An Introduction to asymmetric vs symmetric cryptography
Most people are aware of the basic idea behind cryptography — hiding a message with a code that can only be decoded by your intended recipient. However, this basic description conceals a wealth of complexity. Once you start reading about different encryption methods, schemes and (even more complex) encryption algorithms themselves, it’s easy to get confused.
One of the primary differences between encryption methods is symmetric and asymmetric systems. As we mention in our introduction to cryptography, both types have a role to play in security, but each is suitable for different purposes.
There are key variations between these types of cryptography, and each offers different advantages.
What is (a)symmetric cryptography?
The principles that underpin both types of encryption are widely used in many systems; the most common use of both symmetric and asymmetric encryption is in public-key cryptography, and this is the most useful context to explain how they differ. If you’re unsure what public-key cryptography is, this primer on PKI security is a good resource before going further.
Here is the difference: In symmetric encryption, the same key is used to both encrypt and decrypt data. In asymmetric encryption, we make use of a pair of keys — a public key and a private key — that are mathematically related to each other. In asymmetric encryption, the sender of a message uses a public key to encrypt it, but the recipient needs a private key to decrypt it. This is why this type of encryption is referred to as “asymmetric.” The keys held by the sender and recipient are not the same.
Beyond this basic description, the way that symmetric and asymmetric encryption is used in the real world can be complicated. One of the fundamentals of cryptography is there are key differences between each of these schemes, no matter how they are implemented.
Advantages and disadvantages
Both symmetric and asymmetric encryption protocols are powerful and secure, but only if they are used in the correct contexts. The most fundamental difference between symmetric and asymmetric encryption can be summed up simply: Asymmetric encryption is more secure, but is much slower to use than symmetric encryption.
This difference is due to the various ways in which each scheme implements the principles of cryptography. The process of exchanging keys in asymmetric encryption is much more complicated than the corresponding process for symmetric encryption, which can slow the process down for asymmetric systems. Additionally, the encryption keys used for asymmetric encryption are generally larger and more complex than for symmetric encryption. The recommended RSA key size for asymmetric encryption is 2048 bits. In comparison, it’s just 256 for symmetric systems.
Asymmetric encryption is (or at least can be) much more secure. This is due to one of its fundamental features — the key used to decrypt messages is never shared between sender and recipient. Instead, there exists a mathematical relationship between public and private keys that allows them to be related to each other. This means the recipient of a message can decrypt the message (relatively) easily, but no one else can.
Symmetric encryption, in contrast, relies on sender and recipient being able to exchange an encryption key securely. This key cannot be sent in the same way as the encrypted message itself; doing this would allow the key to be intercepted and used to decode the message. This makes establishing a symmetric encryption scheme more costly, and often less secure, than its asymmetric counterpart.
Which is most useful?
There are very few instances in which one has a straight choice between asymmetric or symmetric encryption. It’s likely one of these schemes will simply be impossible, and so you will be forced to use the other. Think of the difference between these encryption schemes as similar to the difference between a proxy server and a VPN. One situation might be better suited to the former, and another situation to the latter. An ideal situation might be to use both in combination.
To see why this is the case, consider how we could encrypt a web page that is being sent to a standard laptop from a web server. Ideally, we would encrypt the entire page using symmetric encryption, because it is so much faster. However, exchanging an encryption key over the internet would defeat the whole purpose of encrypting the page, because this key could be intercepted as easily as an unencrypted page.
This is where asymmetric encryption comes in. Using an asymmetric scheme, we can create a protected connection between client and server without the need for key exchange. Once this asymmetric connection is established, we can then use it to exchange a symmetric encryption key. The rest of the data can then be exchanged using this symmetric key.
In this fashion, the advantages of symmetric encryption (increased speed) are combined with the advantages of asymmetric encryption (better security). This process is used in the real world to encrypt web pages and is how SSL certificates work.
Security and trust
The choice between symmetric and asymmetric encryption is hardly ever a direct one. Asymmetric encryption is used to establish a secure connection between two users who have never met; this connection is used to exchange a symmetric encryption key.
This entire process, when implemented in the SSL system, takes only a few milliseconds. As a result, most users will never notice it. Nonetheless, it is a crucial part of contemporary network infrastructure. And for now, it is the best way of protecting sensitive data from theft and corruption.
PKI Primer for Software Engineers, https://blog.keyfactor.com/pki-primer-for-software-engineers, 2019
Types of Encryption: What to Know About Symmetric vs Asymmetric Encryption, https://sectigostore.com/blog/types-of-encryption-what-to-know-about-symmetric-vs-asymmetric-encryption/, 2020
A Proxy Vs. A VPN: Differences and Use Cases, https://clario.co/blog/proxy-vs-vpn-difference/, 2021
Welcome to OpenSSL, https://www.openssl.org/