken to ensure it is not intercepted. This is why it is hard to scale; think of the logistics of secure key distribution in a large company, for example. Examples of where this type of encryption is used include banking and data storage, where encrypting data at rest adds to security.
Asymmetric encryption generates a pair of keys at the same time from a large random number. One of these keys encrypts data and the other decrypts it. The key that encrypts is the public key: it is publicly available and anyone can encrypt data with it, but nobody can decrypt that data except the holder of the second key, the private key. So if person A wanted to send a message that only person B can read, they would encrypt it with person B's public key and send it. Wherever it goes (even into the hands of a cyber criminal), only person B can decrypt it with their own private key. This has higher overhead and is slower, but is more secure. You never have to send the private key anywhere, so the likelihood of it being intercepted and the encryption being broken is much lower. Examples of where this type of encryption is used include digital signatures and digital certificates.
Finally, we cover the combined use of both. As one encryption type is faster and the other provides better security, the two can be combined to get the best of both worlds. Where this is desired, symmetric encryption (the faster but less secure one) is used to encrypt the large amounts of data in use, while asymmetric encryption is used to encrypt the symmetric encryption key itself. Examples of where this can be used include websites using HTTPS, where SSL/TLS is in use, and secure message chats where user identity is verified using asymmetric encryption but the chat messages themselves (the bulk of the data) use symmetric encryption.
A good source for further reading:




