When it comes to encryption, you should always use the algorithm that's right for the job and has been extensively and publicly tested -- something the cryptographic community won't have had the chance to do with brand-new algorithms.
Let's have a look at some of the most widely used symmetric and asymmetric algorithms and how to evaluate the best encryption method for your enterprise.
Types of symmetric encryption algorithms and use cases
For most people, encryption means converting plaintext to ciphertext using a single secret key that both encrypts and decrypts the data. This is called symmetric encryption, and it is fast compared to other types of encryption, such as asymmetric encryption. There are several types of symmetric encryption algorithms.
- Advanced Encryption Standard (AES). This is the most widely used symmetric key algorithm. AES is the successor to the Data Encryption Standard (DES), whose 56-bit keys had become brute-forceable; NIST standardized AES as its replacement in 2001. AES is a single 128-bit block cipher that accepts three key lengths -- AES-128, AES-192 and AES-256 -- each of which is approved to protect classified information up to the Secret level, with Top Secret information requiring 192-bit or 256-bit keys.
- Triple DES (3DES). 3DES runs the DES cipher three times with two or three independent keys to stretch DES's short key. It keeps DES's 64-bit block size, which limits how much data can safely be encrypted under one key, and NIST has deprecated it, disallowing it for encryption after 2023.
- Rivest Cipher 4 (RC4). Attacks in the 2000s and 2010s revealed weaknesses in the RC4 algorithm, and its use in Transport Layer Security was prohibited by the Internet Engineering Task Force in February 2015.
AES and 3DES are block ciphers, which encrypt fixed-size blocks of data; RC4 is a stream cipher, which encrypts data one byte at a time. Symmetric ciphers such as 3DES and AES are what VPN products use to encrypt traffic. Other uses of symmetric encryption include payment applications, message authentication (validating that data has not been altered) and serving as a building block in random number generators and hash constructions.
Types of asymmetric encryption algorithms and use cases
Unlike symmetric algorithms, asymmetric algorithms use two mathematically linked keys, a public key and a private key: what one key encrypts, only the other can decrypt. This pairing enables a number of different features, the most important probably being digital signatures, where the private key signs and anyone holding the public key can verify. Among other things, digital signatures are used to guarantee that a message was created by a particular entity or to authenticate remote systems or users. Some of the most common asymmetric algorithms include the following:
- One of the most common is the Diffie-Hellman (DH) key exchange, which enables two parties to agree on a shared secret key over a channel an eavesdropper can observe, without ever transmitting the secret itself.
- RSA (Rivest-Shamir-Adleman) is another widely used asymmetric algorithm. Published shortly after DH, it relies on the difficulty of factoring large integers rather than on the discrete logarithm problem DH uses. It is often used in e-commerce protocols and is believed to be secure given sufficiently long keys (2,048 bits or more) and the use of up-to-date implementations.
- Elliptic curve cryptography (ECC) is another type of asymmetric cryptography growing in popularity. Its security rests on the elliptic curve discrete logarithm problem, which lets it match RSA's strength with far shorter keys: a 256-bit elliptic curve key offers roughly the same security as a 3,072-bit RSA key.
Asymmetric cryptography use is also common in cryptocurrencies, such as bitcoin.
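The key agreement and digital signature features described above, as an added example that is not part of the original article. It uses only Go's standard library: two constructed parties ("alice" and "bob") each publish an ephemeral ECDH value over an open channel and sign it with a long-term ECDSA key, so a third constructed party ("mallory") cannot substitute her own value. Hashing the raw shared secret with SHA-256 is an assumed simplification standing in for a proper key derivation function such as HKDF.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds a long-term ECDSA pair (identity) and an ephemeral ECDH pair (key agreement).
type Party struct {
	signKey *ecdsa.PrivateKey
	dhKey   *ecdh.PrivateKey
}

func NewParty() (*Party, error) {
	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	dk, err := ecdh.P256().GenerateKey(rand.Reader)
	return &Party{signKey: sk, dhKey: dk}, err
}

// PublicDH is the value sent over the open channel; an eavesdropper may read it freely.
func (p *Party) PublicDH() []byte { return p.dhKey.PublicKey().Bytes() }

// SignPublicDH binds the ephemeral value to the sender's identity; without it an attacker
// could swap in its own value (the classic man-in-the-middle attack on unauthenticated DH).
func (p *Party) SignPublicDH() ([]byte, error) {
	h := sha256.Sum256(p.PublicDH())
	return ecdsa.SignASN1(rand.Reader, p.signKey, h[:])
}

// VerifyPeer checks that peerDH was signed by the holder of peerSignPub, a key the verifier
// must already trust (obtained out of band, e.g. from a certificate).
func VerifyPeer(peerSignPub *ecdsa.PublicKey, peerDH, sig []byte) bool {
	h := sha256.Sum256(peerDH)
	return ecdsa.VerifyASN1(peerSignPub, h[:], sig)
}

// SharedKey combines our private value with the peer's public value; both sides reach the
// same curve point and so derive the same 256-bit key. SHA-256 stands in for a real KDF
// such as HKDF (simplification assumed here).
func (p *Party) SharedKey(peerDH []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerDH)
	if err != nil {
		return nil, err
	}
	secret, err := p.dhKey.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	return k[:], nil
}

// RunHandshake performs an authenticated exchange between two parties and returns the key
// each side derived so the caller can check that they agree.
func RunHandshake(alice, bob *Party) (aliceKey, bobKey []byte, err error) {
	aSig, err := alice.SignPublicDH()
	if err != nil {
		return nil, nil, err
	}
	bSig, err := bob.SignPublicDH()
	if err != nil {
		return nil, nil, err
	}
	// Each side verifies the other's signed value before using it.
	if !VerifyPeer(&bob.signKey.PublicKey, bob.PublicDH(), bSig) ||
		!VerifyPeer(&alice.signKey.PublicKey, alice.PublicDH(), aSig) {
		return nil, nil, errors.New("peer public value failed signature check")
	}
	if aliceKey, err = alice.SharedKey(bob.PublicDH()); err != nil {
		return nil, nil, err
	}
	if bobKey, err = bob.SharedKey(alice.PublicDH()); err != nil {
		return nil, nil, err
	}
	return aliceKey, bobKey, nil
}

// SubstitutionAccepted models mallory replacing bob's public value with her own while the
// receiver still verifies against bob's long-term key. She can replay bob's signature but
// cannot forge one over her own value, so the result should be false.
func SubstitutionAccepted(bob, mallory *Party) bool {
	bSig, err := bob.SignPublicDH()
	if err != nil {
		return false
	}
	return VerifyPeer(&bob.signKey.PublicKey, mallory.PublicDH(), bSig)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	mallory, _ := NewParty()
	a, b, err := RunHandshake(alice, bob)
	fmt.Println("keys agree:", err == nil && bytes.Equal(a, b))
	fmt.Println("substituted value accepted:", SubstitutionAccepted(bob, mallory))
}
```

The signature step is what turns plain DH into an authenticated exchange: the eavesdropper learns both public values and still cannot compute the key, and an active attacker who swaps in her own value fails verification because she cannot sign it with the victim's long-term private key.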
A cryptographic hash function has a somewhat different role compared to other cryptographic algorithms. It takes an input of any length, such as a file or a message, and returns a fixed-length value, the hash or digest. Any accidental or intentional change to the data changes this hash value.
A good hash algorithm should make it computationally infeasible to recover an input from its hash value (preimage resistance), to find a second input that produces a given hash value (second-preimage resistance) or to find any two inputs with the same hash (collision resistance). MD5 (Message-Digest 5) and Secure Hash Algorithm 1 (SHA-1) were widely used hash algorithms that are now considered weak: practical MD5 collisions have been known since the mid-2000s, NIST disallowed SHA-1 for digital signature generation after 2013 and a practical SHA-1 collision was demonstrated in 2017. They have been superseded by SHA-224, SHA-256, SHA-384 and SHA-512, collectively referred to as SHA-2. SHA-3 -- composed of SHA3-224, SHA3-256, SHA3-384 and SHA3-512, as well as two extendable output functions, SHAKE128 and SHAKE256 -- was released in 2015. SHA-3 was labeled a backup standard, rather than a replacement for SHA-2.
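The integrity role of a hash function, as an added example that is not part of the original article. It uses Go's standard library to hash with SHA-2 only (the deprecated MD5 and SHA-1 are refused by design rather than left to configuration), to verify a stored digest with a constant-time comparison, and to measure the avalanche effect: flipping one input bit changes roughly half of the 256 output bits. The sample document is constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Digest returns the hex digest of data under an approved SHA-2 member. Legacy
// algorithms such as MD5 and SHA-1 are deliberately not offered, so callers cannot
// select a broken hash by configuration.
func Digest(algo string, data []byte) (string, error) {
	switch algo {
	case "sha256":
		s := sha256.Sum256(data)
		return hex.EncodeToString(s[:]), nil
	case "sha512":
		s := sha512.Sum512(data)
		return hex.EncodeToString(s[:]), nil
	default:
		return "", fmt.Errorf("hash %q is unsupported or deprecated", algo)
	}
}

// VerifyIntegrity recomputes SHA-256 over data and compares it with the expected digest
// in constant time, so an attacker cannot learn how many leading bytes matched from timing.
func VerifyIntegrity(data []byte, expectedHex string) bool {
	want, err := hex.DecodeString(expectedHex)
	got := sha256.Sum256(data)
	if err != nil || len(want) != len(got) {
		return false
	}
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

// AvalancheBits flips a single input bit and counts how many of the 256 output bits
// change. A good hash changes about half of them (around 128) for any such change.
func AvalancheBits(data []byte, byteIdx int, bitIdx uint) int {
	orig := sha256.Sum256(data)
	mod := append([]byte(nil), data...)
	mod[byteIdx] ^= 1 << bitIdx
	changed := sha256.Sum256(mod)
	n := 0
	for i := range orig {
		n += bits.OnesCount8(orig[i] ^ changed[i])
	}
	return n
}

func main() {
	doc := []byte("constructed sample document") // constructed input for the example
	d, _ := Digest("sha256", doc)
	fmt.Println("sha256:", d)
	fmt.Println("intact:", VerifyIntegrity(doc, d))
	fmt.Println("tampered:", VerifyIntegrity([]byte("constructed sample document."), d))
	fmt.Println("output bits changed by one input bit:", AvalancheBits(doc, 0, 0))
	_, err := Digest("md5", doc)
	fmt.Println("md5 request:", err)
}
```

Note that a bare hash only detects accidental or unauthenticated modification: anyone who can alter the data can also recompute its digest, so a stored digest protects integrity only if it is itself kept out of the attacker's reach or is signed (or replaced by an HMAC under a secret key).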
Symmetric vs. asymmetric: Which is better?
When choosing an encryption algorithm, it's important to consider the type of data being encrypted. High-risk data, such as confidential customer information, warrants stronger protection, such as longer keys and authenticated encryption, than, say, marketing plans.
Performance is another key factor. In general, asymmetric encryption is far slower than symmetric encryption because it relies on expensive arithmetic on very large numbers, such as modular exponentiation, whereas symmetric ciphers use fast bit-level operations. The main disadvantage of symmetric key cryptography, however, is that every party must obtain the same secret key through some secure channel before any data can be decrypted, and exposure of that one key compromises everything encrypted under it.
In asymmetric cryptography, only the public key is distributed; the private key never leaves its owner, which removes the key-distribution problem. Deriving the private key from the public key is computationally infeasible for properly sized keys. If an individual loses the private key, however, he can no longer decrypt messages encrypted to the matching public key. Authentication is also a concern because users and systems must be sure a public key is authentic and belongs to the person or entity that claims it. This is where a public key infrastructure, or an encryption program that provides its own key authentication, comes in.
Symmetric and asymmetric algorithms each have different vulnerabilities. Symmetric cryptography is exposed to brute-force attacks on short keys, chosen-plaintext and known-plaintext attacks, and differential and linear cryptanalysis. Asymmetric cryptography is subject to brute-force attacks on undersized keys and to man-in-the-middle attacks that substitute an attacker's public key for a legitimate one. In both cases, an attacker who obtains the secret or private key can decrypt and read the data.
In many scenarios, such as TLS (formerly SSL), symmetric and asymmetric algorithms are combined. Because asymmetric encryption is much slower, the data itself is encrypted with a symmetric algorithm, and only the comparatively short symmetric key is protected with asymmetric encryption. The wrapped key can then be sent to the recipient along with the symmetrically encrypted data, and only the holder of the matching private key can unwrap it. In another example, Secure/Multipurpose Internet Mail Extensions (S/MIME) uses an asymmetric algorithm -- a public/private key pair -- for signatures and nonrepudiation and a symmetric algorithm for efficient confidentiality.
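The hybrid scheme just described, together with the symmetric AES encryption covered earlier in the article, as one added example that is not part of the original article. It uses Go's standard library: a fresh random AES-256 key encrypts the payload with AES-GCM (so any tampering is detected rather than decrypted into garbage), and only that 32-byte key is wrapped with the recipient's RSA public key using RSA-OAEP. The payload, the associated-data header and the recipient key pair are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels to the recipient: the asymmetrically wrapped symmetric key
// plus the symmetrically encrypted payload.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the one-time 32-byte AES key
	Nonce      []byte // 96-bit GCM nonce; must never repeat under the same key
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

// SymEncrypt is the symmetric half: AES-GCM with a key of 16, 24 or 32 bytes
// (AES-128, AES-192 or AES-256). Any other key length is rejected by aes.NewCipher.
func SymEncrypt(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// SymDecrypt reverses SymEncrypt with the same key. GCM checks the tag before releasing
// any plaintext, so a change to nonce, ciphertext or aad makes Open fail.
func SymDecrypt(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Seal is the hybrid step: a random AES-256 key encrypts the bulk data, and only that
// short key is encrypted with the recipient's RSA public key.
func Seal(recipient *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	nonce, ct, err := SymEncrypt(key, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs at the recipient: unwrap the AES key with the private key, then decrypt.
func Open(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymDecrypt(key, env.Nonce, env.Ciphertext, aad)
}

func main() {
	// The recipient generates the key pair; the sender only ever sees the public half.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	aad := []byte("msg-id:42") // constructed header: authenticated but not encrypted
	env, err := Seal(&priv.PublicKey, []byte("constructed sample payload"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, env, aad)
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // flip one bit in transit
	_, err = Open(priv, env, aad)
	fmt.Printf("after tampering: err=%v\n", err)
}
```

This is the key-transport form of hybrid encryption used by S/MIME and by older TLS cipher suites; TLS 1.3 instead establishes the symmetric key with a Diffie-Hellman exchange, which gives forward secrecy because no long-term private key can later unwrap recorded sessions.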
The landscape of cryptography is constantly changing. To stay abreast of the latest developments, follow the news and recommendations from standards bodies, such as NIST.
Related Q&A from Michael Cobb