
# How hybrid cryptosystems secure e-mail exchange

## In this Ask the Expert Q&A, our application security expert discusses how hybrid cryptosystems are used to secure an e-mail exchange.

Can you please explain how classical and public key approaches are combined into hybrid cryptosystems?
Before I answer your question, I should explain what "classical" ciphers are; I will then explain how they are used with public key ciphers in hybrid cryptosystems. The term classical ciphers usually refers to transposition ciphers, which rearrange the order of letters in a message, and substitution ciphers, which systematically replace letters or groups of letters with other letters or groups of letters. For example, SearchSecurity becomes d3V\$kpd3k?\$Wxq by substitution. Transposition and substitution ciphers are both symmetric key ciphers, as they require the same key to encipher and decipher. Modern cryptanalysis has made simple substitution and transposition ciphers obsolete, as neither of these operations alone can provide sufficient security. However, strong ciphers can be built by combining them, and it is these modern symmetric key ciphers that are used in hybrid cryptosystems.

Symmetric key, or shared secret, ciphers can be grouped into block ciphers and stream ciphers. Stream ciphers encrypt one bit at a time, in contrast to a block cipher, which operates on a group of bits -- a block -- of a certain length all in one go. Symmetric key algorithms are generally much faster to execute than public key, or asymmetric key, algorithms, but their big disadvantage is the requirement of a shared secret key, which must somehow be exchanged in a secure way between the two parties wishing to encrypt their messages. Public key encryption solves this problem, as it uses two keys: a public key and a private key. The public key is used for encryption and the private key is used for decryption. This means that someone can freely send their public key over an insecure channel and be sure that only they can decrypt messages encrypted with it.

Hybrid cryptosystems combine symmetric and asymmetric encryption in order to take advantage of the higher speed of symmetric ciphers and the ability of asymmetric ciphers to securely exchange keys. The key used for the symmetric cipher is encrypted with a public key cipher when it is exchanged, and the rest of the information is encrypted using the symmetric key cipher. This combined use of both cipher types appears in many security products and protocols, including e-mail, PGP, Web browsing, and SSL. This use is probably best explained with an example.

Bob wants to send an encrypted message to Alice. If they use a symmetric key cipher, however, Bob has to tell Alice what the key will be. He is concerned that if he sends her the key in plaintext, someone may steal it and be able to decrypt the message. Therefore, Alice sends Bob her public key, which is paired with a private key that only she has. Bob decides to use kpd3kd3V\$?\$Wxq as the key for their chosen symmetric cipher. He encrypts this key with Alice's public key using a public key cipher and sends it to her in an e-mail. Alice is the only person who can decrypt the contents of the e-mail, because she is the only one who has the private key that matches the public key Bob used to encrypt it. By using public key encryption, Bob and Alice were able to securely exchange a key that they can now both use to encrypt and decrypt messages between them using a faster symmetric key cipher.

It is important to note that the complete security of any practical encryption scheme is not proven. A symmetric cipher may only have proven security against a limited class of attacks, while asymmetric ciphers rely on the difficulty of the associated mathematical problem for their security.
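The Bob-and-Alice exchange above, as an added Python sketch that is not part of the original answer. To run with the standard library alone it assumes stand-ins: textbook RSA over a constructed demo key in place of a padded public key cipher such as RSA-OAEP, and a SHA-256 counter keystream with HMAC in place of a vetted cipher such as AES-GCM; the names `seal` and `unseal` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed demo key pair for Alice: textbook RSA over two well-known Mersenne
# primes. Illustration only; real systems use generated keys and padded RSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                           # (N, E) is Alice's public key
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to Alice
KEY_LEN = 32


def _subkeys(session_key):
    """Derive separate encryption and MAC keys from the session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def _stream_xor(key, nonce, data):
    """XOR data with a SHA-256 counter keystream (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(message, n=N, e=E):
    """Bob: encrypt under a fresh session key, wrap that key with Alice's public key."""
    session_key = secrets.token_bytes(KEY_LEN)
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(16)
    body = _stream_xor(enc_key, nonce, message)   # fast symmetric step, any length
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # slow step, 32 bytes only
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}


def unseal(envelope, d=D, n=N):
    """Alice: unwrap the session key with her private key, verify, then decrypt."""
    recovered = pow(envelope["wrapped_key"], d, n)
    session_key = recovered.to_bytes((n.bit_length() + 7) // 8, "big")[-KEY_LEN:]
    enc_key, mac_key = _subkeys(session_key)
    expected = hmac.new(mac_key, envelope["nonce"] + envelope["body"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("wrong private key or tampered message")
    return _stream_xor(enc_key, envelope["nonce"], envelope["body"])
```

Only the 32-byte session key passes through the public key operation; the message body, whatever its length, is handled by the symmetric step, and a recipient without the matching private exponent fails the tag check instead of receiving garbage plaintext.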

• This was last published in October 2005
