How hybrid cryptosystems secure e-mail exchange

In this Ask the Expert Q&A, our application security expert discusses how hybrid cryptosystems are used to secure an e-mail exchange.

Can you please explain how classical and public key approaches are combined into hybrid cryptosystems?
Before I begin to answer your question, I think I should discuss what "classical" ciphers are. I will then explain how they are used with public key ciphers in hybrid cryptosystems. The term classical ciphers usually refers to transposition ciphers, which rearrange the order of letters in a message, and substitution ciphers, which systematically replace letters or groups of letters with other letters or groups of letters. For example, SearchSecurity becomes d3V\$kpd3k?\$Wxq by substitution. Transposition and substitution ciphers are both symmetric key ciphers, as they both require the same key to encipher and decipher. Modern cryptanalysis has made simple substitution and transposition ciphers obsolete, as neither of these operations alone can provide sufficient security. However, strong ciphers can be built by combining them, and it is these modern symmetric key ciphers that are used in hybrid cryptosystems.

Symmetric key, or shared secret, ciphers can be grouped into block ciphers and stream ciphers. Stream ciphers encrypt one bit at a time, in contrast to a block cipher, which operates on a group of bits -- a block -- of a certain length all in one go. Symmetric key algorithms are generally much faster to execute than public key, or asymmetric key, algorithms, but their big disadvantage is the requirement of a shared secret key, which must somehow be exchanged in a secure way between the two parties wishing to encrypt their messages. Public key encryption solves this problem as it uses two keys, a public key and a private key. The public key is used for encryption and the private key is used for decryption. This means that someone can freely send their public key over an insecure channel and be sure that only they can decrypt messages encrypted with it.

Hybrid cryptosystems combine symmetric and asymmetric encryption in order to take advantage of the higher speed of symmetric ciphers and the ability of asymmetric ciphers to securely exchange keys. The key used for the symmetric cipher is encrypted with a public key cipher when it is exchanged, and the rest of the information is encrypted using the symmetric key cipher. This combined use of both cipher types appears in many security products and protocols, including e-mail, PGP, Web browsing, and SSL. This use is probably best explained with an example.

Bob wants to send an encrypted message to Alice. However, if they use a symmetric key cipher, Bob has to tell Alice what the key will be. He is concerned that if he sends her the key in plaintext, someone may steal it and be able to decrypt the message. Therefore, Alice sends Bob her public key, which is paired with a private key that only she has. Bob decides to use kpd3kd3V\$?\$Wxq as the key for their chosen symmetric cipher. He encrypts this key with Alice's public key using a public key cipher and sends it to her in an e-mail. Alice is the only person who can decrypt the contents of the e-mail, because she is the only one who has the private key that matches the public key Bob used to encrypt it. By using public key encryption, Bob and Alice were able to securely exchange a key that they can now both use to encrypt and decrypt messages between them using a faster symmetric key cipher.

It is important to note that the complete security of any practical encryption scheme is not proven. A symmetric cipher may only have proven security against a limited class of attacks, while asymmetric ciphers rely on the difficulty of the associated mathematical problem for their security.


• This was last published in October 2005
