Casey Crane is a tech lover and cybersecurity journalist for Hashed Out and Infosec Insights.
If you find understanding or explaining the differences between asymmetric and symmetric encryption daunting, then take a relaxing breath — we’ll break it all down into layman’s terms.
Symmetric and asymmetric encryption — what are they and what do they mean in terms of data security? To put it simply, both are ways that individuals, businesses, and other organizations can protect their data. Asymmetric and symmetric encryption involve cryptographic techniques and tools, and both are useful in different types of digital environments.
But these processes aren’t all that easy to explain to others. This is why we’ve put together a non-techies guide. No matter whether you’re new or advanced, this article can help you break down symmetric and asymmetric encryption. This way, you can easily explain it to others who may not be as tech-savvy as you. This will definitely come in handy for your upcoming holiday dinner conversations with family and friends.
So, what is symmetric encryption and how does it differ from asymmetric encryption? Let’s break each type of encryption down and compare them to see what is best in which applications.
Symmetric encryption means that your information is encrypted and decrypted using a single key. The data sender (or originator of the data) has one copy of the key, which they use to encrypt the data. (By “encrypt,” I mean convert it from plaintext, readable data into unreadable gibberish known as ciphertext.) The data recipient, who has another copy of the same key, can use it to decrypt the data — meaning that they can revert it from ciphertext to plaintext.
This is why symmetric encryption is also known as private key encryption — because both parties have copies of the same mathematically identical key that they don’t share with anyone.
The key itself is a string of randomly generated bits. When generated well and with enough entropy (randomness), the strings of bits should be completely unpredictable and, therefore, impractical to guess using modern computers.
Symmetric encryption is what large businesses typically use in internal environments to encrypt their at-rest data. Why? Because symmetric encryption is fast, convenient, and isn’t super resource-intensive in terms of bandwidth and processing power.
Let’s put it another way: Symmetric encryption = time savings + cost savings + strong security = a win for your business.
But symmetric encryption isn’t perfect. In fact, it has a couple of important shortcomings that we have to talk about that mean that it can’t stand on its own in public channels. But before we do that, let’s first go over what asymmetric encryption is and why it’s essential to the security of your data in public online environments.
Now, let’s take the concept of symmetric encryption and kick it up a level and you get asymmetric encryption. You see, asymmetric encryption is a cryptographic process that uses two separate keys — a public key and a private key — to encrypt and decrypt data. The keys are related but mathematically unique, unlike symmetric keys.
In asymmetric encryption, the public key encrypts it while the private key decrypts it. The public key is open and available to everyone, whereas the private key is intended to be kept secret. That’s why asymmetric encryption is oh-so cleverly known as public key encryption.
Now, while this may sound perfect, asymmetric encryption isn’t a one-size-fits-all tool for security. Because it uses two separate and larger keys, it makes it too unwieldly and impractical for large-scale business encryption applications. As such, it’s better suited as an authentication mechanism in many cases. This is why many businesses defer to using asymmetric key exchanges for authentication purposes and symmetric encryption to actually secure the data itself during the session.
Don’t worry — I’ll also help you break down asymmetric key exchanges into layman’s terms as well.
There’s a related aspect of asymmetric encryption that comes
into play way symmetric encryption. This is known as an asymmetric key
exchange, or a public key exchange. People often refer to asymmetric key
exchange protocols as encryption algorithms when it’s not exactly true. It’s
kind of like how your mom told you to call a close family friend “Uncle Don”
when, in fact, he wasn’t a blood relative at all. It’s not exactly true,
but it’s close enough for general conversations.
Similarly, the key exchange process isn’t truly a “key exchange,” either. It’s a bit of a misnomer. Rather, what it is, is a process that involves exchanging certain public variables and incorporating private variables to generate a shared key (i.e., a symmetric key) that only you and your intended recipient can create together.
No, don’t worry, I’m not going to get into all of the mathematical specifics of how that process works here. And your friends or family certainly won’t need you to dive into all of that business, either. But you can check out this great video to get into more of the specifics on how that all works:
Basically, the takeaway here is that the so-called asymmetric key exchange process makes it possible for you to exchange specific data over an open (and insecure) internet connection to generate a matching key. And this perfect combination of the asymmetric key exchange protocol and symmetric encryption algorithm (and symmetric key) are what make it possible to enjoy secure, encrypted connections.
It’s also important to note that this process is integral to the SSL/TLS
handshake in website security. The handshake is a process that allows your client to:
But asymmetric cryptographic process aren’t the sole mechanisms used in website security. Symmetric encryption also plays a star role in website data encryption.
When it comes to website security, symmetric encryption and asymmetric cryptographic techniques go together like rock stars and bad life choices. You use techniques from one (asymmetric key exchange) to help make the other (symmetric encryption) more secure in public channels. In fact, you’re actually using both of them right now to read this article.
You see, when you connect to a website, any data that you send to that site is sent via an insecure protocol by default. This insecure connection is known as the hypertext transport protocol, or HTTP. This is the same insecure “http” that you’ll sometimes see when you click on website URLs that display this type of warning message:
Tisk, tisk, Apache.org. You know better than to leave your site insecure like this!
When you transmit data using HTTP, it means that it’s sent via plaintext. And considering that when you connect to a website, because of how HTTPS works, you’re actually punted between multiple touchpoints along the way. And this means that your data also passes through all of those touchpoints as well.
