Dear Enam Luf:
This article doesn't point out a major problem:
PRIVATE KEY CRYPTOGRAPHY: If the symmetric (private) key used between two endpoints is broken, then the encryption between those two endpoints is broken. But only the encryption between those two endpoints. Nothing else.
PUBLIC KEY CRYPTOGRAPHY: (This is **believed** to be a solution.) If the public key of the asymmetric public/private key pair is broken, then ALL encryption between the owner of the private (asymmetric key) and whoever has the associated public (asymmetric key) (which can be anybody) is broken. And the scary thing is that no one will know that it is broken.
If you really want security, then private (symmetric) cryptography is the way to go, and make certain that the symmetric keys used during a communications session tumble frequently and at irregular intervals. Further, the tumbling of keys must occur without the tumbled keys being transported over the communications medium.
I don't know how much cryptography readers understand, but there are major differences between a symmetric key and an asymmetric key. I don't like to use the terms private (symmetric) and public (asymmetric) for key types, because these same words are used to describe the actual key. (This is the source of untold amounts of confusion.)
So, a symmetric key is a single private key given to each endpoint before communication can occur.
An asymmetric key is a pair of keys, one called a public key and the other a private key (**totally** different from a symmetric private key). The endpoint creating this key pair keeps the private asymmetric key, and makes the public asymmetric key freely available to you and me - anyone who wants it. Anything encrypted with one of these asymmetric keys can only be decrypted with the other.
Because of the encryption algorithms used, and the mathematics behind the creation of the keys, it is necessary for asymmetric (public) keys to be much larger than symmetric (private) keys in order to achieve the same encryption 'hardness'.
This means that encrypting with an asymmetric algorithm is much, much slower than encrypting with a symmetric algorithm. To get around this, asymmetric (public) key cryptography is used **only** to encrypt a symmetric (private) session key which is actually used to encrypt the data. By doing this, the slow encryption algorithm is only used to encrypt a very small piece of data - the symmetric key.
Joggins
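
The key tumbling described in the comment above, sketched as an added example (not code from the commenter or the article): both endpoints derive each new key locally from a pre-shared secret with HMAC-SHA256, so no tumbled key crosses the communications medium. The `KeyTumbler` class, the derivation labels, and the 1 to 16 message key lifetime taken from the chain state are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_INTERVAL = 16  # assumed upper bound on messages per key


def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as a one-way derivation step."""
    return hmac.new(key, label, hashlib.sha256).digest()


class KeyTumbler:
    """One instance per endpoint, both seeded with the same pre-shared secret."""

    def __init__(self, shared_secret: bytes):
        self._chain = _prf(shared_secret, b"init")
        self.epoch = 0
        self._rotate()

    def _rotate(self) -> None:
        # Derive this epoch's key and its lifetime from the secret chain state,
        # then advance the chain one-way so earlier keys cannot be recomputed
        # from a later chain value.
        self.message_key = _prf(self._chain, b"message-key")
        self._remaining = 1 + _prf(self._chain, b"interval")[0] % MAX_INTERVAL
        self._chain = _prf(self._chain, b"next-chain")
        self.epoch += 1

    def key_for_next_message(self) -> bytes:
        if self._remaining == 0:
            self._rotate()
        self._remaining -= 1
        return self.message_key


def run_session(shared_secret: bytes, messages: int):
    """Return (key, epoch) for each message an endpoint would process."""
    tumbler = KeyTumbler(shared_secret)
    return [(tumbler.key_for_next_message(), tumbler.epoch) for _ in range(messages)]


if __name__ == "__main__":
    secret = b"constructed demo secret, provisioned out of band"
    alice = run_session(secret, 200)
    bob = run_session(secret, 200)
    print("endpoints agree:", alice == bob)
    print("key changes in 200 messages:", alice[-1][1] - 1)
```

The endpoints stay in step only while they count messages identically, so a lost or reordered message desynchronises the keys unless the protocol carries a message counter. The derived key is meant to feed an authenticated symmetric cipher; the example covers key derivation only.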