Do real-Time IPsec and SSL/TLS use symmetric or asymmetric authentication?
It sounds like you're asking about symmetric and asymmetric encryption, rather than authentication. These two terms usually refer to types of encryption. With that in mind, let's take a look at how these encryption schemes are used in IPsec and SSL.
The real answer is that both are used. IPsec and SSL use asymmetric encryption to establish the encryption protocol when the session starts and then to securely exchange a private key used during the session. This private key is similar to the single secret key used in symmetric encryption.
Asymmetric encryption uses a key pair -- both a public and a private one -- for encryption. The sender uses the receiver's public key to encrypt the data and the receiver uses their private key to decrypt it. The transmission is secure because the recipient always has the private key in their possession and never exposes it by sending it over a public connection, such as the Internet. On the other hand, the public key, which is openly exposed in transit over the wire, cannot be used to derive the private key. The two keys are only mathematically related and nothing more. So, even if sniffed en route, the public key is useless by itself.
Symmetric encryption uses only a single secret key by itself. However, since IPsec and SSL by nature communicate openly across the Internet, a captured secret key would defeat symmetric encryption. A malicious user, using the encryption algorithm, if known, could then use the key to decrypt any traffic transmitted over the wire between the two hosts.
To clarify some terminology here, symmetric encryption uses what's called a secret key. This isn't meant to be confused with the private key in asymmetric encryption, which like its symmetric counterpart, is also secret. The difference is that the secret key in symmetric encryption is a single key, while the private key in asymmetric encryption is part of a key pair.
However, there is a catch to using asymmetric encryption. It runs about 1,000 times slower than symmetric encryption and eats up just as much processing power, straining already overburdened servers. That means asymmetric encryption is only used (by IPsec and SSL) to create an initial and secure encrypted connection to exchange a private key. Then, that key is used to create a shared secret, or session key, that is only good during the session when the two hosts are connected.
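As an added example (not code from the original answer), here is the two-phase pattern the answer describes, in Go using only the standard library: a random session key is wrapped with RSA-OAEP under the receiver's public key, and both sides then protect the bulk data with AES-256-GCM under that key. The function names and the 2048-bit key size are my choices, not from the page.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// The receiver's long-term RSA key pair; the private half never leaves this host.
func newReceiverKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// Asymmetric phase: the sender draws a random 256-bit session key and wraps it with
// RSA-OAEP under the receiver's public key; only the private key can unwrap it.
func establishSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}
// Receiver's side of the exchange: recover the same session key the sender chose.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}
// Symmetric phase: one AES-256-GCM context per session key carries the bulk data.
type session struct{ gcm cipher.AEAD }
func newSession(sessionKey []byte) (*session, error) {
	block, err := aes.NewCipher(sessionKey) // fails unless the key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &session{gcm}, err
}
// seal prepends a fresh random nonce; GCM's authentication tag also exposes tampering.
func (s *session) seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal and fails on a modified or truncated record.
func (s *session) open(record []byte) ([]byte, error) {
	if n := s.gcm.NonceSize(); len(record) >= n {
		return s.gcm.Open(nil, record[:n], record[n:], nil)
	}
	return nil, errors.New("record too short")
}
```

Current TLS 1.3 and IKEv2 derive the session key from a Diffie-Hellman exchange rather than wrapping it with RSA, but the structure is the same: an asymmetric step once per session, then symmetric encryption for everything that follows.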
Related Q&A from Joel Dubin