There
is a lot of confusion and
misinformation about the differences
between conventional (symmetric)
encryption and public/private key
(asymmetric) encryption. There is a
good reason for this. Not only is the
subject complicated; there is also a
lot of misinformation on the Internet
concerning the subject.
Recently
in a privacy newsgroup, one writer
compared symmetric encryption to a
locked suitcase and asymmetric
encryption to a safe - which of course
is much stronger and more secure. Not
only is this a bad analogy - it’s
completely wrong. The purpose of this
white paper is to help clarify the
differences between the two methods of
encryption for the average person.
Before
we begin comparing the differences
between the two methods of encryption,
it’s important to first understand
that the strength of the encryption
lies not with which of these two
methods is being used, but with the
encryption algorithm and key length
used by the encryption. Both symmetric
and asymmetric encryption use an
encryption algorithm to encrypt the
data – oftentimes the same
algorithm. Therefore, a 128-bit key
encryption algorithm has the same
strength against being cracked whether
it’s used in symmetric or asymmetric
encryption program. This is just one
reason why the analogy above is wrong
– both symmetric and asymmetric
encryption can be compared to the same
safe, and so far no one has randomly
cracked a 128 bit key length
encryption algorithm, unless the
algorithm itself was flawed. The best
programs use open source algorithms,
which means the algorithm can be
tested by unbiased third parties to
ensure that it doesn’t have any
flaws or back-doors. Note:
CenturionMail™ 3.03 uses a 256 bit key
length open source AES encryption
algorithm.
The big
difference between symmetric and
asymmetric encryption is the method
used to decrypt the data. To continue
with the analogy of the safe – the
most secure type of safe would be one
that could never be opened
(decrypted). But of course, if you can’t
ever open the safe then it defeats all
useful purpose of having a safe in the
first place.
In
programs that use Symmetric
encryption, the same password that is
used to encrypt the data is also used
decrypt the data. This is a simple
method of encryption which is easy to
understand and use.
To
completely understand this, let’s
continue with the safe example and
look at two people who want to share
information securely, Ted and John.
Ted puts the information in the safe
(in this case the safe is the
encryption algorithm) sets the
combination (the password) and then
sends the safe to John. He must
communicate in some secure way the
combination (password) to John as
well. When John receives the safe he
then enters the combination and opens
the safe. It’s fairly simple and -
as long as Ted communicates the
password in a secure way to John –
completely secure based on the
strength of the safe itself.
Asymmetric
encryption on the other hand does not
use the same key to encrypt and
decrypt the data. It uses a
combination of public and private keys
to encrypt and decrypt the information
and was created as a method to
eliminate the need to communicate the
password or key to another person.
So to
illustrate the above example with Ted
and John and the same safe, asymmetric
encryption would work like this: Ted
would first tell John that he wants to
send him some information securely.
John would then send Ted his own safe
(in this case the safe acts as John’s
Public Key) – already opened – in
which only John knows the combination
(his Private Key). Ted then puts the
information in the safe, locks it and
sends it back to John. John then can
open it with his original combination
(which he never had to give to Ted).
There was no communicating the
combination or password between the
two. With asymmetric encryption, Ted
can encrypt information intended for
John using John’s safe but once
locked (encrypted), only John can open
it because only he has the
combination.
Keys
can be broken in three ways:
1.
Simply guessing the password or
key.
2. Through interception - getting the
key by eavesdropping or
accessing the communication between
the sender and recipient or gaining
access their computer.
3. Brute Force - using computing power
to try all random keys until a correct
match is made.
Symmetric
encryption can be vulnerable to all
three methods, while asymmetirc
encryption is only vulnerable to the
third method and the second half of
the second method.
So does
that mean asymmetric encryption is more secure? Both actually
are equally secure. However with symmetric encryption
easily guessed passwords can be used and
you have to
communicate the password to your
recipient. If the password is not
communicated in a secure way, then
there is a chance that someone else
could intercept the password and open
the safe. Some people consider this
the weak link of symmetric encryption.
So why
not always use asymmetric encryption?
Unfortunately, asymmetric encryption
also has its drawbacks. The biggest
drawback is that it is complicated to
use. If Ted wants to send John some
encrypted information he must first
check whether John has the appropriate
decrypting software and has registered
his public key on one of the databases
that maintains these keys or have John
send him his public key. If he does
already have everything, then great,
the process itself is fairly simple as
long as Ted already has the
appropriate software for encrypting.
If John doesn’t have a public key
already, or the appropriate software
for decrypting, then he must go
through this process of installing and
registering before the encrypted
message can be sent. This
unfortunately is a time-consuming
process and is the main reason why –
despite its ingenious design –
most people are not using asymmetric
encryption in today’s fast-paced
world.
Symmetric
encryption, on the other hand, can be
used easily AND very securely if a
minimum of precaution is taken. First
the password must be communicated in a
secure way (in a way that no one else
can access it) to the recipient. For
most people, unless you believe your
phone is tapped, this is as simple as
making a phone call to the recipient
and letting them know the password.
Also, precaution must be taken that
the password used is not something
easily guessed by a third party. Pet
names, birthdates, etc., never make
good passwords. Just like with
the keys to your house, you do have to
take care that the password you use
doesn't get into the wrong hands, but
with minimum precaution you can be
assured that your data is safe.
Any code can be broken if caution
isn't used - including asymmetric
codes.
CenturionMail™
uses symmetric encryption because it
is our belief that if this minimum precaution is
used, then symmetric encryption offers
the best protection and ease-of-use
combination. If it’s easy to use,
you’re most likely to encrypt
sensitive information rather than
leaving it unprotected and
insecure. CenturionMail™ makes
symmetric encryption even easier to
use because of its self-decrypting
aspect - in which the recipient
doesn't need to decrypting software
installed in order to decrypt the
message - they only need the password.
Compare
the two encryption methods to a
grocery store. Which is more useful to
you? The one across the
street (Conventional Encryption) or
the one on the other side of town that
takes you an hour to get to
(Public/Private Key Encryption). The
one across town may have some features
that you like, but convenience almost
always wins out and you will use the
grocery store across the street- as long as you’re
getting similar quality and value for
the money.
Also
don't be fooled that any method of
encryption is completely 100%
unbreakable. While key lengths
of 128 bits and higher are currently
unbroken (CenturionMail™ has 256 bits), as computing power increases
brute force method of breaking codes
will continue to increase in
effectiveness. However - with
the use of common sense - both
symmetric and asymmetric encryption
can be used to effectively protect
information for a number of years to
come.
--------------------------------------
