Choosing the right public key algorithm: RSA vs. Diffie-Hellman

In this expert response, Joel Dubin explores two different public key encryption algorithms and discusses how to make the right choice for your information security needs.

Which is currently the best public key encryption algorithm used in IT scenarios? I have read much about the RSA algorithm and Diffie-Hellman, but are they strong enough? Is there a trade-off between the two, as far as performance goes?

Encryption should never be seen as the ultimate answer to any information security problem. It's only one part of the security equation, and this should always be kept in mind when choosing a public key algorithm. Before delving into any encryption project, however, perform a thorough risk analysis of your data and systems to determine what you need. Obviously, high-risk data, such as sensitive customer data, needs better encryption than marketing plans, which would have a much lower impact on the business if divulged.

Second, in terms of performance, a thorough analysis of your network architecture and the traffic load it can bear will help decide which encryption route to choose. In general, public key encryption, or asymmetric encryption, is about 10,000 times slower than private key encryption. This is because asymmetric encryption creates and exchanges two keys, versus the single key used in private key, or symmetric, encryption.

Both RSA and Diffie-Hellman are public key encryption algorithms strong enough for commercial purposes. The minimum recommended key length for encryption systems is 128 bits, and both exceed that with their 1,024-bit keys. Both were invented in the late 1970s and have yet to be cracked.

The nature of the Diffie-Hellman key exchange, however, makes it susceptible to man-in-the-middle (MITM) attacks, since it doesn't authenticate either party involved in the exchange. A party sitting in the middle can also create its own key pair and spoof messages between the two parties, each of which believes it is communicating directly with the other. Mutually authenticating both parties can defeat attempts at MITM attacks.
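To make the point above concrete, here is an added example (not code from the original response) of a Diffie-Hellman exchange run once without authentication and once with each public value authenticated. The group parameters are a constructed toy (a 127-bit Mersenne prime, not a production group), and the authentication uses an HMAC under a key assumed to be pre-shared out of band, standing in for the signatures or certificates a real deployment would use.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only: a Mersenne prime and a small base.
# Real deployments use standardized 2048-bit or larger groups.
P = 2**127 - 1
G = 5


def dh_keypair(p: int = P, g: int = G) -> tuple[int, int]:
    """Return (private exponent, public value g^priv mod p)."""
    priv = secrets.randbelow(p - 3) + 2          # 2 <= priv <= p-2
    return priv, pow(g, priv, p)


def dh_shared(priv: int, peer_pub: int, p: int = P) -> int:
    """Shared secret peer_pub^priv mod p; equal on both sides when values arrive unmodified."""
    return pow(peer_pub, priv, p)


def tag(auth_key: bytes, pub: int) -> bytes:
    """Authenticate a public value under the assumed pre-shared key (stand-in for a signature)."""
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def verify(auth_key: bytes, pub: int, mac: bytes) -> bool:
    """Constant-time check that `mac` authenticates `pub`."""
    return hmac.compare_digest(tag(auth_key, pub), mac)


def exchange(authenticated: bool, substituted: bool) -> dict:
    """Run one exchange; if `substituted`, a relay replaces each side's public value with its own."""
    auth_key = secrets.token_bytes(32)          # assumed to be pre-shared by Alice and Bob
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    _, pub_m = dh_keypair()                     # the relay's own public value
    tag_a, tag_b = tag(auth_key, pub_a), tag(auth_key, pub_b)
    recv_by_bob, recv_by_alice = (pub_m, pub_m) if substituted else (pub_a, pub_b)
    if authenticated:
        # Each side checks the tag before deriving anything; a substituted value fails here.
        if not (verify(auth_key, recv_by_bob, tag_a) and verify(auth_key, recv_by_alice, tag_b)):
            return {"aborted": True, "secrets_match": False}
    alice_secret = dh_shared(a, recv_by_alice)
    bob_secret = dh_shared(b, recv_by_bob)
    return {"aborted": False, "secrets_match": alice_secret == bob_secret}
```

Without authentication the substituted run completes silently with the two sides holding different secrets; with authentication the same substitution is rejected before any secret is derived.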


This was last published in April 2007