So, all of the types of data that you don’t want falling into cybercriminals’ hands — such as your name, address, credit card information, or other sensitive details — are vulnerable to being intercepted by bad guys.
When bad guys intercept your data in this way, it’s known as a man-in-the-middle attack (MitM attack) because they’re essentially inserting themselves into the middle of your communication. As a result, messages from you to another party will pass through them first, which gives them an opportunity to read or even modify your message before passing it along.
Needless to say, it’s not only insecure, but it’s also bad news for you and the person (or website) you’re communicating with. So, to make this process more secure, website admins will instead opt to use the secure HTTPS protocol (which stands for “hypertext transport protocol secure”) to transmit data between users and their web servers. They do this by installing an SSL/TLS (secure sockets layer/transport layer security) certificate — or what’s otherwise known as a website security certificate.
This type of digital certificate ensures that you connect via HTTPS instead of the insecure HTTP protocol. It makes your web address bar in Google Chrome display a friendly secure padlock icon like this (instead of the “not secure” warning like earlier):
Image caption: As my grandfather loved to say, “this is more better.” Every website should be using an SSL/TLS certificate to allow its users to securely
As a result, instead of sending plaintext data across the internet, you’re sending gibberish ciphertext that no one can decipher without the requisite private key. That’s a win for you and a loss for the cybercriminals who want to mess you over.
Remember how earlier I said that symmetric encryption had a few shortcomings? Well, the biggest one relates to key distribution. That’s because there’s only one key that could be known by a bunch of individuals. So, if you keep handing out that key to a bunch of different people, it gets harder to keep track of and can result in the key becoming compromised.
You see, with symmetric encryption, you have to distribute the key in a secure way and make sure that only those authorized have a copy. Otherwise, if some authorized individual intercepts it, then they can simply decrypt your messages all they want.
This means that either the keys must be exchanged in person or via a secure key exchange method. But if you’re communicating with someone over the internet who’s located across the world, that isn’t really possible. This is where symmetric encryption comes into play. According to the National Institute of Standards and Technology (NIST), one of the leading authorities for cybersecurity standards, both types of encryption have their uses and work well together:
“Since asymmetric-key (i.e., public-key) cryptography requires fewer keys overall, and symmetric-key cryptography is significantly faster, a hybrid approach is often used whereby asymmetric-key algorithms are used for the generation and verification of digital signatures and for initial key establishment, while symmetric-key algorithms are used for all other purposes (e.g., encryption), especially those involving the protection of large amounts of data and for key distribution when entities share an already established symmetric key (e.g., established using manual distribution methods or asymmetric key establishment methods). For example, an asymmetric-key system can be used to establish a symmetric key via a key-agreement or key-transport process (see Sections 5.3.3 and 5.3.4, respectively), after which the symmetric key is used to encrypt files or messages or to distribute other keys.”
Basically, this massive run-on statement is a fancy way of saying that you should use both asymmetric key exchange/agreement and symmetric encryption processes together to securely distribute the shared key and create an encrypted connection. This is perfect for those otherwise open (and insecure) public, multi-user environments.
As you likely know, there are many ways that symmetric and asymmetric encryption differ in terms of how they work, the algorithms and keys they use, as well as when and where you should implement them. Let’s go over a few of them.
Symmetric vs Asymmetric Encryption Use Different Algorithms and Key Sizes
Two of the biggest differences between symmetric and asymmetric encryption are:
Symmetric encryption algorithms are significantly faster and use smaller keys than their asymmetric counterparts. They can be used to encrypt and decrypt either blocks or streams of data. The keys tend to be smaller in terms of the number of random bits that they contain.
Asymmetric encryption algorithms, on the other hand, use more complex encryption algorithms and significantly larger keys. This makes them great for encrypting and decrypting data in public channels in small batches, but not so great for use at scale.
Okay, let’s take a moment to compare their key lengths. I’ll also break down some of the different encryption algorithms and key exchange agreements that fall under the umbrellas of symmetric and asymmetric encryption.
If this is as clear as mud to you, let’s have a quick comparison of what the difference looks like in terms of key lengths (using the random key generator at cryptotools.net):
Yeah, just a wee bit of a difference in terms of key lengths, am I right? Now you can see why we say that using symmetric encryption is significantly faster than asymmetric encryption when you’re encrypting and decrypting data at scale.
So, what types of encryption algorithms are considered symmetric and which ones are asymmetric?
The go-to standard for symmetric encryption is AES, or what stands for the advanced encryption standard. AES was announced as the replacement for the data encryption standard (DES) in October 2000.
For asymmetric encryption, RSA (which stands for its creators’ surnames — Rivest, Shamir, and Adleman — is the encryption algorithm that’s most commonly used. As far as key exchanges go, though, RSA is still in use in TLS version 1.2 but is being deprecated in lieu of Diffie-Hellman in TLS 1.3.
Okay, let’s quickly go over some of the different uses for both types of encryption. For example, symmetric encryption is best used for:
Asymmetric encryption processes, on the other hand, are best
When it comes to website and general internet security, it’s easy to see how both of these types of encryption have important roles that help make it possible.
Symmetric encryption is faster and best suited for encrypting data at rest and in combination with asymmetric key distribution methods in website security. And asymmetric encryption is great for smaller batches of data and for making symmetric encryption possible in public channels.
I hope this article has provided you with a little clarity about the differences between symmetric and asymmetric encryption, what each process is on its own, and how each applies to different situations and use cases.
Create your free account to unlock your custom reading experience.